Anti-XSS attack
What is an XSS attack?
code example:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>XSS principle reproduction</title>
<body>
<form action="" method="get">
<input type="text" name="xss_input">
<input type="submit">
</form>
<?php
// Deliberately vulnerable: the submitted value is written into the page without escaping
$xss = isset($_GET['xss_input']) ? $_GET['xss_input'] : '';
echo 'The character you entered is <br>' . $xss;
?>
</body>
Note: to make the form submit its data back to the same page, leave the form's action attribute empty.
If we enter <script>alert('XSS')</script> in the form, the echo statement effectively becomes:
echo 'The character you entered is <br>' . "<script>alert('XSS')</script>";
so the browser runs the script and pops up the alert box: the attacker's input has become part of the program. Beyond a harmless alert, injected script can do anything the page's own script can: refresh or redirect the page, deface the page or tamper with its forms, steal cookies, and send requests with AJAX (XMLHttpRequest) on the user's behalf.
Note: some browsers recognise simple XSS attack strings and block them. When I ran this experiment in Chrome the payload was blocked automatically, while the Cheetah browser let it through. Chrome has since removed that filter (the XSS Auditor), so never rely on the browser: the page itself must escape its output.
XSS (Cross-Site Scripting) is an attack in which a malicious attacker embeds a malicious script in a web page. When a user opens the page, the script executes in that user's browser: it can steal the user's cookies, user name and password, download and run viruses and Trojan horse programs, and even obtain administrator privileges on the client.
Preventing XSS attacks
Fundamentally, the fix is to eliminate the XSS vulnerability in the site itself: developers must escape untrusted data before writing it into the page, apply the other defences described below, and keep security in mind at all times.
The simplest measure is to filter and escape the data submitted from the form; PHP's built-in string functions do this well.
The htmlspecialchars() function
code example:
<?php
if (isset($_POST['name'])) {
    $str = trim($_POST['name']);                          // clean up surrounding spaces
    $str = strip_tags($str);                              // remove HTML tags
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');   // convert special characters to HTML entities
    $str = addslashes($str);                              // used here against SQL injection; prepared statements are the proper defence
    echo $str;
}
?>
<form method="POST" action="">
<input name="name" type="text">
<input type="submit" value="submission">
</form>
htmlspecialchars() converts the characters that have special meaning in HTML (&, <, >, the double quote, and with the ENT_QUOTES flag also the single quote) into entities such as &lt;, so the browser displays what was typed as text instead of interpreting it as markup. The effect is the same as quoting a value so that it cannot be interpreted, which is also how escaping defends against SQL injection.
Function reference: http://www.runoob.com/php/func-string-htmlspecialchars.html
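The following is an added example, not code from the original post. It hardens the echo from the vulnerable page for both places a form like the ones above writes user input into (HTML text and a quoted attribute value) and shows why the ENT_QUOTES flag matters. It assumes PHP 7.4 or later and a UTF-8 page; the helper names escapeHtml, renderEcho and renderForm and the payload list are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. Assumes PHP 7.4+ and a UTF-8 page.
// The helper names and the payload list below are constructed for this example.

/** Escape a string for insertion as HTML text or inside a quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES: also convert the single quote. Before PHP 8.1 the default flags
    // leave it alone, which lets input break out of a single-quoted attribute.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning an
    // empty string, which would otherwise silently drop the whole output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The echo from the vulnerable page, with the input escaped (HTML text context). */
function renderEcho(string $input): string
{
    return 'The character you entered is <br>' . escapeHtml($input);
}

/** Reflect the value back into the input box (HTML attribute context). */
function renderForm(string $input): string
{
    return '<input type="text" name="xss_input" value="' . escapeHtml($input) . '">';
}

// Constructed payloads: one per context, plus ordinary text that must stay readable.
$payloads = [
    "<script>alert('XSS')</script>",        // HTML text context, as in the post
    '" onfocus="alert(1)" autofocus="',     // breaks out of a double-quoted attribute
    "' onfocus='alert(1)' autofocus='",     // breaks out of a single-quoted attribute
    'Tom & Jerry <3',                        // legitimate input, must survive readable
];

foreach ($payloads as $p) {
    echo renderEcho($p), "\n";
    echo renderForm($p), "\n";

    // With ENT_QUOTES nothing that can open a tag or close a quoted attribute survives.
    if (strpbrk(escapeHtml($p), "<>\"'") !== false) {
        throw new RuntimeException('escaping left an HTML metacharacter in: ' . $p);
    }

    // ENT_COMPAT (double quotes only) is the default before PHP 8.1: the single
    // quote survives, so the third payload would still break out of a
    // single-quoted attribute such as value='...'.
    $weak = htmlspecialchars($p, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
    echo 'single quote survives ENT_COMPAT: ', var_export(strpos($weak, "'") !== false, true), "\n\n";
}
```

Run it with php on the command line: every payload is printed as inert text, and the ENT_COMPAT line is true only for the single-quote payload. The flags are spelled out rather than left to the default because the default changed in PHP 8.1, and code that must run on older versions should not depend on it; escaping is applied at output time, in the context the value is written into, which is the rule that generalises beyond this page.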