I just noticed security breaches in one of my old .php files
I'm taking GET input and displaying it on the page without any check.

This is something I coded in the distant past, but I still use this .php file and I would like to improve its security. Could you explain to me some more about the security issues involved with displaying this GET input directly on the page and how I can deal with them?

The page is http://www.top-download.net/viewer.php?i=images/sotd/2005-07-26.jpg&l=http://www.gamershell.com/download_7886.shtml&n=Half-Life%202&loc=1

    If it REALLY is only displaying it, and not doing anything with the database, you should be fairly safe. The big issues come into play when databases are used.

    J.

      Yep, no databases are used. I'm safe for that part, I think.

      If the input is in echo statements, would they be able to execute PHP?
      And what about cookies?

        lajkonik86 wrote:

        I'm taking GET input and displaying it on the page without any check.

        Not good 🙁
        You should always validate your input. Make sure it is within the allowed values and follows whatever special format may be required. Use addslashes, mysql_escape_string, or other similar functions.

          Yes, I know it ain't good 🙁

          addslashes would prevent most harm.
          Still a bit worried about one value which is in an href="".
          Wouldn't that enable them to create a link to my site, which would send them the cookies of my users if they visit it?

            lth2h wrote:

            Not good 🙁
            You should always validate your input. Make sure it is within the allowed values and follows whatever special format may be required. Use addslashes, mysql_escape_string, or other similar functions.

            Sorry, but I disagree. The stuff which is submitted is not interpreted, until you tell the browser to do so. The submitted values are treated as text, and not compiled by PHP. The problem comes when you start using a database, because THEN the code is interpreted -> by your database engine, to be exact. That is when addslashes etc. becomes an issue.

            So if I would submit "print_r($_SESSION);\n\r echo"$username $password $security";"
            then exactly that would be echoed out if nothing else happens. As for cookies: your cookies are on the user's HD and always readable if people want. Do not store sensitive data in them.

            My 2 cents; anyone please correct me if I am wrong.

              Is there anything stopping someone from embedding Javascript into their text so that it runs when the page is displayed? You don't trust user input any more than you trust your users.

                Hi Weedpacket,

                OK. Yes, they can do that. But how is that going to be a security risk for your site? What am I missing?

                  Well, my knowledge about this is limited,

                  but if somebody created the GET link in such a way that it puts JavaScript on the page which, when activated, sends cookie data to his email address, he could effectively get access to any account for which he gets people to click the link.

                    Yup; such as including a porn popup, or a redirection to a site of their own choice, or arbitrary rewriting of the page's contents... and they wouldn't have to fit all that into a query string, either.

                      Wouldn't 'embedding JavaScript into their text' only affect their access to the page and not everyone's access to the page, since JavaScript is client-side? Whatever they pass to $_GET will be displayed on their screen. If they input JavaScript they will see the effect of the script but no-one else will.

                      Am I missing something?

                        Oh, yes, that's true. I was assuming for some reason that their contributions would get stored for display to someone else for some reason.

                          leatherback wrote:

                          Hi Weedpacket,

                          OK. Yes, they can do that. But how is that going to be a security risk for your site? What am I missing?

                          Something like this could be used as a Trojan Horse.

                          By simply displaying form input, you invite anyone to add their client-side scripting to your site. So, an attacker could create a simple HTML form on your page (which looks exactly like yours) which sends the login details to him. Alternatively, he could read/write your site's cookies, which again could lead to identity theft.

                          For further reading, google for "cross site scripting".
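As an added illustration (not code from the thread or from the viewer.php page linked in the question), here is the reflected-echo pattern the thread is discussing next to a hardened version. The parameter names i, l and n are taken from the quoted viewer.php URL; the helper function names are my own, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not the original viewer.php. Parameter names i, l, n follow the
// URL quoted in the question; esc/safe_link/safe_image/render_* are my own names.

// Vulnerable pattern: $_GET values are echoed straight into the markup, so a
// query string carrying a <script> tag, or a closing quote inside href="",
// becomes part of the page and runs in whoever opens the link (reflected XSS).
function render_unsafe(array $get): string
{
    return '<a href="' . $get['l'] . '">' . $get['n'] . '</a>'
         . '<img src="' . $get['i'] . '">';
}

// Hardened version: every input is treated as text, never as markup.
function esc(string $s): string
{
    // ENT_QUOTES also encodes ' and " so a value cannot break out of an attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_link(string $url): ?string
{
    // Only absolute http(s) URLs go into href; javascript: and data: are refused.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function safe_image(string $path): ?string
{
    // The image must stay under images/sotd/ and be a plain filename (no "..", no quotes).
    return preg_match('#^images/sotd/[A-Za-z0-9_-]+\.(jpg|png|gif)$#', $path) ? $path : null;
}

function render_safe(array $get): string
{
    $name = esc($get['n'] ?? '');
    $link = safe_link($get['l'] ?? '');
    $img  = safe_image($get['i'] ?? '');
    $out  = $link === null ? $name : '<a href="' . esc($link) . '">' . $name . '</a>';
    if ($img !== null) {
        $out .= '<img src="' . esc($img) . '" alt="' . $name . '">';
    }
    return $out;
}

// Constructed input (not a real request): a script tag in i and a javascript: URL in l.
$input = ['i' => '"><script>alert(1)</script>', 'l' => 'javascript:alert(1)', 'n' => 'Half-Life 2'];
echo render_safe($input);   // the bad values are dropped; the name appears as escaped text
```

Escaping on output with htmlspecialchars is what stops the injected markup; addslashes and mysql_escape_string only matter for data that reaches a database, which is the distinction the thread goes back and forth on.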
