Pages: [1]

Author Topic: PHP form validation  (Read 1373 times)

0 Members and 1 Guest are viewing this topic.

Offline Code.Illusionist

  • Royal Highness
  • ****
  • Posts: 687
  • Cookies: 39
  • Compile or die trying
    • View Profile
PHP form validation
« on: February 08, 2014, 02:02:17 pm »
Hello there. I was wondering what's wrong with my code because when user process his data, I manipulate that data and prevent possible hacker exploits. BUT, somehow when user enter some javascript or html, the data is not transformed as I wanted to be. Here is code:

Code: ("php") [Select]
<html>
   <body>
      <form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
         <input type="password" name="pwd">
            <input type="submit" value="Click me">
      </form>
      <?php
         $pass "";
         function test_input($data) {
            $data trim($data);
            $data stripslashes($data);
            $data htmlspecialchars($data);
            return $data;
         }
            if($_SERVER['REQUEST_METHOD'] == "POST") {
               $pass test_input($_POST['pwd']);
               echo $pass;
            }
      ?>
   </body>
</html>So, when the user enter password, it will be changed with 3 functions. However, htmlspecialchars function seems not to work because when I enter: <html> , it's not masked to be &l;thtml&gt; but print out <html> . Why? Where I make mistake?
« Last Edit: February 08, 2014, 02:08:29 pm by Code.Illusionist »
Report to moderator   Logged
Vae Victis - suffering to the conquered

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: PHP form validation
« Reply #1 on: February 08, 2014, 03:20:15 pm »
Not really sure here, but try passing the encoding parameter as ISO-8859-1? Assuming your PHP version is >=5.4.
Report to moderator   Logged
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Code.Illusionist

  • Royal Highness
  • ****
  • Posts: 687
  • Cookies: 39
  • Compile or die trying
    • View Profile
Re: PHP form validation
« Reply #2 on: February 08, 2014, 03:38:54 pm »
And how to do that? I am super new to PHP.
Report to moderator   Logged
Vae Victis - suffering to the conquered

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: PHP form validation
« Reply #3 on: February 08, 2014, 04:55:17 pm »
Read the documentation.
Report to moderator   Logged
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Code.Illusionist

  • Royal Highness
  • ****
  • Posts: 687
  • Cookies: 39
  • Compile or die trying
    • View Profile
Re: PHP form validation
« Reply #4 on: February 08, 2014, 07:52:55 pm »
So I finally get it what you mean, but it doesn't work again. I added this:
Code: ("php") [Select]
$data = htmlspecialchars($data,ENT_COMPAT,'ISO-8859-1',true);I guess that's what you ment and still when I enter <html> that's what I get back.

EDIT: I did some research and realized that this code work. It stops hackers from exploiting it by not letting them use javascripts trough input. =)
« Last Edit: February 09, 2014, 02:26:54 pm by Code.Illusionist »
Report to moderator   Logged
Vae Victis - suffering to the conquered

Offline feynman

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 0
    • View Profile
Re: PHP form validation
« Reply #5 on: February 25, 2014, 05:19:41 am »
If you're seeing "<html>" in the browser, it's because it's interpreting the escaped characters. If you view-source you should see the &lt;html&gt;.
Report to moderator   Logged

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: PHP form validation
« Reply #6 on: March 04, 2014, 09:50:01 am »
Quote from: Code.Illusionist on February 08, 2014, 07:52:55 pm
So I finally get it what you mean, but it doesn't work again. I added this:
Code: ("php") [Select]
$data = htmlspecialchars($data,ENT_COMPAT,'ISO-8859-1',true);I guess that's what you ment and still when I enter <html> that's what I get back.

EDIT: I did some research and realized that this code work. It stops hackers from exploiting it by not letting them use javascripts trough input. =)
lolol.

Anyway the question is been answered. When a tag is encoded you will see it in your browser in text form so you will see <html>. if it's not encoded it is parsed as html.
Report to moderator   Logged
~Factionwars
Pages: [1]