You need to sanitise your GET variables.
e.g.
http://denby.ukhost-group.co.uk/room.php?one="><img src=http://x.org/X.jpg width="
Where X is Lemonparty, Goatse etc. - take your pic.
dnt no what you mean?
anyroad i got it working fine now
thanks
php help
- Thread starter denby
- Start date
dnt no what you mean?
anyroad i got it working fine now
thanks
I'm saying your script is vulnerable, secure it.
You can sanitise (clean the incoming data; htmlspecialchars() or htmlentities() will do the trick) or validate the input (make sure the incoming data is how you expect it to be; i.e. sure that the <param> attributes are valid).
You can sanitise (clean the incoming data; htmlspecialchars() or htmlentities() will do the trick) or validate the input (make sure the incoming data is how you expect it to be; i.e. sure that the <param> attributes are valid).
argh found a problem
im using this php to send params to an activex control
its a basic chat.ocx
but when i use links like this
index.php?server=gggg
it only printf's the param names and overrides the html from showing/loading..
when i run plain index.php the chat works but has no params.
code
any idea how to make it printf the php part and write the html as well?
http://denby.ukhost-group.co.uk/index3.php?Server=irc.amcool.net
cheers
im using this php to send params to an activex control
its a basic chat.ocx
but when i use links like this
index.php?server=gggg
it only printf's the param names and overrides the html from showing/loading..
when i run plain index.php the chat works but has no params.
code
Code:
<html>
</object>
<OBJECT ID="ChatFrame"
CLASSID="CLSID:982E01D9-0386-441C-B151-83035135A918"
CODEBASE="CHAT.ocx">
foreach ($_GET as $param => $value) {
printf('<PARAM NAME="%s" value="%s">%s',$param,$value,"\n");
}
</OBJECT>
</BODY>
</HTML>
<html>any idea how to make it printf the php part and write the html as well?
http://denby.ukhost-group.co.uk/index3.php?Server=irc.amcool.net
cheers
Last edited:
hmm, I never can get the hang of using that straight off the bat!
I thought of a better way anyway:
PHP:foreach ($_GET as $param => $value) { printf('<param name="%s" value="%s" />',$param,$value); }
ugh why would you do this
in that case....
Code:
echo '<param name="one" value="'.$_GET['one'].'" />';
echo '<param name="two" value="'.$_GET['two'].'" />';and so on....
edit: can't be bothered
Last edited:
I shall justify, but in a less rude way as I did before, because rob's comment was just totally unnecessary, in my opinion.
what I did works, which was what the OP asked for. When I started out, I wanted people to explain things like this to me in a simple way because anything more than that can be quite overwhelming. I, maybe incorrectly, assumed that the OP is just starting out with PHP, and didn't want to confuse him with htmlspecialchars and the like, because they weren't related to what he was trying to do.
So, you're right - in the grand scheme of things, it wasn't a good job - but when do you see tutorials for this sort of thing using htmlspecialchars? You don't - for the very same reason that I didn't.
psyreen was correct (I never disputed this), you do need to make-safe the data because a lot of harmful things can be run from $_GET, so please don't use solely what I posted if it's actually going online
however, I'd do this:
PHP:
foreach ($_GET as $param => $value) {
printf('<param name="%s" value="%s" />',htmlspecialchars($param),htmlspecialchars($value));
}if that's still very insecure - for my edification I would appreciate the feedback, but I'd never do anymore than that in a real-world example. obviously, you could create a blocklist - but that would add complexity to the situation that the OP doesn't seem to be after at this stage
Excuse me while I lodge a bullet in my brain. *sigh*