To demonstrate XSS attack, I am building a web app which does the following:
- Works like a forum
- Takes posts from users via a HTML textarea and store these messages in the mysql db
- Displays all posts from the users on a thread. The objective is to show an XSS attack such as
alert("attack");
due to insufficient filtering of the input.
I am using a MySql db with Apache and PHP.
On entering the following input into the textarea:
<script>alert("attack");</script>
The data is just not being added to the DB and the $_POST method in开发者_运维百科 the page which stores the posts into the database is returning an empty string. However, all other cases are working. I have so far not used any special functions used for input filtering in PHP, as this is an app to demonstrate XSS.
However, on manually adding the above script into the DB, the expected alert box pops up.
Anyone knows what's going on?
Do you escape the input data with mysql_real_escape_string or similar? If you don't your quotes will probably mess with the generated SQL query.
精彩评论