Create php ssl login that stops Cross Site Scripting, Secure Cookie

DMCKIB88
My SSL PHP login allows Cross Site Scripting, despite the recommended changes:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &apos;
Remove " input and replace with &#x22;
Remove ) input and replace with &#x29;
Remove ( input and replace with &#x28;
I need help in placing these, as they cause the code to show up on the page.
Cookie is lacking secure attributes.
Being new has not helped - it seems more people want to inject script into this than I can find help.
My site was hacked into, please help!
<div id="apDiv19">
  <form action="<?php echo $loginFormAction; ?>" method="POST" name="form1" id="form1" onsubmit="WAValidateEM(document.forms[0].userid,document.forms[0].userid.value,'- Invalid email address',document.forms[0].userid,1,true);WAValidateRQ(document.forms[0].userpassword,'- Entry is required',document.forms[0].userpassword,1,false,'password');WAAlertErrors('The following errors were found','Correct invalid entries to continue',true,false);return document.MM_returnValue">
    <span id="sprytextfield1">
    <label>
<input name="userid" type="text" class="textfieldFocusState" id="userid" value="<?php echo((isset($_COOKIE[""]))?$_COOKIE[""]:"") ?>" size="24" maxlength="50" />
<span class="BlueB14Verdana">E-Mail</span></label>
    <span class="textfieldRequiredMsg">A value is required.</span></span>
    <p><span id="sprypassword1">
    <label>
      <input name="userpassword" type="password" class="passwordFocusState" id="userpassword" value="<?php echo((isset($_POST["userpassword"]))?$_POST["userpassword"]:"") ?>" size="24" maxlength="10" />
    </label>
    <span class="BlueB14Verdana">Enter</span></span></p>
    <p>
      <label class="BlueB14Verdana">
<input name="submit" type="submit" class="textfieldRequiredState" id="submit" value="Submit" />
Login</label>
    </p>
    <p>&nbsp; </p>
    <p>&nbsp;</p>
  </form>
  </div>

The first rule is: do not print ANYTHING that the user can submit to the form (using POST or GET - both can be changed) without checking / cleaning it first.

<?php echo $loginFormAction; ?>

This prints whatever is in that variable.  Where are you getting this from?  Is it submitted with the form or just set further up?
You need to look at everything you print and clean it either using a standard PHP function or your own function.
It is also worth limiting the size of passed parameters, and by this I do not mean having a 'LENGTH=10' type parameter in the form, as this can also be changed.  When you read in the variable, if you know that the username or number of items or whatever should be under 11 characters, then you can pull a substring of the first 10 characters if it is longer than that and only print that.  This would make coding XSS very hard, as it would limit the size of any add-on code.

I normally have a function called 'cleanup' or something like that where you can pass the string to be cleaned and the max length, and it does both:

$username = cleanup($_POST['username'] , 10);

Author

Commented:
I created this through dreamweaver. The PCI test does not pass for VISA. The recommended changes they made just show the code in the form. The form is being submitted to Mysql. Just to make sure that I have given you enough information I am adding this. Could not find anything online with a login that stopped Cross Site Attack. Seems it should be easier, but I have just found nothing to pass. Thought I would make sure that I explained, before testing. Been reading codes from other sites even this experts-exchange. Login is the first thing we do yet nothing passes. Thanks.
If you are using the data in the form to compose mysql statements (for example to see if the username / password are correct by comparing them to the database) you need to protect against sql injection.
The same advice stands: anything that the user has entered or could change should be considered suspect and should be cleaned and shortened before being used.

There are whole books on this subject, so I'm not going to try to answer it all in here.

http://www.google.com/search?q=sql+injection+php
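As an added example, not code from the question or from either reply: the 'cleanup' helper the first reply describes (escape plus truncate), together with the Secure/HttpOnly cookie flags and the bound-parameter database lookup that address the cookie and SQL injection points raised above. It assumes a PDO connection $pdo and a users table with email and password_hash columns, which are hypothetical.

```php
<?php
// Added example, not the original form's code. Assumes $pdo (a PDO
// connection) and a hypothetical users(email, password_hash) table.

// Truncate first, then escape for HTML output. The length limit is
// applied to the raw input, not to the form's maxlength attribute,
// which the client can change. ENT_QUOTES covers both ' and ".
function cleanup(string $value, int $maxLength): string {
    $value = mb_substr(trim($value), 0, $maxLength);
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Cookie hardening: the session cookie is only sent over HTTPS, is not
// readable by JavaScript, and is not attached to cross-site requests.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Raw, length-limited value for the database; escaped copy for display.
// Escaping is an output concern, so the escaped string never reaches SQL.
$rawUserid = mb_substr(trim($_POST['userid'] ?? ''), 0, 50);
$userid    = cleanup($rawUserid, 50);
$password  = $_POST['userpassword'] ?? '';   // never echoed back

// Bound parameter: the value is never concatenated into the SQL string,
// so quotes inside it cannot change the query.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
$stmt->execute([':email' => $rawUserid]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);        // new session id after login
    $_SESSION['user'] = $rawUserid;
    header('Location: /home.php');      // hypothetical landing page
    exit;
}
$errorMessage = 'Login failed';
?>
<p><?php echo htmlspecialchars($errorMessage, ENT_QUOTES, 'UTF-8'); ?></p>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
  <input name="userid" type="text" value="<?php echo $userid; ?>" maxlength="50" />
  <input name="userpassword" type="password" value="" maxlength="10" />
  <input type="submit" value="Submit" />
</form>
```

The action attribute is escaped too, because $_SERVER['PHP_SELF'] can carry attacker-controlled path text just like a form field.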

Author

Commented:
I will need to research more, but this is a very good direction. Thanks.
