EvilZone

Programming and Scripting => Web Oriented Coding => : Code.Illusionist February 08, 2014, 02:02:17 PM

: PHP form validation
: Code.Illusionist February 08, 2014, 02:02:17 PM
Hello there. I was wondering what's wrong with my code, because when a user submits his data, I manipulate that data to prevent possible hacker exploits. BUT somehow, when the user enters some JavaScript or HTML, the data is not transformed as I wanted it to be. Here is the code:

: ("php")
<html>
   <body>
      <form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
         <input type="password" name="pwd">
         <input type="submit" value="Click me">
      </form>
      <?php
         $pass = "";

         // Clean up the submitted value before echoing it back.
         function test_input($data) {
            $data = trim($data);              // drop surrounding whitespace
            $data = stripslashes($data);      // remove backslashes
            $data = htmlspecialchars($data);  // encode <, >, &, " as entities
            return $data;
         }

         if ($_SERVER['REQUEST_METHOD'] == "POST") {
            $pass = test_input($_POST['pwd']);
            echo $pass;
         }
      ?>
   </body>
</html>
So, when the user enters a password, it will be changed by 3 functions. However, the htmlspecialchars function seems not to work, because when I enter: <html> , it's not masked to &lt;html&gt; but printed out as <html> . Why? Where did I make a mistake?
: Re: PHP form validation
: vezzy February 08, 2014, 03:20:15 PM
Not really sure here, but try passing the encoding parameter as ISO-8859-1? Assuming your PHP version is >=5.4.
: Re: PHP form validation
: Code.Illusionist February 08, 2014, 03:38:54 PM
And how to do that? I am super new to PHP.
: Re: PHP form validation
: vezzy February 08, 2014, 04:55:17 PM
Read the documentation.
: Re: PHP form validation
: Code.Illusionist February 08, 2014, 07:52:55 PM
So I finally get what you mean, but it doesn't work again. I added this:
: ("php")
$data = htmlspecialchars($data, ENT_COMPAT, 'ISO-8859-1', true);
I guess that's what you meant, and still when I enter <html> that's what I get back.

EDIT: I did some research and realized that this code works. It stops hackers from exploiting it by not letting them use JavaScript through input. =)
: Re: PHP form validation
: feynman February 25, 2014, 05:19:41 AM
If you're seeing "<html>" in the browser, it's because it's interpreting the escaped characters. If you view-source you should see the &lt;html&gt;.
: Re: PHP form validation
: Stackprotector March 04, 2014, 09:50:01 AM
So I finally get what you mean, but it doesn't work again. I added this:
: ("php")
$data = htmlspecialchars($data, ENT_COMPAT, 'ISO-8859-1', true);
I guess that's what you meant, and still when I enter <html> that's what I get back.

EDIT: I did some research and realized that this code works. It stops hackers from exploiting it by not letting them use JavaScript through input. =)
lolol.

Anyway, the question has been answered. When a tag is encoded, you will see it in your browser in text form, so you will see <html>. If it's not encoded, it is parsed as HTML.
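Added example, not code from the thread, illustrating the point made in feynman's and Stackprotector's replies: the server emits entities, and the browser decodes them back into the literal text the user typed. It also shows the one practical difference between the ENT_COMPAT call posted above and ENT_QUOTES. The helper names (escape_html, escape_compat, as_browser_text) and the sample inputs are my own and are not taken from the thread.

```php
<?php
// Added example (not code from the thread). Run from the command line with
// `php escape_demo.php`. It prints what htmlspecialchars() actually sends to
// the browser ("source") next to what the browser then displays ("browser").
declare(strict_types=1);

// Escape untrusted text for an HTML body or a quoted attribute value.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 byte sequences instead of returning an empty string.
function escape_html(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The variant posted in the thread: ENT_COMPAT leaves single quotes as-is.
function escape_compat(string $data): string
{
    return htmlspecialchars($data, ENT_COMPAT, 'ISO-8859-1', true);
}

// What a browser shows after decoding the entities found in the page source.
function as_browser_text(string $escaped): string
{
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Constructed sample inputs for the demo, not strings taken from the thread.
$samples = [
    '<html>',
    '<b>bold</b> & more',
    "it's a \"quoted\" value",
];

foreach ($samples as $raw) {
    $escaped = escape_html($raw);
    printf("input  : %s\n", $raw);
    printf("source : %s\n", $escaped);                     // what "view source" shows
    printf("browser: %s\n\n", as_browser_text($escaped));  // what the user sees on screen
}

// The single quote is the difference between the two flag sets. Inside an
// attribute written as value='...' an unescaped quote ends the attribute,
// so ENT_QUOTES is the safer choice when the output context is not fixed.
printf("ENT_COMPAT : %s\n", escape_compat("it's"));
printf("ENT_QUOTES : %s\n", escape_html("it's"));
```

Two design notes. First, entity encoding belongs at the point where the value is written into HTML, not before it is stored or compared: trim() and stripslashes() in the thread's test_input() change the password itself, and stripslashes() only made sense as a counter to the old magic_quotes behaviour, which PHP 5.4 removed. Second, the check that the escaping works is the response body (view-source or a fetch with curl), never the rendered page, exactly as feynman says.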