Before we dig into XSS, let's look at the basic variable and function through which this exploit can happen.

$_SERVER["PHP_SELF"]

  • It's a superglobal variable.
  • It returns the filename of the script that is currently executing.
  • We use it to post data back to the same page rather than redirecting the user to another page. For example, comments on a blog post.

In a form, $_SERVER["PHP_SELF"] is echoed into the action attribute like this:


<form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">

Now hackers can easily use that $_SERVER["PHP_SELF"] against you. They append a "/" to the script URL followed by some Cross Site Scripting (XSS) code, and the script echoes it back into the page. Let's see how that works.

Let's say our current script is "example.php". After the statement above is executed, the browser receives the following form, which posts back to the same script when the user clicks the submit button:


<form method="post" action="example.php">

Now if a hacker edits the address bar and requests the following URL, it will mess up your web page.


http://www.domain.com/example.php/%22%3E%3Cscript%3Ealert('you have virus inside your computer')%3C/script%3E

So, when the hacker requests that URL, the form is rendered as follows, because $_SERVER["PHP_SELF"] now contains the injected path (the server URL-decodes %22%3E%3Cscript%3E into "><script>):


<form method="post" action="example.php/"><script>alert('you have virus inside your computer')</script>">

The injected quote closes the action attribute early, the script tag is added to the page, and the browser runs whatever is inside that tag. So, when the whole page loads, the JavaScript code is executed and the user sees the alert about a virus on their PC. (Familiar with those kinds of alerts?!)

That is a very basic JavaScript example injected into the PHP form. In many cases hackers will instead redirect the user to a file on a different server, and in the end the user might get actual malware on their computer!

So, can we avoid this $_SERVER["PHP_SELF"] vulnerability?

I have good news. YES WE CAN!

PHP has a function called htmlspecialchars(), and we can use it to avoid this exploit.

After adding htmlspecialchars() to the form, it looks like this:


<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

What does the htmlspecialchars() function do?

  • It converts special characters into HTML entities.
  • For example, if there is a " (double quote) in the value, it is converted to &quot; (or &#34;).
  • So, even if a hacker tries to inject a script tag, the browser treats it as plain text inside the attribute and it won't run.

The hacker's input becomes the following after htmlspecialchars() is applied:


<form method="post" action="example.php/&quot;&gt;&lt;script&gt;alert('you have virus inside your computer')&lt;/script&gt;">

So, the whole attack fails, and your valuable customers or users won't have any problem submitting data on your website.
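As an added example (not code from the original post), here is the self-posting form from the article rendered both the unsafe way and with htmlspecialchars(), so the two outputs can be compared side by side. The PHP_SELF value the article's URL would produce is simulated as a constructed input when the script runs from the command line, and the function names render_form_unsafe, render_form_safe and contains_injected_tag are my own.

```php
<?php
// Added example: the article's form rendered unsafely and safely from the same
// PHP_SELF value. Nothing here is the original post's code.

declare(strict_types=1);

// Vulnerable form: PHP_SELF is echoed raw into the action attribute.
function render_form_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '"><input type="submit"></form>';
}

// Hardened form: every HTML metacharacter in PHP_SELF is entity-encoded before it
// reaches the attribute. ENT_QUOTES encodes both " and ' (PHP before 8.1 left '
// alone by default), and ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function render_form_safe(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '"><input type="submit"></form>';
}

// A check a defender can keep in a test suite: rendered markup built from a
// request path must never contain a live <script> tag.
function contains_injected_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: what PHP_SELF holds when the URL from the article is requested.
// The web server URL-decodes %22%3E%3Cscript%3E... into "><script>... before PHP sees it.
$phpSelf = $_SERVER['PHP_SELF'] ?? '';
if (PHP_SAPI === 'cli') {
    $phpSelf = '/example.php/"><script>alert(\'you have virus inside your computer\')</script>';
}

$unsafe = render_form_unsafe($phpSelf);
$safe   = render_form_safe($phpSelf);

echo "Unsafe : $unsafe\n";   // attribute closed early, script tag is live markup
echo "Safe   : $safe\n";     // whole value stays inside the attribute as text
echo 'Unsafe contains a script tag: ' . (contains_injected_tag($unsafe) ? 'yes' : 'no') . "\n";
echo 'Safe contains a script tag:   ' . (contains_injected_tag($safe) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php` from a terminal to see both renderings. Two points worth keeping in mind: on PHP versions before 8.1, htmlspecialchars() defaults to ENT_COMPAT, which is why the single quotes inside alert('...') survive in the article's encoded output, so pass ENT_QUOTES explicitly when the value lands in an attribute; and in a real request PHP_SELF starts with a slash and carries the extra path segment (PHP_SELF is SCRIPT_NAME plus PATH_INFO), so using $_SERVER['SCRIPT_NAME'] (still encoded) or an empty action="" removes the attacker-controlled path from the sink altogether.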

19 Comments

Brinquedos Portugal

Nov 19, 2020 06:11:29 am

I enjoy what you guys are usually up to. This type of clever work and exposure! Keep up the very good work, guys. I've added you guys to my blogroll.

need for speed games

Nov 18, 2020 04:11:35 am

Hi, nice post! I've shared it with users on my website, and they really liked it! Have a good day.

เสื้อลูกไม้

Nov 17, 2020 07:11:58 am

If you are going for the best contents like I do, just pay a visit to this site every day because it offers feature contents, thanks.

Caitlyn

Nov 16, 2020 03:11:13 pm

It's great that you are getting thoughts from this article as well as from our argument made here.

Grim

May 30, 2020 04:05:36 pm

Hey there, this is somewhat off topic but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML. I'm starting a blog soon but have no coding know-how so I wanted to get advice from someone with experience. Any help would be enormously appreciated!

Omigo

May 29, 2020 11:05:16 pm

An impressive share! I've just forwarded this onto a colleague who had been conducting a little homework on this. And he actually ordered me lunch due to the fact that I discovered it for him... lol. So let me reword this.... Thank YOU for the meal!! But yeah, thanks for spending time to talk about this issue here on your blog.

Hakumk

May 11, 2020 05:05:26 pm

I am genuinely delighted to glance at this blog's posts, which consist of plenty of useful information, thanks for providing such statistics.

Julia

May 08, 2020 03:05:54 pm

It is truly a nice and helpful piece of information. I am happy that you shared this useful info with us. Please keep us informed like this. Thanks for sharing.

Same old

May 05, 2020 05:05:51 am

I have been browsing on-line more than three hours nowadays, but I never discovered any fascinating article like yours. It's beautiful value sufficient for me. In my opinion, if all website owners and bloggers made just right content as you probably did, the web can be much more useful than ever before.

Nick

May 01, 2020 01:05:32 am

Hi! This is kind of off topic but I need some help from an established blog. Is it difficult to set up your own blog? I'm not very technical but I can figure things out pretty fast. I'm thinking about creating my own but I'm not sure where to start. Do you have any ideas or suggestions? Thank you

Lilian

Apr 28, 2020 02:04:45 pm

Hey, very nice site!! Man .. Excellent .. Wonderful .. I'll bookmark your website and take the feeds also? I am happy to search out so many helpful info right here in the put up, we need develop extra techniques on this regard, thanks for sharing.

Bush

Apr 28, 2020 01:04:57 pm

I blog quite often and I really thank you for your information. This article has really piqued my interest. I am going to bookmark your site and keep checking for new information about once a week. I subscribed to your Feed as well.

Sheldon

Apr 28, 2020 12:04:04 am

Greetings! I've been reading your site for some time now and finally got the bravery to go ahead and give you a shout out from Atascocita Texas! Just wanted to tell you keep up the good work!

Maya

Apr 27, 2020 10:04:30 pm

Hey, are you using WordPress for your site platform? I'm new to the blog world but I'm trying to get started and create my own. Do you require any coding knowledge to make your own blog? Any help would be greatly appreciated!

Wallace

Apr 27, 2020 04:04:36 pm

I love everything about this article!! Photography, Creation & Production! Amazing work well done!

Jikin O

Apr 25, 2020 09:04:21 pm

Now I am ready to do my breakfast, once having my breakfast coming yet again to read more news.

Judy

Apr 23, 2020 07:04:43 pm

I've been surfing on-line more than 3 hours as of late, but I by no means discovered any fascinating article like yours. It's beautiful value enough for me. In my opinion, if all website owners and bloggers made excellent content as you did, the web can be much more useful than ever before.

online

Mar 13, 2020 07:03:39 pm

Hi there, I discovered your site via Google even as looking for a comparable topic, your website came up, it seems to be good. I've bookmarked it in my google bookmarks. Hello there, simply was aware of your weblog thru Google, and located that it's really informative. I am gonna watch out for brussels. I will appreciate if you continue this in future. Lots of other folks will probably be benefited from your writing. Cheers!

Jim

Feb 03, 2020 07:02:22 am

why think about xss.... just chill man...
