所以基本上有人告诉我我的网站容易受到XSS攻击,所以我正在努力解决这个问题。有人告诉我,htmlspecialchars方法是防止这种情况的好方法。
我做了这个功能
function _e($string){
return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
我正在使用它,如下面的
$userName = _e($_POST['userName']);
$Pass = _e($_POST['password']);
问题:
1)XSS攻击仅基于输入,还是需要在警报和回应语句上执行此操作?
2)我是否在下面的页面中成功停止了XSS攻击?**
<?php
session_start();
if(isset($_SESSION['user_id'])){
header("Location: index.php");
}
function _e($string){
return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
include '../includes/connection.php';
$userName = _e($_POST['userName']);
$Pass = _e($_POST['password']);
if(!empty($userName) && !empty($Pass)){
$sql = "SELECT * FROM Admins WHERE Username='$userName'";
$sqlr = mysqli_query($connect,$sql);
$sqlrow = $sqlr->fetch_assoc();
$dbPass = $sqlrow['Password'];
$hash = password_verify($Pass, $dbPass);
if ($hash == 0){
die("There was no password found matching what you have entered.");
}else{
$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$dbPass' AND AdminLevel >=1";
$results = mysqli_query($connect,$records);
if ($results->num_rows == 1){
$row = $results->fetch_assoc();
$_SESSION['user_id'] = $row['ID'];
$_SESSION['admin_level'] = $row['AdminLevel'];
$_SESSION['user_name'] = $row['Username'];
$easyName = $_SESSION['user_name'];
$recordsS = "UPDATE `Admins` SET Status='1' WHERE Username='$userName'";
$resultsS = mysqli_query($connect,$recordsS);
header("Location: index.php");
}else{
$message = "Either you have entered the incorrect login information, or you account has not been approved yet.";
echo "<script type='text/javascript'>alert('$message');</script>";
}
}
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>ServerSide Moderation Services</title>
<link rel="stylesheet" href="../styles/mainStyles.css" type="text/css" />
<link rel="stylesheet" href="../styles/loginFormStyle.css" type="text/css" />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body class="body">
<?php include '../includes/header.php'; ?>
<div class="mainContent">
<div class="logRegArea">
<article class="leftContent">
<header>
<h2 class="loginArea" style="text-align:center">Login Below:</h2>
</header>
<content>
<div id="login">
<form action="../pages/login.php" method="POST">
<input type="text" placeholder="Enter Your Username" name="userName">
<input type="password" placeholder="Enter Your Password" name="password">
<input type="submit">
</form>
</div>
</content>
</article>
</div>
</div>
<footer class="mainFooter">
<p>This website was developed by ROBLOX user: <a href="https://www.roblox.com/users/8869935/profile" title="Made by: wattleman">wattleman</a></p>
</footer>
</body>
</html>
答案 0 :(得分:1)
直接回答你的两个问题:
1)如果您的消息包含来自代码以外的任何来源的数据,请对其进行清理。信任没有。
2)有点。但是,我无法在任何地方看到您的数据输出。
这里有两件事你需要考虑。
1)通过在插入数据库之前将htmlspecialchars应用于用户提供的数据,您已经修复了XSS的大部分问题。但是,通常最好在回显到页面时插入数据&#34; raw&#34;和应用htmlspecialchars。这是因为转换html实体对生成HTML有意义,但没有别的。如果您需要运行搜索,创建导出等,您可能会发现自己需要再次将这些实体转换回来。
2)您对SQL注入攻击持开放态度。 htmlspecialchars提供零保护。您需要使用mysqli_real_escape_string或参数化查询。有关here的更多信息。