What you should do is use htmlentities() at the time you output the result.
This is vulnerable:
// Input:
$Nome = $_POST['nome'];
// Output:
echo $Nome;
This is relatively safe against XSS:
// Input:
$Nome = $_POST['nome'];
// Output:
echo htmlentities($Nome, ENT_QUOTES | ENT_HTML5, 'UTF-8');
ENT_QUOTES is used so that PHP escapes the ' and also the ". As for ENT_HTML5 and UTF-8, they are used to define the "language" we are "communicating" in, basically the same principle we have to follow when using mysqli_real_escape_string. To be sure we have control over the character encoding and that it is the same one specified in htmlentities, define the same encoding in <meta> and also in the Content-Type header.
Never save the result of htmlentities(). WordPress, which publicly says that security is not a priority, has done so in the past. WordPress failed once and then failed again.
How everything can go wrong...
We still have some resources to keep the damage of an XSS from being greater: set the session cookie to "httpOnly" and "Secure" (which requires HTTPS), using:
session.cookie_httponly = On
session.cookie_secure = On
Use the Content-Security-Policy header to prevent external content from being loaded into the site and to define which sites are trusted, for example:
Content-Security-Policy: script-src 'self' https://cdn.example.net https://ajax.googleapis.com https://www.google-analytics.com; child-src 'none'; object-src 'none'; upgrade-insecure-requests
This will prevent anyone from loading an insecure script.
Recommended links:
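The controls from the answer combined in one PHP request handler, as an added example that is not part of the original answer. The form field name nome, the htmlentities() flags and the hosts in the Content-Security-Policy are taken from the answer; the session key, the page markup, the helper name e() and the extra ENT_SUBSTITUTE flag are assumptions made for this example.

```php
<?php
// Added example, not code from the original answer. One request handler that
// applies every control the answer lists: cookie flags, a declared charset in
// both the header and <meta>, a CSP, raw storage and escaping only at output.

declare(strict_types=1);

// 1. Session cookie flags. Equivalent to session.cookie_httponly = On and
//    session.cookie_secure = On in php.ini; they must be set before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');   // the site must be served over HTTPS
session_start();

// 2. Declare the encoding in the HTTP header. The same charset is repeated in
//    <meta> below and passed to htmlentities(), so all three agree.
header('Content-Type: text/html; charset=UTF-8');

// 3. Content-Security-Policy from the answer: own scripts plus the listed hosts,
//    no plugins, no frames, HTTP sub-resources upgraded to HTTPS.
header("Content-Security-Policy: script-src 'self' https://cdn.example.net "
     . "https://ajax.googleapis.com https://www.google-analytics.com; "
     . "child-src 'none'; object-src 'none'; upgrade-insecure-requests");

// Escape at output time only. ENT_QUOTES covers ' and ", ENT_HTML5 selects the
// HTML5 entity table, and 'UTF-8' must match the declared document charset.
// ENT_SUBSTITUTE (assumption, not in the answer) makes an invalid UTF-8 byte
// sequence come out as U+FFFD; without it htmlentities() returns an empty
// string for such input, which silently blanks the field.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Store the RAW value. Storing the htmlentities() result means escaping it
//    again on output yields "&amp;lt;" instead of "&lt;", and the stored string
//    is wrong for every non-HTML context (JSON, e-mail, a SQL parameter).
if (isset($_POST['nome'])) {
    $_SESSION['nome'] = (string) $_POST['nome'];   // session key 'nome' is an assumption
}
$nome = $_SESSION['nome'] ?? '';

?>
<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <meta charset="UTF-8">
  <title>Exemplo</title>
</head>
<body>
  <!-- HTML body context: escaped with e() -->
  <p>Olá, <?= e($nome) ?></p>

  <!-- Attribute context: the value is quoted AND escaped. ENT_QUOTES is what
       stops a payload such as  " onmouseover="alert(1)  from closing the quote. -->
  <form method="post">
    <input type="text" name="nome" value="<?= e($nome) ?>">
    <button type="submit">Enviar</button>
  </form>
</body>
</html>
```

Serve the file over HTTPS and submit a value such as <script>alert(1)</script> in the nome field: the response shows the literal text, the session cookie carries HttpOnly and Secure, and a browser console reports any script that the CSP refuses to load.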