I have the following PHP page which accepts the user’s first name and password to access a password protected site.
<?php
/**
 * ****************************************************************************
 * Micro Protector
 *
 * Version: 1.0
 * Release date: 2007-09-10
 *
 * USAGE:
 * Define your requested password below and insert the following code
 * at the beginning of your page:
 * <?php require_once("microProtector.php"); ?>
 *
 * See the attached example.php.
 *
 ******************************************************************************/
$Password = 'testpass'; // Set your password here
/******************************************************************************/
if (isset($_POST['submit_pwd'])) {
    $pass = isset($_POST['passwd']) ? $_POST['passwd'] : '';
    if ($pass !== $Password) { // strict comparison: avoids PHP's numeric-string coercion with !=
        showForm("Wrong password");
        exit();
    }
} else {
    showForm();
    exit();
}

function showForm($error = "LOGIN") {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<title>IMC - Authentication</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
<script type="text/javascript">
<!--
// Capitalise the first letter of each word in the field and strip anything
// tag-shaped. This runs in the browser only; it is cosmetic, not a security check.
function capitalize(form) {
    var words = form.value.split(' ');
    for (var i = 0; i < words.length; i++) {
        words[i] = words[i].substring(0, 1).toUpperCase() + words[i].substring(1);
    }
    // Re-join with spaces (the original appended '' and ran the words together).
    form.value = words.join(' ').replace(/(<([^>]+)>)/ig, "");
}
-->
</script>
</head>
<body>
<center><a href="http://www.test.com"><img src="http://www.test.com/topLogo.png" border="0" /></a></center>
<br><br><br>
<div id="main">
<div class="caption"><?php echo $error; ?></div>
<div id="icon"> </div>
<?php // Note: $_SERVER['PHP_SELF'] is derived from the request path and is echoed here unescaped. ?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="pwd">
Your Name:
<table>
<tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength="12" type="text" /></td></tr>
</table>
Password:
<table>
<tr><td><input class="text" name="passwd" maxlength="8" type="password" /></td></tr>
<tr><td align="center"><br/>
<input class="text" type="submit" name="submit_pwd" value="Login" />
</td></tr>
</table>
</form>
</div>
</body>
</html>
<?php
}
?>
Currently it’s not validating any XSS or any type of malicious attack. On my contact us page, I have the following code which ensures the user cannot enter any XSS or any kind of malicious code:
// Clean up the input values
foreach ($_POST as $key => $value) {
    if (ini_get('magic_quotes_gpc')) {
        $_POST[$key] = stripslashes($_POST[$key]);
    }
    $_POST[$key] = htmlspecialchars(strip_tags($_POST[$key]));
}
Can anyone tell me where I would insert the above code in my PHP page to ensure no code is inserted for malicious intent?
I would suggest using a library like HTMLPurifier. It is very easy to use and can filter the user input, preventing XSS attacks.
Then you can check the password against the one in your database or other storage mechanism.
HTH
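As an added example that is neither the asker's nor the answerer's code, here is one way to place the contact-page cleanup into the login page above: clean only the field that gets displayed (the name), compare the password exactly as submitted, and escape the one request-derived value the form echoes back. `$Password` is the page's own setting; the `$request` array is constructed input standing in for `$_POST`, and the `magic_quotes_gpc` branch is dropped because that setting no longer exists in current PHP.

```php
<?php
// Added example, not code from the question or the answer. It places the
// contact-page cleanup into the login flow: clean only the displayed field
// (the name), compare the password exactly as submitted, and escape the
// request-derived value the form echoes ($_SERVER['PHP_SELF']).
// $Password is the page's own setting; $request is a constructed request.
// magic_quotes_gpc was removed in PHP 5.4, so that branch is omitted here.

// The contact-page transformation, applied to a single displayed value.
function clean_field(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Returns [granted, caption]. The password is deliberately NOT passed through
// clean_field(): strip_tags/htmlspecialchars would turn "a&b" into "a&amp;b"
// and reject a correct password, and the value is never echoed to a page anyway.
function check_login(array $request, string $expected): array
{
    if (!isset($request['submit_pwd'])) {
        return [false, 'LOGIN'];
    }
    $pass = isset($request['passwd']) ? (string) $request['passwd'] : '';
    if (!hash_equals($expected, $pass)) {   // strict, timing-safe string comparison
        return [false, 'Wrong password'];
    }
    return [true, ''];
}

// The form action reflects the request path, so it must be escaped as well.
function form_action(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
}

$Password = 'testpass';
$request = [                          // constructed sample request, stands in for $_POST
    'name'       => "<b>John</b> O'Neil",
    'passwd'     => 'testpass',
    'submit_pwd' => 'Login',
];
list($granted, $caption) = check_login($request, $Password);
$name   = clean_field($request['name']);      // tags removed, quote HTML-encoded
$action = form_action('/login.php/<extra>');  // angle brackets HTML-encoded
echo ($granted ? 'granted' : 'denied'), ' | ', $caption, ' | ', $name, ' | ', $action, "\n";
```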