
This is just for vulnerability testing purposes.

Just to find a way to overcome XSS attacks.

I am trying to display error message if the textbox field is empty.

But when I click the submit button it only shows the error message on the other (db_connection.php) page, although it does not insert the data into my database. I want it to display that error message on the same page as the form.

This is my index.php

<html>
    <head>
        <meta charset="UTF-8">
        <title>BadStore.net - Sign our Guestbook</title>
    </head>
    <body>
        <table cellspacing="0" cellpadding="0" width="614" border="0">
            <tbody>
                <tr>
                    <td bgcolor="#333333"></td>
                </tr>
            </tbody>
        </table>
        <table cellspacing="0" cellpadding="0" width="614" border="0">
            <tbody>
                <tr bgcolor="#ecece0"></tr>
                <tr bgcolor="#333333"></tr>
            </tbody>
        </table>

        <h1>Sign our Guestbook!</h1>
        <hr><p>Please complete this form to sign our Guestbook.  The email field is not required, but helps us contact you to respond to your feedback.  Thanks!</p><hr>
        <!-- The form posts to a different script, so whatever that script echoes
             (including the "Please fill in all the information!" message) appears
             on db_connection.php, not on this page. -->
        <form method="post" action="db_connection.php">
            <table border="0" cellpadding="10">
                <tbody>
                    <tr>
                        <td>Your Name:</td> <td><input type="text" name="name" size="30"></td>
                    </tr>
                    <tr>
                        <td>Email:</td> <td><input type="text" name="email" size="40"></td>
                    </tr>
                    <tr>
                        <td valign="TOP">Comments:</td>
                        <td><textarea name="comments" cols="60" rows="4"></textarea></td>
                    </tr>
                </tbody>
            </table>
            <hr>
            <center><input type="submit" name="submit" value="Add Entry">  <input type="reset"></center>
        </form>
    </body>
</html>

This is my db_connection.php

<?php
 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $db = "xss";
 $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
 // Everything echoed below lands on this page (db_connection.php), because the
 // form on index.php posts here.
 echo "<a href=\"javascript:history.go(-1)\">GO BACK</a>";
 if(isset($_POST['submit']))
 {
     if(!empty($_POST['name']) && !empty($_POST['email']) && !empty($_POST['comments']))
     {
         // HTML-encoded before storage. Encoding belongs at output time, and this is
         // not SQL escaping (see the comments below the question).
         $Name= htmlspecialchars($_POST['name']);
         $Email=htmlspecialchars($_POST['email']);
         $Comments=htmlspecialchars($_POST['comments']);

         // The values are interpolated straight into the SQL text, so this statement
         // is open to SQL injection regardless of the HTML encoding above.
         $result="INSERT into form(Name,Email,Comments) values('$Name','$Email','$Comments')";
         // Printing the driver error to the browser leaks schema details; it is kept here
         // only because this is a test setup.
         $run = mysqli_query($conn, $result) or die("Insert failed: " . mysqli_error($conn));
     }
     else{
         // This is the message that shows up here instead of on index.php.
         echo "Please fill in all the information!";
     }
 }

 // Same connection reused for the listing below; it is closed after the loop.
 $sql = "Select * from form";
 $abc = mysqli_query($conn,$sql);
?>
        <table align="center" border="1px" style="width:600px; line-height:40px;">
    <tr>
        <th colspan="4"><h2>Guestbook</h2></th>
    </tr>
    <tr>
        <th> No </th>
        <th> Name </th>
        <th> Email </th>
        <th> Comments </th>
    </tr>
        <?php while($rows=mysqli_fetch_assoc($abc))
        {
        ?>
        <tr> <td><?php echo $rows['No']; ?></td>
             <!-- Echoed exactly as stored: safe only because the values were
                  HTML-encoded on the way into the database. -->
             <td><?php echo $rows['Name']; ?></td>
             <td><?php echo $rows['Email']; ?></td>
             <td><?php echo $rows['Comments']; ?></td>
        </tr>
    <?php
               }
                mysqli_close($conn);
          ?>
</table>
TryHard
    It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Apr 02 '21 at 13:38
  • I would _not_ submit to a file named `db_connection.php` (misleading name, since it doesn't seem to only connect to a database). Submit to the same page (`action=""`) and handle everything there. – brombeer Apr 02 '21 at 13:38
  • Do not use `htmlspecialchars()` on the data going into the database. This function is meant to be used only when outputting to HTML – Dharman Apr 02 '21 at 13:39
  • Hi all, I just edited the post, yeah it is just for testing purposes – TryHard Apr 02 '21 at 13:45
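
The two comments above about htmlspecialchars() and die() are easier to see with data in hand. The following is an added PHP example, not code from the question or from the commenters: it renders constructed guestbook rows with output-time encoding (the same columns as the question's table, no database needed) and then shows what goes wrong when the encoding is applied before the INSERT instead. All rows and values are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or its comments. Constructed data only;
// no database connection is made.
declare(strict_types=1);

// Output-time encoder for HTML text nodes and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render guestbook rows the way db_connection.php does, but encode every value here.
function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . (int) $row['No'] . '</td>'
               . '<td>' . h($row['Name']) . '</td>'
               . '<td>' . h($row['Email']) . '</td>'
               . '<td>' . h($row['Comments']) . "</td></tr>\n";
    }
    return $html;
}

// Constructed rows: what the table holds when submissions are stored exactly as sent.
$rows = [
    ['No' => 1, 'Name' => 'Tom & Jerry', 'Email' => "o'reilly@example.com", 'Comments' => 'Nice "store"'],
    ['No' => 2, 'Name' => '<script>alert(1)</script>', 'Email' => '',
     'Comments' => '<img src=x onerror=alert(document.cookie)>'],
];
echo render_rows($rows);
// Row 2 is emitted as &lt;script&gt;alert(1)&lt;/script&gt; and
// &lt;img src=x onerror=alert(document.cookie)&gt;: the browser shows text, nothing runs.

// 1. Encoding on the way in (as db_connection.php does) and again on the way out
//    double-encodes ordinary data.
$stored = htmlspecialchars('Tom & Jerry');  // what the INSERT would store: Tom &amp; Jerry
echo h($stored), "\n";                       // Tom &amp;amp; Jerry: the page displays "Tom &amp; Jerry"
echo $stored, "\n";                          // echoing it raw displays correctly only because
                                             // the encoding already happened at input time

// 2. htmlspecialchars() is not SQL escaping. With the default flags before PHP 8.1
//    (ENT_COMPAT) a single quote passes through and breaks the interpolated INSERT.
$name = htmlspecialchars("O'Reilly", ENT_COMPAT);
echo "INSERT into form(Name,Email,Comments) values('$name','','')", "\n";
// INSERT into form(Name,Email,Comments) values('O'Reilly','','')

//    With ENT_QUOTES (the default from PHP 8.1) the quote becomes &#039;, so that query
//    no longer breaks, but the database now holds HTML entities, and a backslash still
//    passes through untouched. Bind parameters instead of building SQL from strings.
echo htmlspecialchars("O'Reilly", ENT_QUOTES), ' ', htmlspecialchars('\\', ENT_QUOTES), "\n";
// O&#039;Reilly \
```

Run it with `php` on the command line. The takeaway for the question's code is that the table rows look safe only because of the input-time encoding; store the raw text, bind it in a prepared statement, and let h() do the encoding where the HTML is produced.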

1 Answer


You can add `required` to your `<input>`s so you will not have to check and display an error message (Please fill in all the information!) on the other page:
`<input type="#" name="#" required>`.
For the database error message, if you want it to be displayed on the same page as the form, move your code to it like this:

<?php
 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $db = "xss";
 $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
 if(isset($_POST['submit']))
        {
            // No empty-field check here: the form below relies on the required attribute.
            $Name= htmlspecialchars($_POST['name']);
            $Email=htmlspecialchars($_POST['email']);
            $Comments=htmlspecialchars($_POST['comments']);

            $result="INSERT into form(Name,Email,Comments) values('$Name','$Email','$Comments')";
            // The insert now runs in index.php, so its failure message is shown on this page.
            $run = mysqli_query($conn, $result) or die("Insert failed: ". $conn -> error);

            // Nothing may be echoed before header(), so the GO BACK link from the original
            // db_connection.php is not printed here; on success, redirect to the listing.
            header('Location: db_connection.php');
            exit;
        }
        mysqli_close($conn);
?>

<html>
    <head>
        <meta charset="UTF-8">
        <title>BadStore.net - Sign our Guestbook</title>
    </head>
    <body>
        <table cellspacing="0" cellpadding="0" width="614" border="0">
            <tbody>
                <tr>
                    <td bgcolor="#333333"></td>
                </tr>
            </tbody>
        </table>
        <table cellspacing="0" cellpadding="0" width="614" border="0">
            <tbody>
                <tr bgcolor="#ecece0"></tr>
                <tr bgcolor="#333333"></tr>
            </tbody>
        </table>

        <h1>Sign our Guestbook!</h1>
        <hr><p>Please complete this form to sign our Guestbook.  The email field is not required, but helps us contact you to respond to your feedback.  Thanks!</p><hr>
        <form method="post" action="index.php">
            <table border="0" cellpadding="10">
                <tbody>
                    <tr>
                        <td>Your Name:</td> <td><input type="text" name="name" size="30" required></td>
                    </tr>
                    <tr>
                        <td>Email:</td> <td><input type="text" name="email" size="40" required></td>
                    </tr>
                    <tr>
                        <td valign="TOP">Comments:</td>
                        <td><textarea name="comments" cols="60" rows="4" required></textarea></td>
                    </tr>
                </tbody>
            </table>
            <hr>
            <center><input type="submit" name="submit" value="Add Entry">  <input type="reset"></center>
        </form>
    </body>
</html>
zoldxk