#16 (same2cool)

Originally Posted by IngwiePhoenix
one cause for XSS

You defined the description very well, friend.

Hats off to you.

But I have never heard this name "XSS". What is it?

Sorry for asking. I am a newbie in programming.
#17 (IngwiePhoenix)

Originally Posted by same2cool
I don't know more about it. Still my teacher did not tell me about the printout command.

Maybe you are right. I have found the solution to my error, but here I also had one error in my small code that is not working; I don't know why.

PHP Code:
<?php
$name1 = "Samee";
$name2 = "Ullah";
$name3 = "Feroz";
echo "$name1 $name2\n$name3 <br />"; // Error here: the escape sequence is not working.
echo "$name1 $name2\t$name3 <br />";
echo "$name1 $name2\r$name3";
?>

In this code the escape sequence is not working.

I showed the output in my Escape Sequence post on my blog.

You don't see the escape sequences unless you are viewing the output via the terminal, or by "displaying the source code" via your browser. The <br/> will of course work in a browser, but you will not see newlines and the like.

It would also be very helpful if you copy-and-pasted the error message.
#18 (IngwiePhoenix)

Originally Posted by same2cool
You defined the description very well, friend.

Hats off to you.

But I have never heard this name "XSS". What is it?

Sorry for asking. I am a newbie in programming.

XSS: X(pronounced as C)ross Site Scripting

It is a method to execute code on another server. For example, there was a bug in PHP that allowed people to open PHP scripts on another server like so:

.../file.php?$GLOBALS[]=...

The $GLOBALS array contains the table of all global variables, such as $_GET and $_POST. That method allowed a hacker to smuggle code/values into a script that allowed them to either control the system in a way, or to compromise a database, for example.
#19 (same2cool)

Originally Posted by IngwiePhoenix
You don't see the escape sequences unless you are viewing the output via the terminal, or by "displaying the source code" via your browser. The <br/> will of course work in a browser, but you will not see newlines and the like.

It would also be very helpful if you copy-and-pasted the error message.

I tried it many ways.

PHP Code:
echo "\n $str1";
echo "\n " . $str1;
echo "\n {$str1}";

I am using WAMPserver.

Is it a localhost problem?

But no response.
#20 (IngwiePhoenix)

It's not your localhost or WAMP server.

When you open a page, the browser will interpret all the HTML code, like <br/>. But it will NOT interpret newlines, tabs and carriage returns.

\n = Newline
\r = Carriage return
\t = Tab

These three are simply not displayed by your browser, unless you use an option that is mainly called "Display source code". It's different from browser to browser, but that option will pop up a window which displays the raw data that it received. In this option, you will also see the newlines and tabs, sometimes even the carriage returns, but in most cases you won't see them.
#21 (same2cool)

Originally Posted by IngwiePhoenix
XSS: X(pronounced as C)ross Site Scripting

It is a method to execute code on another server. For example, there was a bug in PHP that allowed people to open PHP scripts on another server like so:

Thanks for this great knowledge. I'll write it down in my daily blog; I'll discuss this conversation there.

Originally Posted by IngwiePhoenix
The $GLOBALS array contains the table of all global variables, such as $_GET and $_POST. That method allowed a hacker to smuggle code/values into a script that allowed them to either control the system in a way, or to compromise a database, for example.

Yep, I know about $GLOBALS(); I learned it 2 days ago.

It is used to call a global variable into a function.

Nice information you provide here, that hackers used $GLOBALS();

Interesting.
#22 (IngwiePhoenix)

One small thing.

You wrote: $GLOBALS();
That'd be a function.

Actually, it is: $GLOBALS[]
$GLOBALS is an array, not a function.

I.e.

PHP Code:
<?php
$foo = "bar";
echo $GLOBALS['foo'];
?>

As you can see, I defined $foo. But since it is a global variable, it'll end up in $GLOBALS.

The function, however, that you meant is just "global":

PHP Code:
<?php
$myName = "Ingwie";
function say() {
    // I am not passing any parameter to it, but I am going to import the variable from the global namespace.
    global $myName;
    echo $myName; // Ingwie
}
say();
?>
#23 (same2cool)

Originally Posted by IngwiePhoenix
\r = Carriage return

I don't know more about \r. Can you please describe its functionality in a basic way, or with a small function that I can try and understand? I checked; your knowledge is good and you can become a good teacher. Please guide me.

Originally Posted by IngwiePhoenix
unless you use an option that is mainly called "Display source code".

Is it any option? What does it mean?
#24 (same2cool)

Originally Posted by IngwiePhoenix
One small thing.

You wrote: $GLOBALS();
That'd be a function.

Actually, it is: $GLOBALS[]
$GLOBALS is an array, not a function.

Sorry, it is my mistake. I'll remember it now. Thanks for the correction.

Originally Posted by IngwiePhoenix
1st:
PHP Code:
    // global namespace.
    global $myName;
2nd:
PHP Code:
say();

Sorry, I don't know about these codes and the global namespace; my teacher still did not tell me about it. But I'll ask him about these two things on Monday.

My code for a global variable in a function was:
PHP Code:
<?php
$name = "Samee";
$age = 22;
$hight = 5.3;
function msr()
{
    echo "<b>What is Your Name And Age?</b> <br />";
    echo "My Name is {$GLOBALS['name']}";
    echo "<br />";
    echo " And My Age is " . $GLOBALS['age'] . " And my double age will be " . ($GLOBALS['age'] * 2) . "<br />";
}
msr();
echo "<b>Tell me your complete bio data?</b> <br />";
echo "My Name is $name, age is $age, and My hight is $hight.";
?>
#25 (IngwiePhoenix)

Originally Posted by same2cool
I don't know more about \r. Can you please describe its functionality in a basic way, or with a small function that I can try and understand? I checked; your knowledge is good and you can become a good teacher. Please guide me.

Is it any option? What does it mean?

I have been PHP'ing for years.

To explain the carriage return, let's look at the older OSes that existed, like DOS and UNIX in its pure form. An OS formats files with different bytes, each byte representing a sign, or, put another way, representing a decimal number that is associated with an encoding table like ASCII. In fact, you can even get the ASCII code of a character in PHP:
PHP Code:
<?php echo ord("a"); ?>
This will output 97, as this is the official ASCII decimal for a lowercase a. And this way, newlines were defined as well. But since Microsoft with their DOS wanted to be slightly different, their files were encoded in a way that newlines were described with a different sign than the one that UNIX used (for example: Mac OS 8).
To represent these signs in modern terms, people use the escape sequence \r to represent the old Microsoft way, which is called "CR". UNIX, or Linux, uses \n and their encoding was "LF": Linefeed. Today, most operating systems use an encoding called "CRLF", as you see, a combination of both.

For instance, when you open a website from a server, the actual information, like the HTTP status code, is transferred with a CRLF structure:

HTTP 1.1 GET / 200\r\n

This is being done to ensure the most compatibility possible.

For another instance, I write my programs in LF encoding, so when I run them on my school's server (which weirdly uses CR), my scripts will perfectly use all their newlines since the OS is looking for \r, but my files only provide \n. This leads to extremely unexpected errors, especially when you work with C++, where a definition (#define) must be placed on a separate line. So a file I write on my Mac maybe looks like this:

#include <iostream>
#include <string>

But on the other computer, it turns into:

#include <iostream>#include <string>

See the difference?

The "display source code" option is maybe found in the Tools menu of your browser. Just hit Google and type your browser name, "how to" and then "display source code".
I.e.: firefox how to display source code
However, I know that you can do that in Firefox by pressing CTRL+U.

Comments on this post

• Jacques1 disagrees: Do you realize that you're talking to a newbie who simply asked what \n means? I don't think he needs a history lesson.
• NotionCommotion agrees: I appreciated the history lesson.
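As an added example (not code from the post above), here is a PHP helper that classifies which line-ending convention a string uses by checking the byte values with ord(), as in the post, and normalizes it to LF so a file written on one system does not lose its line breaks on another; the function names and the sample strings are my own.

```php
<?php
// Added example: classify and normalize line endings in a string.
// Byte values: "\r" is 13 (CR), "\n" is 10 (LF); both are checked with ord().

function countLineEndings(string $data): array
{
    $counts = ['CRLF' => 0, 'LF' => 0, 'CR' => 0];
    $len = strlen($data);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($data[$i]);
        if ($byte === 13) {                                   // CR
            if ($i + 1 < $len && ord($data[$i + 1]) === 10) {
                $counts['CRLF']++;                            // CR followed by LF: DOS/Windows style
                $i++;                                         // skip the LF we just consumed
            } else {
                $counts['CR']++;                              // lone CR: old Mac style
            }
        } elseif ($byte === 10) {
            $counts['LF']++;                                  // lone LF: UNIX style
        }
    }
    return $counts;
}

// Rewrite every CRLF or lone CR as LF, so the text reads correctly on a UNIX system.
function normalizeToLf(string $data): string
{
    return preg_replace("/\r\n|\r/", "\n", $data);
}

// Constructed sample: the same two lines from the post in the three conventions.
$samples = [
    'windows' => "#include <iostream>\r\n#include <string>\r\n",
    'unix'    => "#include <iostream>\n#include <string>\n",
    'old mac' => "#include <iostream>\r#include <string>\r",
];

foreach ($samples as $label => $text) {
    $counts = countLineEndings($text);
    printf("%-8s CRLF=%d LF=%d CR=%d -> normalized: %s\n",
        $label, $counts['CRLF'], $counts['LF'], $counts['CR'],
        json_encode(normalizeToLf($text)));
}
```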
#26 (Jacques1)

Originally Posted by IngwiePhoenix
XSS: X(pronounced as C)ross Site Scripting

It is a method to execute code on another server. For example, there was a bug in PHP that allowed people to open PHP scripts on another server like so:

.../file.php?$GLOBALS[]=...

No.

I'm not even sure what you mean by your code example (maybe a remote file inclusion?), but this has absolutely nothing to do with cross-site scripting.

Cross-site scripting means that you inject client-side code (like JavaScript) into a web page and wait for the browser of a visitor to execute it. So it's an attack against clients, not servers. It's used to steal cookies, manipulate user actions etc.

The 6 worst sins of security • How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
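As an added example that is not part of the thread, here is a small PHP script contrasting the kind of output Jacques1 describes (untrusted text copied straight into the page) with a hardened version: the value is escaped with htmlspecialchars() before it reaches the browser, and nl2br() turns the newlines from post #20 into <br /> so they actually show up. The function names and the input string are constructed for the demo.

```php
<?php
// Added example: why unescaped output is an XSS sink, and how to render it safely.

// Vulnerable: whatever the visitor sent is copied into the HTML verbatim,
// so a value containing markup is executed by every browser that loads the page.
function renderUnsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: htmlspecialchars() turns < > & " ' into entities, so the browser
// shows the text instead of running it. nl2br() is applied AFTER escaping, so
// the only <br /> tags in the output are the ones we add for the newlines.
function renderSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, " . nl2br($escaped) . "</p>";
}

// Constructed untrusted input: a name with a newline and an injected script tag.
// In a real request this would come from $_GET['name'] or a form field.
$untrusted = "Samee\n<script>document.title=\"x\"</script>";

echo "Unsafe output:\n" . renderUnsafe($untrusted) . "\n\n";
// The <script> tag lands in the page unchanged and the newline stays invisible.

echo "Safe output:\n" . renderSafe($untrusted) . "\n";
// Produces: <p>Hello, Samee<br />
// &lt;script&gt;document.title=&quot;x&quot;&lt;/script&gt;</p>
```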
#27 (IngwiePhoenix)

Originally Posted by Jacques1
No.

I'm not even sure what you mean by your code example (maybe a remote file inclusion?), but this has absolutely nothing to do with cross-site scripting.

Cross-site scripting means that you inject client-side code (like JavaScript) into a web page and wait for the browser of a visitor to execute it. So it's an attack against clients, not servers. It's used to steal cookies, manipulate user actions etc.

XSS has been used to inject code into actual PHP scripts too. It is truly mainly used for client-side attacks... but that's not its only purpose. True, remote file inclusion isn't all that wrong :3
#28 (Jacques1)

Originally Posted by IngwiePhoenix
It is truly mainly used for client-side attacks...

This is the definition of cross-site scripting. That's what the name means.

OWASP: Cross-site scripting

Injection attacks against the server have different names, depending on what exactly is being attacked (there are file inclusion attacks, SQL injections etc.).

Of course you're free to use your own definition, but then nobody will understand you, and you'll confuse inexperienced programmers.
#29 (IngwiePhoenix)

Originally Posted by Jacques1
This is the definition of cross-site scripting. That's what the name means.

OWASP: Cross-site scripting

Injection attacks against the server have different names, depending on what exactly is being attacked (there are file inclusion attacks, SQL injections etc.).

Of course you're free to use your own definition, but then nobody will understand you, and you'll confuse inexperienced programmers.

Well, it is basically what I experienced, saw and learned over the years. o.o"

Like, there was that documentation in SMF 2.0.X (cannot remember the release) that spoke about XSS from within the server side, pointing out the $GLOBALS issue. *shrug* I can't really say what is wrong or right, but I suppose it's more in the viewer's eye or something like that o.o
#30 (Jacques1)

Originally Posted by IngwiePhoenix
I can't really say what is wrong or right, but I suppose it's more in the viewer's eye or something like that o.o

Not really. The term "cross-site scripting" stands for a specific client-side attack, and tech people all around the world refer to this definition when they talk about XSS. That's what you'll find in every manual, specification or scientific paper.

I don't know SMF, so I can't tell you what they meant and why they used the term XSS. But if you want people to understand you, then you should use the common definition and call a circle a "circle" and not a "rectangle".