Jump to content

Question

Tom8001

By Tom8001
in PHP Coding Help

 Share
Go to solution Solved by mac_gyver,

Recommended Posts

Tom8001 Member

Tom8001

Posted
Posted

Hello, i am currently working on a project and i have been on google and nothing has helped i am trying to detect characters in the URL so for example XSS if someone typed in the URL:

home.php?=<script>document.cookie();</script>

OR

home.php?=<?php echo file_get_contents("document.txt", "a");

How would i be able to make a kind of firewall to detect this?

 

and if it does then redirect to another page.

 

Thanks.

Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted (edited)

im not clear on what youre asking. 

 

there are all sorts of string functions where you can analyze the string, replace parts, etc: http://php.net/manual/en/function.str-replace.php

 

if you find the string youre looking for, you redirect in php with header('Location: newPage.php');

Basically i want to target the URL and if someone tries to use XSS or SQL Injection and enters a keyword like 

union, <, >, (, ), alert

To then redirect them

Edited by Tom8001
Link to comment
Share on other sites
  • Solution
mac_gyver Prolific Member

mac_gyver

Posted
  • Solution
Posted

rather than to try and detect every 'bad' thing, current and future, because you will probably leave something out (hackers have huge libraries of exploits), you should instead validate that data only contains values with the format that you expect for that particular type of data.

 

in those cases where the format of data can contain legitimate characters/keywords that could also allow xss or sql injection, a forum post, usernames, ... as examples, the correct way of handling those are to make those characters/keywords completely inert. to prevent xss, you would output content to the browser by passing it through a function like htmlentities. for sql injection, you would escape string data or use prepared queries when using the values in sql query statements.

  • Like 1
Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

rather than to try and detect every 'bad' thing, current and future, because you will probably leave something out (hackers have huge libraries of exploits), you should instead validate that data only contains values with the format that you expect for that particular type of data.

 

in those cases where the format of data can contain legitimate characters/keywords that could also allow xss or sql injection, a forum post, usernames, ... as examples, the correct way of handling those are to make those characters/keywords completely inert. to prevent xss, you would output content to the browser by passing it through a function like htmlentities. for sql injection, you would escape string data or use prepared queries when using the values in sql query statements.

Thanks this helped a lot :)

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.