
Cross Site Scripting XSS browser attacks


Nowadays web applications are becoming more and more dynamic. A dynamic website means that the contents shown on a web page are pulled dynamically depending on some settings. These settings may include sending some important variables in the query string, or sending the data entered by users through a POST form. So in simple words we can say that your dynamic web application needs some contents / data inputs from the user, and this is the point where Cross Site Scripting (XSS) comes into the picture.

As your dynamic web application accepts data from users or from the query string, some users get the front door open to enter your application and put their code into it. This code may include HTML code and/or JavaScript, or any other client-side script. Cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities.

What is XSS?

Usually the attacker encodes some part of the link in HEX and puts it into your web page through the query string. That script can be anything, so we cannot predict the behaviour of such attacks on the web application.

Attack example: a simple JavaScript that reads the cookie is added to your page, and the cookie is then sent to the attacker's action page, which records all the information in the cookie created by your web application.

Refer to the following URL (host and page name are placeholders; the $text value is the injected iframe):

    http://www.example.com/page.php?text=<iframe src="javascript:alert(document.cookie)"></iframe>

If we are using the variable $text somewhere in our page and it is not escaped, then this URL will render a new iframe at the place where you are using the $text variable.
In this way an attacker can insert any script into another site's web pages and fool the users into giving up important information. Normally in such attacks the user never realises that their important information is being taken by some other application.
This is a simple case and will not cause much damage to your site, but an attacker can do much more than this with the help of XSS.

Other XSS attacks
Attackers may inject JavaScript, VBScript, ActiveX or HTML into web pages.
Such attacks are used for hijacking user accounts, changing user settings, cookie theft, or advertising.

How to prevent such attacks ?

Cleansing the query string variables is the only way you can prevent such attacks.

Cleansing the query string - PHP:

    string strip_tags ( string $str [, string $allowable_tags ] )

This function tries to return a string with all HTML and PHP tags stripped from the given $str.

    string htmlentities ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] )

Use the above functions, or you can write your own function which combines all such stripping functionalities.
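As an added example (not code from the original post), here is the unescaped pattern described above beside an escaped version, run from the command line so the generated HTML can be compared. The page name, the $_GET['text'] parameter and the sample payload are assumed for illustration.

```php
<?php
// Added example: the vulnerable echo of a query string value beside a hardened
// version. Run with: php xss_demo.php   (it prints the HTML each one produces)

// Constructed sample input, the same kind of payload the URL above carries.
$sample = '<iframe src="javascript:alert(document.cookie)"></iframe>';

// VULNERABLE: the query string value is written into the page unescaped,
// so any HTML or script in it is rendered and executed by the browser.
function render_vulnerable(string $text): string
{
    return "<p>You searched for: $text</p>";
}

// HARDENED: encode the value for an HTML text context. ENT_QUOTES also
// encodes ' and " so the same value is safe inside attribute values, and the
// explicit charset avoids encoding mismatches (htmlentities() works the same way).
function render_safe(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return "<p>You searched for: $escaped</p>";
}

// strip_tags() removes tags, but it is not a substitute for encoding: text such
// as "1 < 2" is mangled, and any tag listed in $allowable_tags keeps its
// attributes, so event handler attributes would survive on those tags.
function render_stripped(string $text): string
{
    return "<p>You searched for: " . strip_tags($text) . "</p>";
}

$text = isset($_GET['text']) ? $_GET['text'] : $sample;

echo "Unsafe output (the browser would render the iframe):\n";
echo render_vulnerable($text), "\n\n";
echo "Escaped output (the browser shows the payload as plain text):\n";
echo render_safe($text), "\n\n";
echo "strip_tags output:\n";
echo render_stripped($text), "\n";
```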


Fatal error Allowed memory size of 8388608 bytes exhausted


Fatal error: Allowed memory size of 8388608 bytes exhausted.

Sometimes a PHP script returns the above error. Normally this error is generated when your script has exhausted and used up the default memory allocation of 8 MB.

* The default memory limit is set in the php.ini file (the PHP configuration file).

* memory_limit = 8M

How can we manage the memory problems that come up in some PHP scripts?
You should check the following things when such memory errors occur in your script.

1. Check the default memory_limit setting in your php.ini file:
    memory_limit = 8M
You can change this memory limit and then check for the error again.

a. Edit php.ini:
    memory_limit = 12M
and restart the Apache service.
b. Code level:
    @ini_set('memory_limit', '12M');
c. .htaccess:
    php_value memory_limit 12M

2. If the error is not resolved after the above step, then you should start debugging your code in order to find the reason the memory limit is exceeded.
You first have to find out at which position in your code the memory limit is being exceeded. You can use PHP's built-in function for this purpose.

Function description

memory_get_usage - This function returns the amount of memory allocated to PHP.

Syntax:
    int memory_get_usage ([ bool $real_usage = false ] )

It returns the amount of memory, in bytes, that is currently being allocated to your PHP script.

Set the option of this function to TRUE to get the real size of memory allocated from the system. If not set or FALSE, only the memory used by emalloc() is returned.

How to use this function

1. Write this code ( echo memory_get_usage( true ); ) repeatedly after some number of lines.
2. Run it in the browser.
3. Compare the counts given by each echo and you can see which block of your code needs extra memory.
4. Once you identify the block of code which needs extra memory, you can start deallocating the unused memory held by unused variables, and look for runaway loops.
5. Use the following wherever necessary:
    a. unset($var_name);
    b. mysql_free_result($result_set); - frees result memory
    c. Look for include("file.php") placed inside loops by mistake.
Just try to free the memory everywhere the variable / array is no longer used.
6. Best of luck.
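An added example (not from the original post) that turns steps 1 to 5 into a reusable checkpoint helper: it records memory_get_usage() at labelled points, prints the delta between checkpoints so the hungry block stands out, and shows the effect of unset(). The function names and the workload are assumed for illustration.

```php
<?php
// Added example: checkpoint helper around memory_get_usage().
// Run with: php mem_demo.php

// Record both counters at a labelled point in the script.
function mem_checkpoint(string $label, array &$log): void
{
    $log[] = [
        'label' => $label,
        'used'  => memory_get_usage(),      // bytes used by emalloc()
        'real'  => memory_get_usage(true),  // bytes allocated from the system
    ];
}

// Render the checkpoints as a table; 'delta' is the change in 'used' since
// the previous checkpoint, so the block that grows memory is easy to spot.
function mem_report(array $log): string
{
    $out  = sprintf("%-24s %12s %12s %12s\n", 'checkpoint', 'used', 'real', 'delta');
    $prev = null;
    foreach ($log as $row) {
        $delta = ($prev === null) ? 0 : $row['used'] - $prev;
        $out  .= sprintf("%-24s %12d %12d %+12d\n",
                         $row['label'], $row['used'], $row['real'], $delta);
        $prev  = $row['used'];
    }
    return $out;
}

$log = [];
mem_checkpoint('start', $log);

// Block A: constructed workload, a large array kept in scope.
$rows = [];
for ($i = 0; $i < 50000; $i++) {
    $rows[] = str_repeat('x', 64) . $i;
}
mem_checkpoint('after building $rows', $log);

// Block B: the array is no longer needed; unset() lets PHP reclaim it,
// which shows up as a negative delta in the report.
unset($rows);
mem_checkpoint('after unset($rows)', $log);

echo mem_report($log);
echo 'peak: ', memory_get_peak_usage(), ' bytes, memory_limit: ', ini_get('memory_limit'), "\n";
```

Comparing the peak against memory_limit tells you whether raising the limit (step 1) is enough or whether a block really needs to be reworked.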


Function description

    bool mysql_free_result ( resource $result )

It frees all the memory associated with the result identifier $result.