Solution 1:

I take it you are using this as a learning exercise on how to prevent XSS

Change the following:

echo "Invalid username and password";

to the following in order to achieve XSS:

echo "Invalid username:".$_POST['txt_uname']." and password";

Then type the following text in the username field

<image src="x" onerror="alert('XSS')">

In order to prevent XSS when echoing variables like I have done above, you would wrap the variables with htmlentities() like the following code:

echo "Invalid username:".htmlentities($_POST['txt_uname'])." and password";

This is one of several ways of achieving XSS, so you are best learning from specific sites that go into greater detail on the different methods and solutions for preventing XSS.
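As an added example (not code from the question or the answer above), this is the hardened form of the two places this page reflects user input: the login-failure message and the stored feedback value. The helper name e() and the rendering functions are assumptions for illustration; the flag set is explicit so the result does not depend on which PHP version's htmlentities() defaults are in effect.

```php
<?php
// Added example, not the original page's code: output encoding for the
// login-failure message and for stored feedback rendered back into the form.
declare(strict_types=1);

// Encode a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES also converts the single quote, which the pre-PHP-8.1 default
// (ENT_COMPAT) leaves untouched; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, so the message is not silently lost.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The failure message from the answer, with the username reflected safely.
function invalidLoginMessage(string $uname): string
{
    return 'Invalid username:' . e($uname) . ' and password';
}

// Stored feedback shown back in the feedback field (stored XSS case). The
// value sits inside a double-quoted attribute, so the same encoder applies:
// quotes and angle brackets become entities and cannot end the attribute.
function feedbackField(string $feedback): string
{
    return '<input type="text" class="textbox" id="txt_feedback" '
        . 'name="txt_feedback" placeholder="Feedback" value="'
        . e($feedback) . '" />';
}

// Constructed sample input: the same tag the answer types into the username field.
$sample = '<image src="x" onerror="alert(\'XSS\')">';

echo invalidLoginMessage($sample), PHP_EOL;
echo feedbackField($sample), PHP_EOL;
```

Encoding happens at output time, at the point the value enters HTML; escaping on the way into the database (as mysqli_real_escape_string does for SQL) does nothing for the HTML context.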

Problem:


<title> Login </title>
<div class="container">
    <form method="post" action="logged.php">
        <div id="div_login">
            <input type="text" class="textbox" id="txt_uname" name="txt_uname" placeholder="Username" />
            <input type="password" class="textbox" id="txt_pwd" name="txt_pwd" placeholder="Password"/>
            <input type="submit" value="Submit" name="but_submit" id="but_submit" />
        </div>
        <div class='container' id='footer'>
            <h3>Leave us some feedback ! </h3>
            <input type="text" class="textbox" id="txt_feedback" name="txt_feedback" placeholder="Feedback" />
        </div>
    </form>
</div>


<?php
session_start();            // needed before $_SESSION is written below
include "configs.php";      // provides $con (mysqli connection)

if (isset($_POST['but_submit'])) {   // reconstructed wrapper: the original indentation implies an enclosing block
    $uname = mysqli_real_escape_string($con, $_POST['txt_uname']);
    $password = $_POST['txt_pwd'];            // left unescaped on purpose (the asker's intended SQL injection)
    $fback = $_POST['txt_feedback'];          // assumed: $fback was used below but never assigned in the original

    if ($uname != "" && $password != "") {

        $sql_query = "select count(*) as cntUser from users where username='".$uname."' and password='".$password."'";
        $result = mysqli_query($con, $sql_query);
        $row = mysqli_fetch_array($result);
        // Feedback is stored raw and never echoed here, so nothing on this page renders it into HTML.
        $sql = "UPDATE users SET feedback='$fback' WHERE username='".$uname."' and password='".$password."'";
        if ($con->query($sql) === TRUE) {
            echo "Record updated successfully";   // output before header() below triggers "headers already sent"
        } else {
            echo "Error updating record: " . $con->error;
        }
        $count = $row['cntUser'];

        if ($count > 0) {
            $_SESSION['uname'] = $uname;
            header('Location: home.php');
        } else {
            echo "Invalid username and password";
        }
    }
}
?>



I want the feedback input field to be XSS vulnerable such that I can trigger JavaScript alert boxes by supplying scripts as input to the field. How do I achieve this? As of now, it simply proceeds to the home page without triggering any alert boxes. I have already implemented SQL injection on this page which is working fine.


Comment posted by delboy1978uk


Comment posted by Pratheek Menon

It just shows a blank page without triggering an alert.

Comment posted by John

I've changed it to use $_POST['txt_uname'] directly. Try again.