Question

I am trying to make one website for my school and I just started from the basics to test
the security of our website, and it was observed that while getting this output from the
code, if we put Name: ../ and Information: (any HTML code) then it changes that page
into the HTML code which was injected. Is there any solution for how I can prevent this problem so that I have much higher security? The HTML code is

<html>
<head>
<title>Submit your form</title>
</head>
<body bgcolor="Black" text="#FFFFFF" link="#FFF833" vlink="#FFF833">
<center><table width=600 cellspacing=0 cellpadding=0 align="center"><tr><td>
<font face="verdana" size=2><b>Use this form to submit your information to the website.<br /><br />Note: Information will be stored online immediately but will not be listed on the main page until it has a chance to be looked at.<br /><br />
<form action="submit.php" method="post">Name:<br />
<input type="text" name="name">
<br /><br />Information<br /><textarea rows=15 cols=40 name="text"></textarea>
<br /><br /><input type="submit" value="add text"></form></b></font>
</td></tr></table>
</center>
</body>
</html>

Solution

As I have stated twice, it depends entirely on how you're saving this user input... wait, that's three times now XD

I'm going to guess your code is:

// The guessed (vulnerable) code: $_POST['name'] goes straight into a filesystem path
file_put_contents("submissions/".$_POST['name']."/index.html", $_POST['text']);

But if $_POST['name'] is ../ then you are saving their submission to submissions/..//index.html... in other words you are overwriting the homepage of the site! And by allowing $_POST['text'] to be dumped in there with no safety just lets anyone do what they want.

Instead, you should be saving these submissions to a database, referencing them by an ID number, and using something like htmlspecialchars to prevent input HTML from being processed.

OTHER TIPS

You need to add some filters for each input field, because if you are not doing this then the chances of XSS (cross-site scripting) increase. So whenever you are taking input from the user, for example username, password, email IDs etc., always check that the fields do not contain HTML tags, especially the JavaScript tag. If you allow the JavaScript tag in the input it will cause session hijacking, so please check everything before launching on the final domain and host. GOOD LUCK
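The accepted answer recommends storing submissions in a database keyed by an ID and escaping them with htmlspecialchars, and the tip above asks for input filtering against XSS. The following submit.php is an added example written for this page, not code from either poster: it replaces the guessed file_put_contents() call with a SQLite table (via PDO, assumed available), rejects names that fail a strict allowlist so a value like ../ can never reach a path, and renders stored text as inert HTML. The form field names name and text come from the question's form; the table layout and the reviewed flag are assumptions.

```php
<?php
// Added example (not the original poster's or answerer's code). Hardened
// replacement for the guessed submit.php: submissions go into a SQLite table
// keyed by an autoincrement id, never into a filesystem path built from
// user input, and are escaped with htmlspecialchars() when rendered.
// Assumptions: PDO with the sqlite driver is available and the file
// submissions.sqlite (assumed name) is writable by the web server.
declare(strict_types=1);

function openDb(string $path = __DIR__ . '/submissions.sqlite'): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS submissions (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        name     TEXT    NOT NULL,
        body     TEXT    NOT NULL,
        reviewed INTEGER NOT NULL DEFAULT 0,
        created  TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
    )');
    return $db;
}

// Validate the display name with a tight allowlist: values such as "../"
// are rejected outright instead of being "cleaned up".
function validName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 .\'-]{1,60}$/', $name);
}

// Store a submission; the prepared statement keeps the text as data, and
// the returned id is the only thing ever used to look it up again.
function storeSubmission(PDO $db, string $name, string $text): int
{
    if (!validName($name)) {
        throw new InvalidArgumentException('invalid name');
    }
    if ($text === '' || strlen($text) > 20000) {
        throw new InvalidArgumentException('text missing or too long');
    }
    $stmt = $db->prepare('INSERT INTO submissions (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $text]);
    return (int) $db->lastInsertId();
}

// Render one reviewed submission as inert text: any tag the user typed is
// shown literally instead of being parsed by the browser.
function renderSubmission(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name, body FROM submissions WHERE id = :id AND reviewed = 1');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such submission.</p>';
    }
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = nl2br(htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<h2>{$name}</h2>\n<p>{$body}</p>";
}

// Request handling for the form in the question (fields "name" and "text").
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = openDb();
    try {
        $id = storeSubmission($db, (string) ($_POST['name'] ?? ''), (string) ($_POST['text'] ?? ''));
        echo 'Saved as submission #' . $id . '; it will appear once it has been reviewed.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design points: the name is validated, not sanitised, because stripping characters from user input invites bypasses, whereas an allowlist simply refuses anything unexpected; and escaping happens at render time rather than at storage time, so the database holds the original text and the output encoding is decided by the page that displays it.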

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow