Php Xss Protection

So I am trying to build some of the applications using php and came across my code as being exposed to the XSS. I learned mostly the security advice like don't use this and that. But none of them were quite clear about the XSS related suggestion. So I am quite confused now where to ask for the advice. I tried stackoverlfow but very general level of help and mostly snarky and sarcastic remarks and less guidance towards to the solutions.

Where to look for the XSS related advice and solutions related to PHP? I am looking for some of the code snippet that can show me what is wrong and what can be done about the PHP XSS.

Hey Starscream

Good to see you here again mate

Off topic, Stackoverflow lately seems to have 2 types of people in masses, the idiots & the entitled... I tried getting help only to be shunned by the "smart" people there... Don't get me wrong, some have been really helpful but mostly, if you pose a L1 question, you might get shafted >_>

Coming to your question... I am probably going to be useless since I don't know what you are working with.. But I hope you have already referred to the guide given here :-

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

http://forums.xisto.com/no_longer_exists/

http://joshduck.com/blog/2008/04/05/securing-your-php-code-xss/

If these are rehashed links, please ignore.. You could add more to this topic by sharing what you know about XSS

XSS Attacks - Your Site may get hacked anytime! But, Don't Worry.. Most of the hackers are stupid... who blindly copy some instruction on some forum or mailed by some friend. a Lot of cases, We read are usually automated programs hacking different computers. I have left Pretty INSECURE CODE flying on the Web and checked the logs 2-3 years later, to find out -- not a single soul was interested in my Security HOLE. I m sure, Even you could had Hacked my Site - If you were that Borreddd n joblesss.

Well - Most of the hacking - I believe is Pretty Automated. The Hacker just wakes up to see the sites his script could infect over night and enjoys his cup of tea in the morning - checking the nice report. Now, You may Wonder why Some guys do not like to Read NewsPaper in the morning.

Why XSS - Some anti-virus guys found it Cool to name it XSS. Whats the logic behind - CROSS SITE SCRIPTING??

Its just "HACKING" an online Website. Either for 1 person information - OR - Many Peoples Database - OR - the Server Resources.

Here, is a Pictorial Representation I copied from another site that may help ...

If you think - How can a Website be Hacked ?? -- as a PHP/Asp or any Web Programmar, Knowing the Answer to this Question can prevent you from a lot of Trouble. Before I begin... I would like to say that a Hacker might not be interested in your Website .. but may be his intentions are simply to hijack your Webserver and exploit the Resources or Even use it as a Base for a Wider Attack. Ultimately, Your Server is also a Computer and hackers love computers - especially Computers with a Rocking Internet Connection.

So, a Loop Hole is what makes Hacking Possible. NOT NECESSARILY, It has to be a BUG in a software.

an Example would be - Carefully Studying the Default Configuration of PHP or APACHE (or many other softwares)

Some Values in the Default Configuration may prove really Helpful to hackers (AS THEY were probably ment for Development).

Some Attacks use the general Ignorance of Fresh Coders who are a little lazy or lack the knowledge about Securing your Variables.

Every program has an input and an Ouput.

As a Coder, You must DOUBT the values / variables that come into the code/program from the user or outside world. Most of the Variables can be Modified (eg. the HTTP referrer tag - google it to find out how it can be spoofed) Now there is no level to which you may wanna go Secure and Write those extra lines of Code to check your Data at every check-point. Well, IF Your Program hits Popularity and Half the World is using it.... Please be assured, Some jerk will take that extra effort to easily break in through your code (assuming - you have given the code to the world as open-source) - Like you Guessed, Open Source is like offering the Blue Print of your Fort to someone. It would be Ok to Say - most open source software after years of testing are Pretty Bug Free and Hacker Safe. But using Open Source is more In-Secure as He welcomes the Risk of Massive Automated attacks - Programs that were made to break your Great Open Source code!

Hence, Preventing XSS attacks is possible if you have a Good Knowledge / Experience of not only PHP but also the Server Software running PHP (eg. apache, nginx etc..)

The No. of Situations in which PHP can be abused are many many many..... Learning Each and Every Trick is Important to Secure your Code. If you find SUCH pages Googling.. Please Share! The Objective of this Topic should be to help readers with all "Common" mistakes of coding.

Anyway - Summarizing, XSS is plain hacking of websites for sensitive data. But XSS sounds very lame to me - may be because it rhymes with CSS - which is not even a REAL programming language.

Thanks velma and opaque. Agree on the stackoverflow being a uncomfortable resource to ask question these days. I checked the links velma and they are not rehashed (except the astrumfutura one). Thanks again for those links.

I am now digging a deep related to the htmlspecialchars() and mysqli.

I just realized that old mysql has more issues on the XSS side than the new mysqli and PDO. So going to switch to the new mysqli.

I have to work on OOP side of the things for PHP. Yet to get used to the prepared statements and few other things that makes coding quicker and yet requires a model.

So far I have found that -

1) I have to take care of the deprecated or the old mysql functions.

2) I have to avoid using PHP_SELF and instead redirect to another page.

3) Use ajax instead of passing the data via $_post.

4) Use mysqli prepared statement and PDO.

5) Avoid using the unsafe code within the HTML page and instead get modular with database and other code in file.

6) Check the input from the form before adding to the database (thanks to opaque for this).

I will update this thread, as I learn something interesting