
I have been trying to pass this value:

// Content to submit to php
Others string here. And this link:
http://www.youtube.com/watch?v=CUUgKj2i1Xc&feature=rec-LGOUT-exp_fresh+div-1r-2-HM

to a PHP page and insert it into the database. Here is my current code:

... // javascript

var content = $("#mcontent").val();
$.ajax({
    url : '<?php echo PATH; ?>functions/save.php',
    type: 'POST',
    data: 'id=<?php echo $_GET['id']; ?>&content=' + content + '&action=save&val=<?php echo md5("secr3t" . $_SESSION['userid_id']); ?>',
    dataType: 'json',

    success: function(response) {
        if (response.status == 'success') {
            alert(response.message);
        } else {
            alert(response.message);
        }
    }
});

No errors, actually, but what gets saved in the database is:

Others string here. And this link:
http://www.youtube.com/watch?v=CUUgKj2i1Xc

I guess I know what the problem is. The problem is this:

http://www.youtube.com/watch?v=CUUgKj2i1Xc&feature=rec-LGOUT-exp_fresh+div-1r-2-HM

I think it takes the "&feature=" as another POST parameter. What I have tried:

But neither works. Do you have any other way?

EDIT:

Do you foresee any other problems that might occur? The content is typed/written by the user, meaning that the user can type/write anything. On the back end, I did other checks, though, including "mysql_real_escape_string".

gevorg
  • ``? **Danger**: You have an XSS security vulnerability. Do not include user data without converting it to the language you are using! In this case JavaScript, followed by checking that `</script>` is converted to `<\/script>` if it appears in the string. – Quentin Nov 16 '10 at 07:24
  • Thanks for the warning, David. So, to know which user is posting it, I should store it in a $_SESSION variable? Please advise – webdeveloper_1989 Nov 16 '10 at 07:28
  • A session variable is a sensible place to store a user id, yes. – Quentin Nov 16 '10 at 12:17

2 Answers


Learn escaping. You're vulnerable to XSS. In this case, your data are part of a URL, so you have to urlencode() it.

var content = $("#mcontent").val();
$.ajax({
    url : '<?php echo PATH; ?>functions/save.php',
    type: 'POST',
    // The PHP side is encoded with urlencode(); on the JavaScript side the
    // equivalent is encodeURIComponent() (there is no urlencode() in JS), so
    // '&', '=', '+' and '#' inside the content no longer split the body.
    data: 'id=<?php echo urlencode($_GET['id']); ?>&content=' + encodeURIComponent(content) + '&action=save&val=<?php echo md5("secr3t" . $_SESSION['userid_id']); ?>',
    dataType: 'json',

    success: function(response) {
        if (response.status == 'success') {
            alert(response.message);
        } else {
            alert(response.message);
        }
    }
});

Note: I assume that PATH does not contain special characters like ' and \. Since $_SESSION['user_id'] is md5-ed, it does not need to be escaped because it's safe (md5 returns a string with fixed length 32, containing only 0-9 and a-f).

gevorg
Lekensteyn
  • Is there any JavaScript for urlencode? This: ... &content=' + urlencode(content) + '&action=save&val... is in JavaScript. Yesterday I tried similar things, which is passing a JavaScript variable to PHP; after a bit of googling, without AJAX it's impossible – webdeveloper_1989 Nov 16 '10 at 07:29
  • Could you explain more about the XSS attack in my case? I should not pass the $_GET['id'] as David said (in the question's comment) – webdeveloper_1989 Nov 16 '10 at 07:32
  • A close JavaScript equivalent for urlencode is `encodeURIComponent` (note: a space becomes `%20`, not `+`). In your old code, you could just open `yourpage.php?id=` to see the XSS effect. For posting a form, take a look at http://api.jquery.com/jQuery.post/ – Lekensteyn Nov 16 '10 at 07:48
  • Thanks. It works now. And I am reading about the XSS attack now. If I remember right, Twitter was attacked by XSS not long ago. Any golden advice for a newbie like me? – webdeveloper_1989 Nov 16 '10 at 08:06
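The truncation in the question and the fix in this answer, as an added example that is not code from the question or the answer. It runs under Node.js with built-ins only: `URLSearchParams` decodes a request body the same way PHP fills `$_POST` from an application/x-www-form-urlencoded request, so `parseBody` stands in for what save.php would receive. The field names are the question's; the sample content string is constructed from the question's text, and the `demo` and helper names are this example's own.

```javascript
// Added example (not code from the original question or answers). It reproduces
// the bug in the question and the fix in this answer with Node.js built-ins only:
// URLSearchParams decodes a body the same way PHP fills $_POST from an
// application/x-www-form-urlencoded request.

// Constructed sample of what a user typed into #mcontent.
const SAMPLE_CONTENT =
  "Others string here. And this link:\n" +
  "http://www.youtube.com/watch?v=CUUgKj2i1Xc&feature=rec-LGOUT-exp_fresh+div-1r-2-HM";

// The question's approach: plain string concatenation, nothing encoded.
function buildNaive(fields) {
  return Object.keys(fields).map(k => k + "=" + fields[k]).join("&");
}

// Encode every key and value: '&', '=', '+', '#' and line breaks inside a value
// stop being structural characters of the query string. This is the JavaScript
// counterpart of PHP's urlencode() (spaces become %20 rather than '+').
function buildEncoded(fields) {
  return Object.keys(fields)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// Decode a request body into the key/value map the server-side script sees
// ('+' becomes a space, %XX sequences are decoded, split on '&' then first '=').
function parseBody(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// Returns what save.php would receive for both ways of building the body:
// the naive body loses everything after "&feature=" and gains a bogus
// "feature" field; the encoded body round-trips the content unchanged.
function demo() {
  const fields = { id: "42", content: SAMPLE_CONTENT, action: "save" };
  return {
    naive: parseBody(buildNaive(fields)),
    encoded: parseBody(buildEncoded(fields)),
  };
}

console.log(demo());
```

Passing a plain object as jQuery's `data` option does the same thing as `buildEncoded` (jQuery serializes it with `$.param`), which is why the other answer recommends it over building the string by hand.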

A nice thing about jQuery is that the data parameter can take a JS object, so you don't need to try to build a query string manually.

<?php
    // Build the fixed fields server-side and hand them to JavaScript as one
    // JSON literal; json_encode() produces a valid JS object literal.
    $data = array("id"     => $_GET['id'],
                  "action" => "save",
                  "val"    => md5("secr3t" . $_SESSION['userid_id'])
                 );
    $json_data = json_encode($data);
    // Make sure the literal can never close the enclosing <script> element
    // (str_ireplace takes search, replace, subject in that order).
    $json_data = str_ireplace('</script>', '<\/script>', $json_data);
    echo "var data = $json_data;";
?>
var content = $("#mcontent").val();
data.content = content;
$.ajax({
            url : '<?php echo PATH; ?>functions/save.php',
            type: 'POST',
            data: data,          // jQuery serializes the object and URL-encodes each field
            dataType: 'json',
            success: function(response) {
                alert(response.message);
            }
});
Quentin
  • Hi David, thanks for the awesome solution (why did I never think of it!!). But didn't you say passing $_GET['id'] is dangerous? What's the better method of passing the user id? – webdeveloper_1989 Nov 16 '10 at 07:35
  • Just stripping ` – Lekensteyn Nov 16 '10 at 07:50
  • Thanks. It works now. And I am reading about the XSS attack now. If I remember right, Twitter was attacked by XSS not long ago. Any golden advice for a newbie like me? – webdeveloper_1989 Nov 16 '10 at 08:07
  • An attacker can, for example, say: `foo.php?id=function_to_send_to_attacker(document.cookie)`; and give the link to someone. This technique allows an attacker to do **anything** the user can do with all the credentials of that user. The golden rule is: **Escape all data for the language it is being used in** – Quentin Nov 16 '10 at 12:17
  • Just escaping is ignoring the problem. Validating is the keyword. If you know that a field should contain numbers only (e.g. phone number), you should make sure that it only contains numbers, and nothing else. There are two ways for this, removing illegal characters (sanitizing), using [preg_replace()](http://php.net/preg_replace) or denying illegal content (validating) using a function like [ctype_digit()](http://php.net/ctype_digit). For `$_GET`, `$_POST` and `$_COOKIE` input, it's recommended to use [`filter_input()`](http://php.net/filter_input). – Lekensteyn Nov 16 '10 at 15:29
  • Often it is better to be permissive. I've seen sites reject people because their name was "O'Reilly", "Woodward-Court" or "Le Guin" (since why would a surname include a space, apostrophe or hyphen?) – Quentin Nov 16 '10 at 16:06
  • @W92 — Why do you consider being case insensitive "a mistake" there? – Quentin Jun 19 '16 at 16:17
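The script-context XSS that the comments describe (`foo.php?id=...` breaking out of the `'id=<?php echo $_GET['id']; ?>'` string) next to the JSON-based templating this answer proposes, as an added example that is not code from the answer or the question. It is written for Node.js so that both the vulnerable and the hardened templating step can be executed offline: `JSON.stringify` stands in for PHP's `json_encode()`, and the `<`/`>` escaping in `jsLiteral` stands in for the answer's `str_ireplace` of `</script>` (PHP's `json_encode` can do the same with its `JSON_HEX_TAG` flag). The payloads, the fake `document`, the `stolen` sink and all function names are constructed for this example.

```javascript
// Added example (not code from the original answer). Vulnerable vs. hardened
// server-side templating of a value into inline JavaScript, run with Node.js.

// Constructed attacker-controlled values, e.g. from ?id=... in a link sent to a
// logged-in user. The first breaks out of a single-quoted JS string; the
// second breaks out of the <script> element at the HTML level.
const EVIL_ID = "';stolen.push(document.cookie);//";
const EVIL_ID_TAG = "</script><script>stolen.push(1)</script>";

// The question's pattern: splice the raw value into a single-quoted JS string.
function naiveTemplate(id) {
  return "var data = 'id=" + id + "&action=save';";
}

// JSON.stringify yields a valid JS literal for any input value. Escaping '<'
// and '>' additionally makes it safe inside an inline <script> element, because
// "</script>" can then never occur in the output. U+2028/U+2029 are escaped
// because older engines treat them as line terminators inside string literals.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The answer's pattern: fixed fields become one JSON object literal.
function safeTemplate(id) {
  return "var data = " + jsLiteral({ id: id, action: "save" }) + ";";
}

// Execute generated script text the way a browser would, with a fake document
// and a sink the payload can write to. Returns the value of "data" plus
// whatever the payload managed to exfiltrate.
function runAsPage(scriptText) {
  const stolen = [];
  const fn = new Function("document", "stolen", scriptText + "\nreturn data;");
  const data = fn({ cookie: "session=abc123" }, stolen);
  return { data: data, stolen: stolen };
}

console.log("naive:", runAsPage(naiveTemplate(EVIL_ID)));
console.log("safe :", runAsPage(safeTemplate(EVIL_ID)));
```

The first payload shows the cookie theft Quentin's comment describes: with the naive template the attacker's statement runs and the rest of the line is commented out; with `jsLiteral` the same bytes arrive in `data.id` as inert string content. The second payload never reaches the JS engine at all in a real page, because the HTML parser closes the `<script>` element at `</script>`, which is why the output must not contain that sequence, not merely be valid JavaScript.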