Hello Everyone,
I'm facing a website which is quite badly written, with register_globals turned on, and I don't have the time to go through the code and secure the website. Do you think including the following code (that works) above every page in the website will secure the website from cross-site scripting attacks?
It's actually scanning all _GET and _SET variables that PHP has turned into variables:
// For every GET parameter, rewrite the global variable that
// register_globals created under the same name.
foreach(array_keys($_GET) as $kk)
{
    $$kk = htmlspecialchars($$kk);
    $$kk = str_replace("shell_exec", "little_bunny", $$kk);
    $$kk = str_replace("exec", "little_bunny", $$kk);
    $$kk = str_replace("javascript", "evil_bunny", $$kk);
}
// Same treatment for every POST parameter.
foreach(array_keys($_POST) as $kk)
{
    $$kk = htmlspecialchars($$kk);
    $$kk = str_replace("shell_exec", "little_bunny", $$kk);
    $$kk = str_replace("exec", "little_bunny", $$kk);
    $$kk = str_replace("javascript", "evil_bunny", $$kk);
}
Best,
Omid
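
An added example, not part of the original post: it reruns the post's filter on two constructed values and compares it with encoding at the point of output, which is the control that actually depends on the HTML context. The function names (post_filter, html_text, safe_href), the sample inputs and the UTF-8 charset are assumptions made for the illustration.

```php
<?php
// Added example; names and sample inputs are constructed, not from the post.

// The post's filter, applied to a plain string instead of register_globals
// variables. ENT_COMPAT was htmlspecialchars()'s default before PHP 8.1 and
// leaves single quotes untouched.
function post_filter(string $v): string
{
    $v = htmlspecialchars($v, ENT_COMPAT, 'UTF-8');
    $v = str_replace('shell_exec', 'little_bunny', $v);
    $v = str_replace('exec', 'little_bunny', $v);
    return str_replace('javascript', 'evil_bunny', $v); // case-sensitive match
}

// Encode when the value is written into HTML text or a quoted attribute.
function html_text(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For href/src values, allowlist the scheme first, then attribute-encode.
// Relative URLs are rejected here to keep the rule strict and short.
function safe_href(string $v): string
{
    $v = trim($v);
    $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return html_text($v);
}

// Constructed test inputs: one for a single-quoted attribute, one for a link.
$samples = [
    'attr' => "x' data-probe='1",
    'link' => 'JaVaScRiPt:void(0)',
];

foreach ($samples as $name => $raw) {
    printf("%-5s after post filter : %s\n", $name, post_filter($raw));
}
printf("%-5s output-encoded    : %s\n", 'attr', html_text($samples['attr']));
printf("%-5s scheme allowlisted: %s\n", 'link', safe_href($samples['link']));
```

Both values pass through the post's filter unchanged, because the quote is not encoded and the keyword match is case-sensitive. The loops in the post also skip cookie values, which register_globals imports as variables in the same way.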