Validating user input in PHP
Before we describe in detail how an XSS attack works, we need to define the actors involved in an XSS attack.
In general, an XSS attack involves three actors: the website, the victim, and the attacker.
To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
In the example of a DOM-based XSS attack, however, there is no malicious script inserted as part of the page; the only script that is automatically executed during page load is a legitimate part of the page.
The problem is that this legitimate script directly makes use of user input in order to add HTML to the page.
The PHP filter extension has many of the functions needed for checking user input, and is designed to make data validation easier and quicker.
The filter_list() function lists the filters the PHP filter extension offers. The following example uses the filter_var() function to check whether the variable $int is an integer.
The only way for the attacker to run his malicious JavaScript in the victim's browser is to inject it into one of the pages that the victim downloads from the website.
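The following block is an added example, not code from the original page, tying together the two points above: it uses the PHP filter extension (filter_var() with FILTER_VALIDATE_INT and FILTER_VALIDATE_EMAIL) to validate untrusted input, and it encodes any user-supplied text with htmlspecialchars() before echoing it, so the website never serves attacker-controlled markup back to other visitors. The function names (validatePage, validateEmail, escapeHtml), the range limits and the sample inputs are all assumptions constructed for this illustration.

```php
<?php
// Added example (not from the original page): server-side validation with
// the PHP filter extension, plus output encoding so user input is never
// emitted as live HTML. Function names and sample values are constructed.

declare(strict_types=1);

/**
 * Validate an integer taken from untrusted input (e.g. $_GET['page']).
 * Returns the int on success, or null when the value is not an integer
 * within [min, max]. The strict comparison with false matters: filter_var()
 * returns 0 for the input "0", and a loose `if (!$value)` would reject it.
 */
function validatePage(string $raw, int $min = 0, int $max = 1000): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/** Validate an e-mail address; null when the syntax is not acceptable. */
function validateEmail(string $raw): ?string
{
    $value = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $value === false ? null : $value;
}

/**
 * Output encoding: whatever survives validation is still data, not markup.
 * htmlspecialchars() turns <, >, &, " and ' into entities, so the browser
 * renders them as text instead of parsing them as tags or attributes.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, as they might arrive in a query string.
$samples = [
    'page'  => ['0', '42', '42abc', '99999'],
    'email' => ['alice@example.com', 'not-an-address', 'bob@example.com<script>'],
];

foreach ($samples['page'] as $raw) {
    $page = validatePage($raw);
    echo 'page=' . var_export($raw, true) . ' -> '
       . ($page === null ? 'rejected' : "accepted ({$page})") . PHP_EOL;
}

foreach ($samples['email'] as $raw) {
    $email = validateEmail($raw);
    echo 'email=' . var_export($raw, true) . ' -> '
       . ($email === null ? 'rejected' : 'accepted') . PHP_EOL;
}

// Echoing a free-text field (a display name, say) back into the page:
// encode on output regardless of what validation did earlier, so a value
// containing script tags is shown as text rather than executed.
$displayName = 'Eve <script>alert(1)</script>';   // constructed sample
echo '<p>Hello, ' . escapeHtml($displayName) . '</p>' . PHP_EOL;
```

Validation and output encoding are separate controls: filter_var() rejects values that are not of the expected type or range, while escapeHtml() protects the places where free-form text is written into HTML, which is exactly where a stored or reflected payload would otherwise become a "legitimate part of the website" in the victim's browser. Note also that this is server-side protection; a DOM-based XSS, where client-side script itself inserts user input as HTML, has to be fixed in the page's own JavaScript (for example by assigning text rather than markup).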