Larry Ullman's Book Forums

Chapter 5 Security Question



On page 100 it states that three functions can be used to beef up security in a PHP script: htmlspecialchars(), htmlentities(), and strip_tags().

 

My question is: Should I be using strip_tags() in all my scripts to prevent XSS attacks? For example, as part of the pursue task in chapter 4, I created a simple form weight calculation script that I used on one of my websites to determine the weight of a fish based on the length x girth / 775. Although the text box sizes in the form are only "5", can someone still do an XSS attack using the simple form? Here is what I placed inside my PHP processing file based on the strip_tags() exercise. The processor file works fine, returning the proper result. Is this right, and will it help to prevent an XSS attack?

<?php
/* Get the values from the $_POST array and remove any HTML tags before using them */
$strip_length = strip_tags($_POST['length']);
$strip_girth = strip_tags($_POST['girth']);

/* Calculate the total from the stripped values */
$total = (($strip_girth * $strip_girth) * $strip_length / 775);

/* Round the weight to two decimal places */
$total = number_format($total, 2);

No script is too simple if you display output from users. I can make my own form and set your URL as the action. Therefore, no input should ever be trusted.

 

As this is number based, I would instead look at something like intval(). As much as you need to think security, you also need to assure input type here. Because of that, you'll often want to parse and check input before you work with it.

 

Your main problem here is that you assume your users will only input numbers. Try using text and see the result then. Your script will give error messages and not work as intended.


Antonio is right in that it is very trivial for someone to submit to your PHP script from anywhere any which way. As such, you have to assume that any text can come in any way, and you need to guard against that accordingly.

 

If you are expecting a number, simply typecasting the submitted value as an integer or float with (int) or (float) accordingly should be more than sufficient.

However, if you are expecting text and you are going to display that text back to users in one form or another, then you should absolutely use htmlspecialchars or whatever.

 

As a side note, because numbers are much easier to validate and less subject to funny business, I try to make as many things number inputs as possible.

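A version of the weight calculator that does what Antonio and Larry describe above: validate the two fields as numbers before touching them, and run any free text that is echoed back through htmlspecialchars(). This is an added example, not code from the thread or from the book; the function names, the 1 to 100 range, and the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): validate the calculator's fields as
// numbers before using them, and escape text that is echoed back. Names and samples are constructed.

/**
 * Validate one numeric field. Returns a float, or null when the value is
 * missing, not a number, or outside the expected range.
 */
function readMeasurement(array $input, string $key, float $min, float $max): ?float
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;                 // field absent, or an array sent as name[]
    }
    $value = filter_var($input[$key], FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < $min || $value > $max) {
        return null;                 // "abc", "<b>24</b>", "24abc" and -5 all fail here
    }
    return $value;
}

/** The thread's formula: girth squared times length, divided by 775. */
function fishWeight(float $length, float $girth): float
{
    return ($girth * $girth) * $length / 775;
}

// Constructed submissions standing in for $_POST; a hand-built form can send any of these.
$samples = [
    ['length' => '24', 'girth' => '14'],          // valid
    ['length' => '<b>24</b>', 'girth' => '14'],   // strip_tags() would pass "24"; validation rejects the raw value
    ['length' => 'abc', 'girth' => '14'],         // text instead of a number
    ['length' => '24'],                           // girth omitted
];

foreach ($samples as $post) {
    $length = readMeasurement($post, 'length', 1, 100);
    $girth  = readMeasurement($post, 'girth', 1, 100);
    if ($length === null || $girth === null) {
        echo "Invalid input\n";
        continue;
    }
    echo 'Estimated weight: ', number_format(fishWeight($length, $girth), 2), "\n";
}

// Free text that is displayed back (an angler's name, say) goes through htmlspecialchars().
$name = 'Tom "Big Fish" O\'Brien <b>';               // constructed value
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```

filter_var() rejects the tagged and textual values outright instead of cleaning them, so the arithmetic only ever sees floats; the escaping step is what matters for anything you print back.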

Wow, okay I'll remove it from my server until I understand a little more about security as I don't quite understand everything both of you are trying to tell me.  I'm guessing once I get through the book I'll have a better understanding and know what variables to use.  Thanks for your replies.
