Demonstrating prevention of attacks with PHPrevent
From Dependability
PHP Injection
SQL Injection
Cross-Site Scripting
Cross-site scripting attacks occur when user-provided data are written into a web page without first checking that they are safe. A user can then inject active HTML content, such as a script element, and the browser runs it with the privileges of the hosting site (the site's cookies, session and DOM).
Therefore, the simplest way to demonstrate that PHPrevent prevents cross-site scripting attacks is a form in which a user supplies data that are then written into a web page. With PHPrevent, the user-provided data are checked before output to ensure they contain no dangerous elements. The check is PHPrevent's, not tidy's: on a stock PHP interpreter, the tidy output handler only repairs malformed markup, so the process page below would echo a submitted script unchanged.
Form page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<title>Simple Form</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<form action="formpost.php" method="POST">
<p>Please enter a comment:<br>
<input type="text" name="inputData">
<input type="submit" name="Submit">
</p>
</form>
</body>
</html>
From process page:
<?php
/* Use the tidy output buffer handler; under PHPrevent this is where the
   user-supplied data are checked before they reach the browser, which is
   what prevents cross-site scripting on this page. */
ob_start("ob_tidyhandler");
print <<<END
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<title>Submitted Form</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<p>
This is the form you entered:<br>
END;
/* The comment exactly as the user typed it; empty if the form was not submitted. */
$inputData = $_POST['inputData'] ?? '';
/* A script inside a string literal written by the page author, not taken from
   the request. It is kept for comparison with the user-supplied value and is
   not printed. */
$myInputData = "<script> boo </script>";
/* The user-supplied data reach the page here, unescaped: this is the point
   PHPrevent's check has to cover. */
print $inputData;
print "<br>\n";
print <<<END
</p>
</body>
</html>
END;
?>
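For comparison, the following is an added example, not code from the PHPrevent page or project: it rewrites the process page above for a stock PHP interpreter, where no interpreter-level check exists, so the comment has to be escaped explicitly at the point of output. The function names, the file name and the sample payloads are the example's own (constructed) choices; the markup it produces matches the original process page.

```php
<?php
declare(strict_types=1);

// Added example, not part of PHPrevent or of the original page. It shows the
// same "process page" logic on a stock PHP interpreter: the comment is escaped
// when it is inserted into the HTML. Run with: php xss_escape_demo.php

/** Escape a string for use as HTML text or inside a double-quoted attribute. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES: also escape ' and " so the value is safe inside attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning '' (an empty
    // string would silently hide the problem). The charset must match the one
    // the page declares in its Content-Type header or meta element.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/** The original page's behaviour: the comment is concatenated into the HTML as-is. */
function renderUnsafe(string $comment): string
{
    return "<p>This is the form you entered:<br>\n" . $comment . "<br>\n</p>\n";
}

/** Same markup, but the comment is escaped before it is inserted. */
function renderSafe(string $comment): string
{
    return "<p>This is the form you entered:<br>\n" . escapeHtml($comment) . "<br>\n</p>\n";
}

/**
 * Two properties worth checking for any output-escaping routine:
 *  1. none of < > " ' from the input survives, so the browser can neither see
 *     a new tag nor break out of an attribute value, and
 *  2. decoding the escaped text returns exactly the original, so escaping
 *     loses nothing the user typed (unlike stripping or filtering).
 */
function escapingIsSound(string $comment): bool
{
    $escaped = escapeHtml($comment);
    $noMarkup = strpbrk($escaped, "<>\"'") === false;
    $lossless = html_entity_decode($escaped, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $comment;
    return $noMarkup && $lossless;
}

// Constructed sample inputs: three classic XSS payloads and one benign comment
// that happens to contain characters that are special in HTML.
const SAMPLE_COMMENTS = [
    '<script>alert(document.cookie)</script>',
    '<img src=x onerror="alert(1)">',
    '" autofocus onfocus="alert(1)',   // attribute-context breakout
    'Tom & Jerry <3 "quotes"',         // harmless; must be displayed unchanged
];

if (PHP_SAPI === 'cli') {
    foreach (SAMPLE_COMMENTS as $comment) {
        echo "--- input: $comment\n";
        echo "unsafe: ", renderUnsafe($comment);
        echo "safe:   ", renderSafe($comment);
        echo "sound:  ", escapingIsSound($comment) ? "yes" : "no", "\n";
    }
}
```

Running it prints, for each payload, the markup the original page would have emitted beside the escaped version; the unsafe output for the first three inputs is a live script or event handler, while the escaped output renders the same characters as visible text. The ISO-8859-1 charset declared by the original pages is a practical caveat: the charset passed to htmlspecialchars must agree with what the page tells the browser, otherwise multi-byte sequences can be interpreted differently by the escaper and the browser.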