Jump to content
Larry Ullman's Book Forums

Recommended Posts

On page 100 it states that three functions can be used to beef up security in a php script. htmlspecialchars(), htmlentities() and strip_tags(). 


My question is: Should I be using strip_tags() in all my scripts to prevent cxs attacks?  For example, as part of the pursue task in chapter 4, I created a simple form weight calculation script that I used on one of my websites to determine the weight of a fish based on the length x girth / 775.  Although the text box sizes in the form are only "5" can someone still do a cxs attack using the simple form?  Here is what I placed inside my php processing file based on the strip_tags() exercise.  The processor file works fine returning the proper result.  Is this right and will it help to prevent a cxs attack?

/* Get the values from the $_POST array */
$length = $_POST['length'];
$girth = $_POST['girth'];

/* Calculate the total */
$total = (($girth*$girth)*$length /775);

/* round out the weight */
$total = number_format($total, 2);

/* adjust for html tags */
$strip_length = strip_tags($_POST['length']);
$strip_girth = strip_tags($_POST['girth']);
Link to post
Share on other sites

No script is too simple if you display output from users. I can make my own form and set your URL as the action. Therefor, no input should ever be trusted.


As this is number based, I would instead look at something like intval(). As much as you need to think security, you also need to assure input type here. Because if that, you'll often want to parse and check input before you work with it.


Your main problem here is that you assume your users will only input numbers. Try using text and see the result then. Your script will give error messages and not work as intended.

  • Upvote 2
Link to post
Share on other sites

Antonio is right in that it is very trivial for someone to submit to your PHP script from anywhere any which way. As such, you have to assume that any text can come in any way, and you need to guard against that accordingly.


If you are expecting a number, simply typecasting the submitted value as an integer or float with (int) or (float) accordingly should be more than sufficient.

However, if you are expecting text and you are going to display that text back to users in one form or another, then you should absolutely use htmlspecialchars or whatever.


As a side note, because numbers are much easier to validate and less subject to funny business, I try to make as many things number inputs as possible.

Link to post
Share on other sites

Wow, okay I'll remove it from my server until I understand a little more about security as I don't quite understand everything both of you are trying to tell me.  I'm guessing once I get through the book I'll have a better understanding and know what variables to use.  Thanks for your replies.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...