Yogesh Chauhan's Blog

An Example of Cross-site Scripting (XSS) Attack in PHP and How to Avoid It?

in PHP on December 4, 2019

Before we dig into XSS, let's get to know the basic variable and function through which this exploit can happen.

What is $_SERVER["PHP_SELF"]?

  • It's a superglobal variable.
  • It returns the filename of the script that is currently executing.
  • We use it to send form data back to the same page rather than redirecting the user to another page, for example, comments on a blog post.

The $_SERVER["PHP_SELF"] in a statement looks like this:

<form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">

Now hackers can easily use that $_SERVER["PHP_SELF"] against you. They can add "/" to the URL and then some cross-site scripting (XSS) code to execute. Let's see how that works.

Let's say our current script is "example.php". After executing the statement above, the final statement will look like the following when the user clicks the submit button:

<form method="post" action="example.php">

Now if a hacker changes the address bar and enters the following URL, it will mess up your web page.

http://www.domain.com/example.php/%22%3E%3Cscript%3Ealert('you have virus inside your computer')%3C/script%3E

So, when that hacker enters the URL, it will be converted to the following because of $_SERVER["PHP_SELF"]:

<form method="post" action="example.php/"><script>alert('you have virus inside your computer')</script>

That adds the script tag to the page and runs whatever is inside it. When the whole page and the script load, the JavaScript code is executed and the user sees the alert about a virus on the PC. (Familiar with those kinds of alerts?!)

That's a really basic example of JavaScript code that can be added to the PHP form. In many cases hackers will try to redirect the user to a different file on a different server, and in the end the user might get an actual virus on his/her computer!

So, can we avoid this $_SERVER["PHP_SELF"] vulnerability or exploits?

I have good news. YES WE CAN!

PHP has a function called htmlspecialchars() and we can use that to avoid this exploit. 

After adding htmlspecialchars() to the form, it will look like this:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

What does the htmlspecialchars() function do?

  • It converts special characters into HTML entities.
  • For example, if there is a " (quote) in your form, it will convert it to &#34; or &quot;
  • So, even if a hacker tries to enter the script tag, it won't work.

That hacker code will become as follows after including the htmlspecialchars() function.

<form method="post" action="example.php/&quot;&gt;&lt;script&gt;alert('you have virus inside your computer')&lt;/script&gt;">

So, the whole hacking attack is going to fail and your valuable customers or users won't have any problem while submitting data on your website.
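
As an added example (not code from the original post), the PHP script below builds the form tag both ways for the URL used above and parses each result with an HTML parser to show what ends up in the page. The function names, the explicit ENT_QUOTES flags and the use of DOMDocument (PHP's DOM extension) are choices made for this example.

```php
<?php
// Added example, not from the original post.
// Requires the DOM extension (ext-dom) for the parsing check.

// Vulnerable: the request path goes into the attribute as-is.
function form_tag_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened: escape for an HTML attribute. ENT_QUOTES also encodes single
// quotes, which the default flags only do from PHP 8.1 onward.
function form_tag_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// Parse the markup with an HTML parser and report what it contains.
function inspect_markup(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $form = $doc->getElementsByTagName('form')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'form_action'     => $form ? $form->getAttribute('action') : null,
    ];
}

// Constructed input: the path from the article's URL, percent-decoded as it
// is by the time PHP fills in $_SERVER["PHP_SELF"].
$phpSelf = rawurldecode(
    "/example.php/%22%3E%3Cscript%3Ealert('you have virus inside your computer')%3C/script%3E"
);

$tags = ['unsafe' => form_tag_unsafe($phpSelf), 'safe' => form_tag_safe($phpSelf)];
foreach ($tags as $label => $html) {
    $seen = inspect_markup($html);
    printf("%s: %s\n", $label, $html);
    printf("  script elements parsed: %d\n", $seen['script_elements']);
    printf("  form action attribute:  %s\n\n", $seen['form_action']);
}
```

For the unescaped tag the parser finds a script element and the action attribute ends at "/example.php/"; for the escaped tag it finds none, and the whole injected string stays inside the action attribute as plain data.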
