I am accepting user text in a form and echoing it back on the page (the code goes to the database as well but that is prepared queries so no worries there). I wanted to know if there are any possible security implications that can be caused by it? On the server side I mean, i know on the client side you can break but can you reach server side?
I need to know if something like eval c开发者_如何学JAVAan be possibly done with this case.
The scenario you explained is called XSS. It is possible to compromise your server with the help of an XSS vulnerability, but it does need other things to fall in place.
Say you have an administrator account that has permissions to make configuration changes to your server over the web. Now, if an attacker creates a XSS link and somehow gets the administrator to click it, his account would be compromised.
Once the attacker has administrator access, he can systematically take control of the entire system. This happened recently with Apache - read their article on it. It is the best write-up on a security incident I have ever seen, you will learn a lot from it.
use htmlspecialchars($yourstring) in php, or strip characters, no need to open possibilities for exploits.
If you use the user input directly to query an SQL database, you can be subjected to SQL injections. Just google it for examples.
EDIT: Oh, I missed the text saying that you just echo the text. Hm, well, maybe the user can issue PHP commands if you evaluate the user input. But I don't know why you should do that because then the user could issue any PHP commands to the server (which is a clear security risk)...
Use:
echo htmlentities($string);
Everywhere. Unless you want to open your application to dozens of possible attacks:
http://ha.ckers.org/xss.html
If you need to echo a HTML markup:
1) Use HTMLPurifier on the HTML before saving it to the database.
2) I recommend to use XHTML STRICT filtering.
3) Disallow tags like scripts, frame, attributes like onclick etc. The list of tags and attributes users entering HTML should never need is quite long. Just restrict them to what they might need, e.g.: p, ol, ul, h1, h2, h3, dl, abbr, img (these can be dangerous, many possible attacks through img tag, be careful), a (detto), table, maybe few more.
精彩评论