By admin | Category: Uncategorized | Posted March 18th, 2016
Cross-site Scripting attacks in PHP

Cross-site scripting, also known as XSS, is a type of code injection attack that results from a failure to validate data, usually data inserted into a page through a web form or an altered hyperlink. The injected code can be any malicious client-side code, such as JavaScript, VBScript, HTML, CSS, Flash and others. It is used to store harmful data on the server or to perform a malicious action within the user's browser.

Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. By reading the article below, you will be able to prevent this unfortunate scenario in your code.

Understanding XSS

Suppose we have the following HTML form, which posts its input to submit.php:

<form action="submit.php" method="post">
 <input type="text" name="codepamoja" value=""/>
 <input type="submit" name="submit" value="Submit"/>
</form>

When submit.php processes the request, the input value is received and echoed straight back to the browser like this:

<?php
// the submitted value is printed without any filtering or escaping
echo $_POST["codepamoja"];
?>

From the script above, it is clearly visible that the submitted data is not filtered for any HTML or script content. An attacker may submit the script below as the input; it is stored in the database and, when displayed, generates a JavaScript popup with the message "You have been hacked codepamoja":

<script>alert("You have been hacked codepamoja")</script>

Handling XSS attacks by preventing them in the first place

In order to make your application more secure, you should make sure you perform data validation, data sanitization and output escaping.

Data validation

This is achieved by ensuring that the data being submitted is of the intended type. For example, if you expect a name, you only allow strings of letters, not integers. The script below restricts an input to names by checking that the name starts with a capital letter and contains nothing but letters.

<?php
// validate the name: it must start with a capital letter and contain letters only
$name = $_POST["name"] ?? "";
if (preg_match("/^[A-Z][A-Za-z]*\z/", $name)) {
    // safe to echo: the pattern only admits letters
    echo $name . " is in a valid format.";
} else {
    echo "The name is not in a valid format.";
}
?>

We use the built-in preg_match() function with two parameters: the pattern to match, in our case a capital letter followed by any number of letters and anchored to the whole string, and the value we want to check against, in our case the name submitted through the form field name.
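The validation step above, as an added example that is not code from the original post: a small whitelist validator built on preg_match(), run over a few constructed inputs so you can see what the anchored pattern accepts and rejects. The function name validate_name and the sample values are assumptions made for this example.

```php
<?php
// Added example (not from the original post): whitelist validation of a
// name field with preg_match(). Function and sample values are constructed.

function validate_name(string $name): bool
{
    // Capital letter followed by letters only. ^ and \z anchor the pattern to
    // the whole string; \z (rather than $) also rejects a trailing newline,
    // which $ would silently allow.
    return preg_match('/^[A-Z][A-Za-z]*\z/', $name) === 1;
}

// Constructed sample inputs, standing in for $_POST["name"]
$samples = [
    'Alice',
    'alice',                 // does not start with a capital letter
    'Alice Smith',           // space is not a letter
    "Alice\n",               // trailing newline, rejected thanks to \z
    '<script>alert("You have been hacked codepamoja")</script>',
    '',
];

foreach ($samples as $s) {
    printf("%-62s %s\n", json_encode($s), validate_name($s) ? 'valid' : 'rejected');
}
```

Only the first sample is reported as valid; the script tag from the post never reaches the echo in the valid branch, because the pattern admits nothing but letters.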

Data Sanitization

Data Sanitization focuses on manipulating the data to make sure it is safe by removing any unwanted bits from the data and normalizing it to the correct form.

For example, if you need to remove any HTML tags from the submitted input:

<?php
// sanitize HTML out of the name: it makes no sense for a name to contain HTML tags
$name = strip_tags($_POST["name"] ?? "");
?>

Output Escaping

This involves preventing the browser from giving any unintended meaning to special sequences of characters in data that is displayed to the end user, for example data read back from the database. We mostly use the htmlspecialchars() function to do this, as in the example below:

<?php
// escape output sent to the browser; ENT_QUOTES also escapes single quotes,
// so the value is safe inside quoted attributes as well as in page text
echo "You searched for: " . htmlspecialchars($_GET["query"] ?? "", ENT_QUOTES, "UTF-8");
?>
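The sanitization and escaping steps, and the reflected input from the "Understanding XSS" section, brought together in one added example that is not code from the original post. It renders a search page from a constructed request array standing in for $_GET; the helper names e and render_search, the field name query and the sample requests are assumptions made for this example.

```php
<?php
// Added example, not code from the original post: the steps the post
// describes (sanitize, then escape for output) applied to a constructed
// request. Function names, field names and sample data are assumptions.

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and ". ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string, which would silently
    // drop the whole output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the search results fragment for a submitted query. */
function render_search(array $get): string
{
    $query = (string) ($get['query'] ?? '');
    // Sanitize: a search term never needs HTML tags, so strip them.
    // Note that strip_tags keeps the text between the tags.
    $query = strip_tags($query);
    // Escape: every place the query is echoed, the attribute value included,
    // goes through e(), so whatever survived sanitization is plain text.
    return '<input type="text" name="query" value="' . e($query) . '"/>' . "\n"
         . '<p>You searched for: ' . e($query) . '</p>' . "\n";
}

// Constructed sample requests (standing in for $_GET)
$requests = [
    ['query' => "O'Brien"],
    ['query' => '<script>alert("You have been hacked codepamoja")</script>'],
];

foreach ($requests as $r) {
    echo render_search($r), "\n";
}
```

For the first request the apostrophe is emitted as &#039;, so the name still reads correctly but cannot terminate the attribute. For the second, strip_tags leaves alert("You have been hacked codepamoja") and e() turns the quotes into &quot;, so the browser shows the text instead of running it. The important design point is that escaping happens at output, per context, and does not rely on sanitization having caught everything.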


When the techniques above are applied, your application will be protected against attackers who use input fields as a gateway to inject JavaScript, whether to steal data or just to create bugs in your application. I hope this article was of use to all developers, as all the methods above can be applied not only in PHP but in other languages as well.

Happy Coding!

Posted by Evingtone Ngoa
