nichemtktg — 2012-08-16T11:26:21-04:00 — #1
I am simulating an attack and I can't figure out why htmlspecialchars() is causing a parse error as in:
$char = htmlspecialchars("while (1) alert ("Gotcha!");",ENT_COMPAT);
cpradio — 2012-08-16T11:45:15-04:00 — #2
You need to escape your quotes around Gotcha!, like so
$char = htmlspecialchars("while (1) alert (\"Gotcha!\");",ENT_COMPAT);
nichemtktg — 2012-08-16T11:50:03-04:00 — #3
Thanks cpradio, but I was experimenting with different character combinations that a user might use accidentally or on purpose.
I've never looked specifically at how dbl quotes work their way through PHP as a form input or a hack. I just assumed they'd be processed. I know I should've known better. They don't work for me without escaping. Obviously they won't work for a user for the same reason.
I did discover that unescaped dbl and single quotes as a form input result in no data being placed in a table. I didn't know that explicitly.
I suppose that counts as a problem solved even though it wasn't ever a problem. I'll just count the last hour towards my 10,000. Am I there yet? lol
cpradio — 2012-08-16T11:56:03-04:00 — #4
If you don't mind me asking, what are you simulating an attack against? Your database?
nichemtktg — 2012-08-16T12:03:50-04:00 — #5
Yea. Nothing too rigorous or even necessarily functional. I'm just double checking what I know for a feel and what I know for a fact and deciding which characters I'll allow to be inputted. By nature I'm way too trusting and don't get or want to get the whole evil genius thing, but I know they're out there.
I suppose I'm just trying to keep the self-inflicted wounds to a minimum (second time shame on me).
cpradio — 2012-08-16T12:06:00-04:00 — #6
If you post your query execution, there are several people here who can help you secure it (if it needs it). For example, if you are using PHP, you can utilize PDO to ensure you are not susceptible to SQL injection attacks.
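What the PDO suggestion in post #6 looks like with the string from post #1, as an added example that is not code from anyone in the thread: the same quoted input is inserted once by string concatenation and once through a prepared statement, then escaped with htmlspecialchars() only when it is printed. The `comments` table, its `body` column, the sample input and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the string from post #1 plus a single quote.
// Single-quoted PHP literal, so the inner double quotes need no escaping.
$input = 'while (1) alert ("Gotcha!"); it\'s';

// In-memory SQLite keeps the example self-contained (assumed setup).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1) Concatenation: the quote characters in $input become SQL syntax,
//    so the statement no longer parses and nothing reaches the table.
$concatenated = "INSERT INTO comments (body) VALUES ('" . $input . "')";
try {
    $pdo->exec($concatenated);
    echo "concatenated insert: stored\n";
} catch (PDOException $e) {
    echo "concatenated insert: rejected: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the SQL text is fixed and the value is bound
//    separately, so quotes in $input are stored as plain data.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

$rows = $pdo->query('SELECT body FROM comments')->fetchAll(PDO::FETCH_COLUMN);
echo "rows stored: ", count($rows), "\n";
echo "round trip intact: ", ($rows[0] === $input ? 'yes' : 'no'), "\n";

// 3) Escape for HTML at output time, not before storage. ENT_QUOTES also
//    encodes single quotes, which ENT_COMPAT leaves untouched.
foreach ($rows as $body) {
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8'), "\n";
}
```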
nichemtktg — 2012-08-16T12:11:03-04:00 — #7
Thanks, I'll do that when I'm ready. Do I post it in the PHP forum?
cpradio — 2012-08-16T12:13:47-04:00 — #8
Yes, if your code is PHP, put it there. We won't need to see any connection details, just the code you are using that queries your database.
nichemtktg — 2012-08-16T12:20:49-04:00 — #9