What validation is important in a PHP web form that only interacts with itself?

I made a simple base64 decoder form, which takes in an input through a textarea. I assume the input is base64 encoded. If it isn't base64 input, and there's a PHP error or garbage is returned, I don't mind at the moment. However, from a security perspective, do I need to do any validation or sanitation on this input?

The page is called error-decoder.php, and it submits to itself, and doesn't interact with a database or anything else. Here is the whole thing:

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title></title>
    </head>
    <body>
        <div id="container" style="width: 80%; margin: 0 auto; font-family: sans-serif;">

            <form name="error-decoder" action="error-decoder.php" method="post">
                <textarea name="error-text-area" style="width: 100%; height: 400px;">
                    <?php if(!empty($_POST['error-text-area'])){ echo $_POST['error-text-area']; } ?>
                </textarea>
                <button type="submit" style="float: right;">Decode</button>
            </form>

            <?php
            if(!empty($_POST['error-text-area'])){
            ?>
                <p>Output:</p>
                <hr>
                <div id="error-output">
                <br />
            <?php
                echo base64_decode($_POST['error-text-area']) . "</div>";
            }
            ?>

        </div>

    </body>
</html>

Is there anything that needs to be done to make this safe either for the user or for my server? Are there important php.ini settings I need to worry about that would affect your answer? I don't care about errors or garbage except how it might affect security. Thanks for any info on this!

Sean Fahey asked Oct 26 '25 02:10


1 Answer

When you output to HTML, you should use htmlspecialchars() to avoid having your data break the HTML. Unless you are outputting HTML itself, of course.

So:

echo htmlspecialchars(base64_decode($_POST['error-text-area']));
jeroen answered Oct 28 '25 17:10
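As an added example (not the asker's page and not the answerer's code), here is a hardened version of the same self-posting decoder. It applies the answer's point to both places the page echoes user data (the textarea refill and the decoded output), and adds the checks a reviewer would ask for next: strict base64 validation so garbage is reported instead of half-decoded, a size cap, an explicit response charset, and a restrictive Content-Security-Policy as a second layer. The constant MAX_INPUT_BYTES, the helper names h() and decodeBase64Strict(), and the 64 KiB limit are assumptions chosen for this example.

```php
<?php
// Added example, not the original page's code. Every change below is a
// defender-side measure: escape on every echo, validate strictly, and send
// headers that tell the browser how to treat the response.
declare(strict_types=1);

const MAX_INPUT_BYTES = 64 * 1024;   // assumption: largest body we are willing to decode

// Declaring the charset keeps the browser and htmlspecialchars() in agreement.
header('Content-Type: text/html; charset=UTF-8');
// The page has no scripts of its own, so a "no scripts at all" policy costs nothing
// and would neutralise an escaping bug that slipped in later.
header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; form-action 'self'");
header('X-Content-Type-Options: nosniff');

/** Escape a string for placement in HTML text or an attribute/element body. */
function h(string $s): string
{
    // ENT_SUBSTITUTE matters here: base64_decode() can yield bytes that are not
    // valid UTF-8, and without it htmlspecialchars() returns an empty string
    // instead of a replacement character, silently blanking the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Decode user-supplied base64, or return null when it is not well-formed.
 * Strict mode rejects characters outside the base64 alphabet rather than
 * skipping them, so malformed input is reported instead of partially decoded.
 */
function decodeBase64Strict(string $raw): ?string
{
    $clean = preg_replace('/\s+/', '', $raw);          // tolerate line-wrapped paste
    if ($clean === null || $clean === '' || strlen($clean) > MAX_INPUT_BYTES) {
        return null;
    }
    $decoded = base64_decode($clean, true);            // true = strict alphabet check
    return $decoded === false ? null : $decoded;
}

$input   = $_POST['error-text-area'] ?? '';
$input   = is_string($input) ? $input : '';            // $_POST values can be arrays (name[]=...)
$decoded = $input !== '' ? decodeBase64Strict($input) : null;
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Base64 decoder</title>
</head>
<body>
<form name="error-decoder" action="error-decoder.php" method="post">
    <!-- Escaping here prevents the submitted text from closing the textarea early. -->
    <textarea name="error-text-area" style="width: 100%; height: 400px;"><?= h($input) ?></textarea>
    <button type="submit">Decode</button>
</form>

<?php if ($input !== ''): ?>
    <p>Output:</p>
    <hr>
    <?php if ($decoded === null): ?>
        <p>Input is not valid base64 (or exceeds the size limit).</p>
    <?php else: ?>
        <!-- <pre> keeps newlines in the decoded text readable; h() keeps any markup inert. -->
        <pre id="error-output"><?= h($decoded) ?></pre>
    <?php endif; ?>
<?php endif; ?>
</body>
</html>
```

Two design points worth noting. First, the original refilled the textarea with `echo $_POST[...]` unescaped; that echo is as exposed as the decoded output, since anything that closes the textarea element is then rendered as markup, so both echoes go through h(). Second, the decoded bytes are put in a `<pre>` rather than a `<div>`: decoded error dumps usually contain newlines, and a pre-formatted block shows them without needing any raw HTML in the output path.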


