Form stores data in mysql database - XSS vulnerability

Question

I have a form with one textarea field. The field is set to accept anything and stores the input in the database when submitted. The code is then made public as a url ex: domain.com/asd. I'm not doing any type of strip_tags, htmlentities or any type of xss prevention.

My Question is, what harm can this possibly cause. Can a user do any type of xss to fetch information from the database during either input or output.

Answer 1

When you accept input from the user you should at least:

• for database use PDO to prevent SQL-injections.
• use filter to prevent XSS

Otherwise your code is going to be unsafe as hell.

I would recommend you to read OWASP to know more about a lot of vulnerabilities. Especially the page OWASP top 10 is a must read.

Answer 2

XSS does not make any attacks possible against your server which would not be possible without XSS. What XSS does is to enable an unauthorized user to act as an authorized user. If you don't have user authentication on your site, XSS is usually not a threat.

Answer 3

You might be in serious threat of stored xss attacks, Stored cross site scripting :

A Stored Cross Site Scripting vulnerability occurs when the malicious user can store some attack which will be called at a later time upon some other unknowing user. The attack is actually stored in some method to be later executed.

So, if the malicious code is in the text area and you store it. At a later point of time when you display the data stored in the db, its like you are executing the code right. Apart from this, there are a lot other ways to play with your database whenever you use the data from the textarea in your SQL query.