At 2:46 PM -0400 4/18/11, Daniel Brown wrote:
On Mon, Apr 18, 2011 at 14:42, tedd <> wrote:

 No, I had a simple form where IF the user entered:

 <script> alert("Evil Code");</script>

 -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit,
 the form would

 echo( $_POST['text'] );

 -- and that would produce a JavaScript Alert.

 Here's the form:

 It was a simple working example of JavaScript Injection. But it no longer
 works and I want to find out why. The most popular reason thus far is
 "Browsers have changed", but I'm not sure as to what did change.

    Look at the post-processing source --- note the slashes.  Apply
stripslashes() to the output on the PHP side and all should be right
again with the world.

</Daniel P. Brown>

Daniel et al:

Sorry -- I'm not making myself clear.

The form "as-is" produced a javascript alert() and now it doesn't.

It doesn't make any difference if I use stripslashes() or not, it still will NOT produce a javascript alert as it used to do.

Seriously, try this:


$insecure = $_POST['insecure'];
//$insecure = stripslashes($insecure);

<h1>tedd's Secure v Insecure form demo</h1>

Enter (cut/paste the red) <br/><span class="red"> &lt;script> alert("Evil Code"); &lt;/script></span><br/> in the field below
and see what happens. The red is javascript code.

<form method="post" action="index.php">
Field: <input type="text" size=60 name="insecure">
<input type=submit value="Submit Post">


if ($insecure != null)
echo("<p>This is what you entered:</p>");
echo("Input: $insecure");
$insecure = htmlentities($insecure);
echo("Input after htmlentites: $insecure");

<?php include('../includes/footer.php'); ?>

You can un-comment the stripslashes() function and it will still not produce a javascript alert.




PHP General Mailing List (
To unsubscribe, visit:

Reply via email to