John Mellor

Reputation: 2503

PHP - Form protection examples

Is there a list of example attacks that can be used to test a PHP form?

In particular it is for a forum, which is using a parser to parse bbcode and doesn't accept HTML directly.

At the moment it runs through CodeIgniter's xss_clean function as well as htmlspecialchars.

If it makes any difference, it runs htmlspecialchars_decode() when putting the data back into an input or textarea for editing, but not when displaying normally.

There are some areas I don't fully understand (not ever having tried to hack a website), such as someone posting an image which runs through a script or adding additional lines of JavaScript to an image. So I'm mainly looking for examples that I can put into my form to test if it handles them.

I should note that I have avoided using strip_tags as it messes up in various instances such as:

If I type X < Y then it will strip everything after the X

Upvotes: 0

Views: 490

Answers (2)

Seralize

Reputation: 1127

I would recommend using CodeIgniter's html_escape function instead of htmlspecialchars. Not only can you come back and add security to all your output from one centralized place since it's a function, but it also sanitizes arrays.

Also check this out. Link is working, the server just seems to be down for the moment. Here is the 'short' version.

Upvotes: 0
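The escaping round trip the question describes (escape on store/display, decode when pre-filling the edit field) and the strip_tags pitfall, as an added example that is not code from the question, the answer or CodeIgniter. The array-aware helper is my own stand-in for the behaviour the answer attributes to html_escape; the sample post text is constructed.

```php
<?php
// Added example (not from the question, the answers or CodeIgniter).
declare(strict_types=1);

// Escape one string for HTML output. ENT_QUOTES covers both quote styles,
// so the result is also safe inside attribute values such as value="...".
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape a string or an arbitrarily nested array of strings in one call,
// mirroring the "also sanitizes arrays" convenience the answer mentions
// (a hypothetical helper, not CodeIgniter's html_escape itself).
function escapeDeep(array|string $value): array|string
{
    if (is_array($value)) {
        return array_map('escapeDeep', $value);
    }
    return escapeForHtml($value);
}

// Pre-fill an <input>/<textarea> from a stored, already escaped value.
// Decoding then re-escaping keeps exactly what the user typed and avoids
// turning &lt; into &amp;lt; on every edit cycle.
function escapeForEditField(string $storedEscaped): string
{
    $original = htmlspecialchars_decode($storedEscaped, ENT_QUOTES | ENT_HTML5);
    return escapeForHtml($original);
}

// Constructed sample post: harmless bbcode, a "less than" comparison, and
// an HTML tag that must reach the browser only as text.
$post = '[b]Note:[/b] if X < Y then <script>alert(1)</script> shows as text';

$stored = escapeForHtml($post);
echo "Displayed: {$stored}\n";
// [b]Note:[/b] if X &lt; Y then &lt;script&gt;alert(1)&lt;/script&gt; shows as text

echo "Edit field: " . escapeForEditField($stored) . "\n";
// Identical to the displayed string: no doubled entities.

print_r(escapeDeep(['title' => 'A & B', 'tags' => ['<x>', 'y']]));
// title => A &amp; B, tags => [&lt;x&gt;, y]

// The strip_tags pitfall from the question: a '<' that never meets a '>'
// is treated as an opening tag, and the remainder of the string is lost.
echo "strip_tags: " . strip_tags('If I type X<Y then this is gone') . "\n";
// If I type X
```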

John Mellor

Reputation: 2503

I can't accept it as the answer since it was a comment, but @ComFreek gave a really useful link. Just put these into your forms to check for errors.

Lots of them are only found in older browsers though, particularly old versions of IE.

ha.ckers.org/xss.html

Upvotes: 2
