PHP Introduction | Form Submission Basics | The First Step in Security Measures: XSS Defense

Submitting a form and processing it on the server is your first step into server-side programming. What is the next thing you must do? It is to close the holes in the program you just made.

Providing a program on a server means that an unspecified number of people will access that server and run that program. In other words, you become responsible for ensuring that the program runs safely for everyone who accesses the server. If users suffer any damage because of that program, the responsibility belongs to the developer who created it.

Of course, this does not mean that you must prepare every possible security measure from the beginning. However, at least the minimum basic safety measures should be among the first things you learn when you start creating programs.

The example program you just made has a large hole in it. Let us check that hole. Access the previous page in a browser and send the following text.

<script>alert("This is the hole!");</script>

When you submit it, an alert window appears on the screen. (Recent browsers may automatically block this and display a warning message instead.) This happens because the script typed into the input field is echoed back into the page unchanged, so the browser executes it when the page loads. Why is this a hole? Because someone you do not know can write a JavaScript script there and have it executed whenever the page is displayed.

For example, suppose you made a bulletin board program like this. A person who accesses it secretly posts a JavaScript script in the same way. Then the script runs for everyone who later accesses that bulletin board when it is displayed. What if the script contained processing such as “get the cookie information stored in the browser and send it to another site”? The cookie information of visitors could be stolen by unknown people.

Crimes such as impersonation (spoofing) can happen this way. This script-based method is widely known as cross-site scripting, or XSS, one of the most basic forms of attack on a website.

Now let us close this hole. The first security measure is actually surprisingly simple. Just rewrite the echo statement that displays text on the screen as follows.

<?php
    // ENT_QUOTES also escapes single quotes; 'UTF-8' matches the page's charset.
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
?>

The htmlspecialchars function takes the value written in parentheses (called an argument) and returns it with the characters that have special meaning in HTML, such as <, >, & and the double quote, converted into HTML entities like &lt; and &gt;. The browser then shows those characters as ordinary text instead of interpreting them as markup, so a string such as <script> is displayed harmlessly and never runs.

When using forms, there is a strict rule for security: never output data sent from users directly to the screen. Because you cannot know what it contains, the basics of form handling are to always convert it into a form that is safe to display before outputting it.
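The output-escaping rule above, carried through as an added example that is not part of the original tutorial or its code. It assumes PHP 8 and UTF-8 input, as the tutorial's page uses; the helper names e(), renderMessage() and renderForm(), and the sample inputs, are this example's own. Beyond the single echo on this page, it also shows the same escaping applied when the submitted text is put back into the input field's value attribute, where quotes matter as much as angle brackets.

```php
<?php
// Added example, not code from the original tutorial: an output-escaping helper
// for the form on this page, plus a self-check that runs from the command line
// (php escape_demo.php). Assumes UTF-8 input, as the tutorial's page does.
declare(strict_types=1);

/**
 * Escape text for insertion into HTML content or a quoted attribute value.
 * ENT_QUOTES also converts single quotes (before PHP 8.1 the default flags
 * left them alone); ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of
 * returning an empty string, so broken input cannot silently blank the page.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The tutorial's message, built from raw input and escaped only at output. */
function renderMessage(string $text): string
{
    if ($text === '') {
        return 'Nothing was written.';
    }
    return "You wrote '" . e($text) . "'.";
}

/** The form, re-populating the field: attribute values need escaping too. */
function renderForm(string $previous): string
{
    return '<form method="post" action="./index.php">'
         . '<input type="text" name="text1" value="' . e($previous) . '">'
         . '<input type="submit">'
         . '</form>';
}

// Constructed inputs (hypothetical, for this check): the probe string the page
// uses, a value containing both quote kinds and an ampersand, and harmless
// text with a non-ASCII character that must pass through unchanged.
$cases = [
    '<script>alert("This is the hole!");</script>'
        => '&lt;script&gt;alert(&quot;This is the hole!&quot;);&lt;/script&gt;',
    "O'Brien said \"hi\" & left"
        => 'O&#039;Brien said &quot;hi&quot; &amp; left',
    'Hello PHP! 안녕'
        => 'Hello PHP! 안녕',
];

$failures = 0;
foreach ($cases as $raw => $expected) {
    $got = e($raw);
    $ok = ($got === $expected);
    $failures += $ok ? 0 : 1;
    printf("%s  %s\n      -> %s\n", $ok ? 'OK  ' : 'FAIL', $raw, $got);
}

// The escaped payload reaches the browser as text; the HTML parser never sees
// a <script> element, so nothing runs.
echo "\n", renderMessage('<script>alert("This is the hole!");</script>'), "\n";
echo renderForm("O'Brien"), "\n";

exit($failures === 0 ? 0 : 1);
```

Run it with php escape_demo.php; it exits non-zero if any case does not escape as expected. Note that htmlspecialchars is the right tool only for HTML text and quoted attribute values: a value placed inside a JavaScript block, a URL, or a style rule needs the encoding appropriate to that context instead.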

<?php
    // The null-coalescing operator keeps the first visit (a GET request with
    // no text1 field) from raising an "undefined array key" warning.
    $str = $_POST['text1'] ?? '';
    if ($str !== '') {
        // $result still holds the raw user text; it is escaped at output time below.
        $result = "You wrote '{$str}'.";
    } else {
        $result = "Nothing was written.";
    }
?>
<!DOCTYPE html>
<html lang="ko">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title>sample page</title>
    </head>
    <body>
        <h1>Hello PHP!</h1>
        <div><?php
            // ENT_QUOTES also escapes single quotes; 'UTF-8' matches the page charset.
            echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
        ?></div>
        <form method="post" action="./index.php">
            <input type="text" name="text1">
            <input type="submit">
        </form>
    </body>
</html>