Why is echoing HTML through PHP a security risk with cookies?

I'm relatively new to PHP and was hoping you could help me understand why you should sanitize HTML when it is echoed, especially if the data comes from a cookie.

ie instead of

<h3>Hello, <?php echo $_COOKIE['user']; ?>!</h3> 

you have to do

<h3>Hello, <?php echo htmlspecialchars($_COOKIE['user']); ?>!</h3> 

This is what I understand.

Cookies are stored on the client side; therefore this is a security risk, since the data in them can be changed / modified by malicious users (lol @evil).

But since the cookie is stored on the client side, this means that the client can only change his own cookie, which means that if he adds some malicious code to $_COOKIE['user'], when the cookie is read the malicious code will be shown to only one user (the one who changed the cookie in the first place) and no one else!? So what's the problem?

+4
6 answers

You assume that the user has changed his own cookie. Cookies can be modified by third parties (Edit: using additional software; third-party websites cannot modify cookies directly). This would allow someone to inject malicious code into the user's browser by changing their user interface, potentially creating additional risk for your code.

+7

Instead of just looking at the security aspect, there is the user aspect. The code that you present is not very useful for security, because the risk in this case is very high, but if the username can contain a quote or a >, the user will not understand why his username is not displayed correctly.

Using such code guarantees that you correctly display the username (and add additional security), no matter what characters you allow during the registration process.

+3

This is not very dangerous in this situation, but this situation rarely occurs in real life. You should do it anyway.

  • Consistency: if you don't escape it now, then when you change it to something else you can open a security hole.
  • User experience: just because the cookie contains HTML doesn't mean it was an attempt at XSS. What if someone's name was &amp;? I was thinking of changing my name to &amp;.
+2

The user can inject a script into his own page by changing the cookie. That fact alone should be enough to make you think.

-1
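The two snippets from the question side by side, as an added example (this is not code from the question or from any of the answers above) that also shows the display problem the second and third answers raise. Assumptions: the page is UTF-8, the script is run from the PHP CLI, and the cookie values in it are constructed stand-ins for $_COOKIE['user']. The explicit ENT_QUOTES | ENT_SUBSTITUTE flags and the 'UTF-8' charset argument are additions; the question's snippet relied on the defaults. One further point on the question's premise: a cookie is not necessarily set only by its owner. Any page on a sibling subdomain, or anyone who can inject a plain-HTTP response for the site, can set a cookie that the browser will then send to your page, so the value in $_COOKIE is attacker-controlled input like any other.

```php
<?php
// Added example, not part of the original question or answers.
// Run with: php greeting.php

declare(strict_types=1);

// Vulnerable form from the question: the cookie value is dropped into the
// page unchanged, so any markup it contains becomes part of the page.
function greetingUnsafe(string $user): string
{
    return "<h3>Hello, {$user}!</h3>";
}

// Hardened form: encode for an HTML text context.
//  - ENT_QUOTES also encodes both quote characters, needed if the value
//    ever lands inside an attribute.
//  - ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD; without it, PHP
//    before 8.1 returns an empty string for the whole value.
//  - The charset is pinned so the result does not depend on php.ini.
function greetingSafe(string $user): string
{
    $escaped = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h3>Hello, {$escaped}!</h3>";
}

// Constructed sample values standing in for $_COOKIE['user'].
$samples = [
    'alice'                                    => 'plain name',
    'Tom & Jerry'                              => 'legitimate name containing &',
    'x<script>alert(document.cookie)</script>' => 'markup written into the cookie',
    "\xC3\x28"                                 => 'invalid UTF-8',
];

foreach ($samples as $value => $label) {
    echo "== {$label}\n";
    echo "unsafe: " . greetingUnsafe($value) . "\n";
    echo "safe:   " . greetingSafe($value) . "\n\n";
}
```

Two caveats a practitioner would add: htmlspecialchars() encodes for an HTML text or quoted-attribute context only, so a value placed inside a <script> block, a URL or an unquoted attribute needs a different encoder; and the encoding has to happen at output time, not when the cookie is set, because the client can rewrite the cookie afterwards.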

Imagine that you are really creating a website that stores a lot of data in user cookies.

It is possible that some data in the cookie is used by your site to build an SQL query, which can lead to errors if a user or another site changes your cookie in a bad way.

Even if you do check the cookie data for injection, something can still be written into the cookie that harms your data consistency, e.g. an arbitrary string ending up in a varchar column where only hexadecimal numbers should be inserted.

The best way to deal with this problem is to use Sessions where possible and store only the minimum amount of data needed in a cookie.

-1

But since the cookie is stored on the client side, this means that the client can only change his own cookie, which means that if he adds some malicious code to $_COOKIE['user'], when the cookie is read the malicious code will be shown to only one user (the one who changed the cookie in the first place) and no one else!? So what's the problem?

Well, it depends on your implementation and what you use the cookie for. An evil user can inject SQL through your cookies, change his permissions, impersonate another user, etc.

That's why you should always think of the worst-case scenario.

-2
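Added example for the points in the last two answers (it is not code from the original thread): a user lookup that builds its SQL from the cookie next to the same lookup with a bound parameter, a validation check for a column that must hold only hexadecimal digits, and the session-based alternative where the browser holds nothing but an opaque session id. It assumes PHP 7.3 or later with the pdo_sqlite extension; the in-memory SQLite database, the users table, its rows and the cookie payload are all constructed for the demonstration.

```php
<?php
// Added example, not part of the original answers.
// Run with: php cookie_sql.php

declare(strict_types=1);

// Constructed in-memory database standing in for the site's real one.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'admin', 'admin')");
    return $db;
}

// Vulnerable: the cookie value is concatenated into the statement, so a
// value such as  ' OR role='admin  rewrites the WHERE clause and the
// lookup returns the admin row instead of the caller's own row.
function lookupUnsafe(PDO $db, string $cookieUser): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $cookieUser . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the cookie value is bound as a parameter, so whatever it
// contains is only ever compared as a literal string.
function lookupSafe(PDO $db, string $cookieUser): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $cookieUser]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Data-consistency check for a column that must hold only hex digits:
// reject anything else before it reaches the database, independently of
// how the query is built.
function isHexToken(string $value, int $len = 32): bool
{
    return strlen($value) === $len && ctype_xdigit($value);
}

// Session alternative: identity lives server-side in $_SESSION and the
// client only holds the session id, which it cannot usefully edit.
// Defined but not called here, since the CLI has no HTTP response to
// attach the cookie to.
function startSessionForUser(int $userId): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable or writable from document.cookie
        'secure'   => true,   // only sent over TLS
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true); // fresh id after login, against fixation
    $_SESSION['user_id'] = $userId;
}

$db = openDb();
$payload = "' OR role='admin";   // constructed attacker-controlled cookie value

echo "unsafe lookup:\n";
print_r(lookupUnsafe($db, $payload));
echo "safe lookup:\n";
print_r(lookupSafe($db, $payload));

echo "hex token checks:\n";
var_dump(isHexToken(str_repeat('a', 32)));
var_dump(isHexToken("deadbeef'; DROP TABLE users"));
```

The prepared statement removes the injection, but it does not decide which user the cookie names: a cookie that simply says user=admin is still honoured. That is the impersonation case in the last answer, and it is why the session variant keeps the user id on the server and lets the cookie carry only a random identifier.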

Source: https://habr.com/ru/post/1416165/

