
<script> tag not being processed in textarea

Hello,

To demonstrate an XSS attack, I am building a web app which does the following:

1. Works like a forum
2. Takes posts from users via an HTML textarea and stores these messages in the MySQL db
3. Displays all posts from the users on a thread. The objective is to show an XSS attack such as

    alert("attack");

due to insufficient filtering of the input.

I am using a MySQL db with Apache and PHP.

On entering the following input into the textarea:

    <script>alert("attack");</script>

The data is just not being added to the DB and the $_POST method in the page which stores the posts into the database is returning an empty string. However, all other cases are working. I have so far not used any special functions used for input filtering in PHP, as this is an app to demonstrate XSS.

However, on manually adding the above script into the DB, the expected alert box pops up.

Anyone knows what's going on?
Apr 9 '11 #1
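As an added example that is not part of the original post, here is the display side of the forum described above written in PHP: a vulnerable thread renderer that echoes stored post bodies straight into the page, beside a hardened one that escapes them for the HTML text context. The `$posts` array, the `author`/`body` column names and the function names are assumptions made for the example; the rows are constructed sample data standing in for what a `SELECT` from the posts table would return, so the script runs from the command line with no database.

```php
<?php
// Added example (not from the original post): the display half of the
// forum described above, in a vulnerable and a hardened form. The $posts
// array below is constructed sample data standing in for rows read from
// the MySQL posts table.
declare(strict_types=1);

// Escape a value for the HTML text context. ENT_QUOTES covers both quote
// characters, ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying
// the output, and the explicit charset stops the browser sniffing another.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the stored body is written into the page unchanged, so a
// post containing <script>alert("attack");</script> runs in the browser of
// every reader of the thread (stored XSS). This is what the demo app
// wants to show.
function render_thread_vulnerable(array $posts): string
{
    $html = '';
    foreach ($posts as $p) {
        $html .= "<div class=\"post\"><b>{$p['author']}</b>: "
               . nl2br($p['body']) . "</div>\n";
    }
    return $html;
}

// Hardened: every untrusted value is escaped for the context it lands in
// (HTML text). Escape first, then nl2br, so the <br /> tags that nl2br
// inserts are the only markup that survives from the post body.
function render_thread_escaped(array $posts): string
{
    $html = '';
    foreach ($posts as $p) {
        $html .= '<div class="post"><b>' . esc($p['author']) . '</b>: '
               . nl2br(esc($p['body'])) . "</div>\n";
    }
    return $html;
}

// Constructed sample rows (assumed columns: author, body).
$posts = [
    ['author' => 'alice',   'body' => "Hello\nforum"],
    ['author' => 'mallory', 'body' => '<script>alert("attack");</script>'],
    // A payload that needs no <script> tag at all, so filtering on that
    // one tag name would not stop it:
    ['author' => 'mallory', 'body' => '<img src=x onerror=alert(document.cookie)>'],
];

if (PHP_SAPI !== 'cli') {
    // Declare the charset on the real page; the escaper above assumes UTF-8.
    header('Content-Type: text/html; charset=UTF-8');
}

echo "--- vulnerable ---\n", render_thread_vulnerable($posts);
echo "--- escaped ---\n",    render_thread_escaped($posts);
```

Run it with `php render_demo.php`: in the vulnerable output the `<script>` and `<img onerror>` payloads appear verbatim and would execute in a browser, while in the escaped output they come out as `&lt;script&gt;…` and `&lt;img …&gt;` and render as literal text. Note that `esc()` is only correct for the HTML text context; a value placed inside an attribute, a `<script>` block or a URL needs the encoder for that context, and no output escaping removes the need for a parameterised `INSERT` on the storage side.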
This worked well on MySQL v5.5.8

    <?php
    // Store the submitted name. The value is kept unescaped on purpose
    // (this is an XSS demo), but it is passed to MySQL as a bound
    // parameter so the demo is not also an SQL injection hole.
    if (isset($_POST['name'])) {
        $name = $_POST['name'];
        $dbc = mysqli_connect('localhost', 'root', '', 'test')
            or die("Error connecting database...");
        $stmt = mysqli_prepare($dbc, "INSERT INTO test (name) VALUES (?)")
            or die("Error preparing query.");
        mysqli_stmt_bind_param($stmt, 's', $name);
        mysqli_stmt_execute($stmt) or die("Error querying database.");
        echo "Successfully inserted.";
    }
    ?>
    <html>
    <head>
    <title>Hack It</title>
    </head>
    <body>
        <!-- PHP_SELF is escaped: echoing it raw is itself a reflected XSS vector -->
        <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
        <input type="text" name="name">
        <input type="submit" value=" Submit " name="submit">
        </form>
    </body>
    </html>

Hey, remember not to use this code for hacking innocent people.
Apr 12 '11 #2