I have the following form that users fill in:
<form name="form" action="" method="POST">
<table width="100%" border="0" cellpadding="2" cellspacing="2">
<tr>
<td width="25%" ><div align="right"><strong>Name:</strong></div></td>
<td width="75%" ><span id="sprytextfield1">
<input id="Cname"name="Name" type="text" placeholder="Please fill in your name">
<span class="textfieldRequiredMsg">A value is required.</span></span></td>
</tr>
<tr>
<td><div align="right"><strong>Email:</strong></div></td>
<td><span id="sprytextfield2">
<input id="Cemail"name="email" type="text" placeholder="e.g sales@company.co.uk">
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldInvalidFormatMsg">Invalid format.</span></span></td>
</tr>
<tr>
<td><div align="right"><strong>Phone Number:</strong></div></td>
<td>
<input id="Cphone" name="Phone" type="text"placeholder="e.g. 5555-6666666">
</td>
</tr>
<tr>
<td> </td>
<td><input name="Manufacturer" type="hidden" value="<?php echo $row_emailProduct['Manufacturer']; ?>">
<input name="Model" type="hidden" value="<?php echo $row_emailProduct['Model']; ?>">
<input name="Color" type="hidden" value="<?php echo $row_emailProduct['Color']; ?>">
<input name="price" type="hidden" value="<?php echo $row_emailProduct['price']; ?>">
<input name="id" type="hidden" value="<?php echo htmlentities($_GET['id']); ?>">
<input name="insert" id="insert" type="submit" value="Send Request"></td>
</tr></tr>
</table>
</form>
Once the form is submitted the following happens:
if (isset($_POST["insert"])){
$OK=false;
$insertSQL = "INSERT INTO Item_intrest (Manufacturer, Model, Color, price, Name, Phone, email) VALUES (:Manufacturer, :Model, :Color, :price, :Name, :Phone, :email)";
$Result1 = $conn->prepare($insertSQL) or die(errorInfo());
$Result1->bindParam(':Manufacturer', htmlentities($_POST['Manufacturer']), PDO::PARAM_STR);
$Result1->bindParam(':Model', htmlentities($_POST['Model']), PDO::PARAM_STR);
$Result1->bindParam(':Color', htmlentities($_POST['Color']), PDO::PARAM_STR);
$Result1->bindParam(':price', htmlentities($_POST['price']), PDO::PARAM_STR);
$Result1->bindParam(':Name', htmlentities($_POST['Name']), PDO::PARAM_STR);
$Result1->bindParam(':Phone', htmlentities($_POST['Phone']), PDO::PARAM_STR);
$Result1->bindParam(':email', htmlentities($_POST['email']), PDO::PARAM_STR);
$Result1->execute();
$OK = $Result1->rowCount();
/*email to shop */
$emailsubject = 'Product Request';
$webmaster = 'sales@company.co.uk';
/*data collection */
$Name = htmlentities($_POST['Name']);
$email = htmlentities($_POST['email']);
$Phone = htmlentities($_POST['Phone']);
$item1 = htmlentities($_POST['Manufacturer']);
$item2 = htmlentities($_POST['Model']);
$item3 = htmlentities($_POST['Color']);
$Price = htmlentities($_POST['price']);
$Body = <<<EOD
<br><hr><br>
Name: $Name<br>
Email: $email<br>
Phone: $Phone<br>
Product:$item1, $item2,$item3<br>
Price: $Price<br>
EOD;
$headers = "From: $email
";
$headers .= "content-type: text/html
";
$succes = mail($webmaster, $emailsubject, $Body, $headers);
if($OK){
header('Location: /thankyourequest.php?id=' . htmlentities($_GET['id']). '');
exit;
}else {
$errorInfo = $Result1->errorInfo();
if(isset($errorInfo[2])){
$error = $errorInfo[2];
}
}
}
For some reason when it is scan it returns
From: < [mailto:<]
Sent: 20 April 2015 10:04
To: sales@company.co.uk
Subject: Product Request
Name: <script>alert("xssvuln")</script>
Email: <script>alert("xssvuln")</script>
Phone: <script>alert("xssvuln")</script>
Product:<script>alert("xssvuln")</script>, <script>alert("xssvuln")</script>,<script>alert("xssvuln")</script>
Price: <script>alert("xssvuln")</script>
As you can see I've tried to prevent this with htmlentities how ever that does not seem to be enough.
Any help welcome to prevent this
See Question&Answers more detail:
os