// Tail of param_escape.php; the opening of the file is not reproduced on this page,
// and the leading echo is assumed from the printed message.
echo htmlspecialchars($_GET['parameter']) .
     ' has no results.';
?>
3. Load http://seophp.example.com/param_no_escape.php?parameter=<a href=http://too.much.spam>spam spam spam</a>. Your innocent, but vulnerable, script nicely takes the parameter and transforms it into an HTML link. You end up linking to http://too.much.spam, as shown in Figure 8-3.

4. Now provide the same parameter to your other script, param_escape.php. The link would be http://seophp.example.com/param_escape.php?parameter=<a href=http://too.much.spam>spam spam spam</a>, and the result is shown in Figure 8-4.
Figure 8-3
Figure 8-4
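The following is an added example, not code from the book: a hardened version of the escaping used in param_escape.php, extended with the caveats a practitioner would want (explicit flags and charset, and a second encoding layer when the parameter goes into a URL inside an attribute). The file name search.php is hypothetical, and the default input is constructed from the injected link in steps 3 and 4.

```php
<?php
// Added example, not the book's code. search.php is a hypothetical file name;
// the sample payload below is constructed from steps 3 and 4 on this page.
declare(strict_types=1);

// Escape untrusted text for HTML element content or a quoted attribute value.
// ENT_QUOTES also escapes single quotes (the default flags left them alone
// before PHP 8.1), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, and the explicit charset avoids relying on default_charset.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same message the escaped script on this page prints.
function renderNoResults(string $parameter): string
{
    return escapeHtml($parameter) . ' has no results.';
}

// Putting the parameter into a URL inside an attribute needs two layers:
// rawurlencode() for the URL context, then escapeHtml() for the attribute.
function renderRetryLink(string $parameter): string
{
    $url = 'search.php?parameter=' . rawurlencode($parameter);
    return '<a href="' . escapeHtml($url) . '">Search again</a>';
}

// Constructed sample mirroring the injected link from steps 3 and 4.
$parameter = $_GET['parameter'] ?? '<a href=http://too.much.spam>spam spam spam</a>';

header('Content-Type: text/html; charset=UTF-8');
echo renderNoResults($parameter), "\n", renderRetryLink($parameter), "\n";
```

With the sample input, the first line arrives in the browser as literal text rather than as a link, and the second line links back to the search page with the payload carried only as an encoded query value.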
The escaping makes a difference, doesn’t it! Of course, you don’t want anyone to post anything like that
on your web site regardless of whether you escape your input data. However, you’re much better off
when escaping your data for three main reasons:

- Carefully escaped data is much less likely to cause damage when further processed by your scripts
in general. Doing so has security implications as well — it prevents cross-site scripting attacks.
179
Chapter 8: Black Hat SEO