cs.punk, posted July 8, 2009 (https://forums.phpfreaks.com/topic/165172-xss-attacks-am-i-still-vunreble-if/)

Am I still vulnerable if I only allow numbers in the GET parameters? I made it so that if it's not a number, it redirects the person to the index page...
Philip, posted July 8, 2009

You're fine as long as you double-check to make sure it is just a number, and nothing more.
ignace, posted July 8, 2009

> I made it so that if it's not a number, it redirects the person to the index page...

I don't think you are fully aware of what XSS is (http://en.wikipedia.org/wiki/Cross-site_scripting). Plus, there are many more vulnerabilities against which you have to protect not only your scripts but even your server(s).
cs.punk (author), posted July 8, 2009

OMG! I am so rude! I asked the question like a moron! I was busy and typing it on my phone... So sorry...

To be more specific, what I have is this:

filterget.php

```php
<?php
include "mysqlcon.php";

$con = mysqli_connect("$dbhost", "$dbuser", "$dbpass")
    or die("Could not connect to database");

if (isset($_GET)) {
    foreach ($_GET as $var => $value) {
        // Note: this overwrites the parameter name in $var with the cleaned value.
        $var = mysqli_real_escape_string($con, strip_tags(trim($value)));
        // Why I do the 'mysqli_real_escape_string' is really stupid and useless
        // But I feel it makes the code 'more secure' although it does not... though maybe.
        if (is_numeric($var)) {
        } else {
            header("Location: /index.php");
            exit; // stop executing after the redirect
        }
    }
} else {
    header("Location: /index.php");
    exit; // stop executing after the redirect
}
?>
```

I include this page wherever I need to receive $_GET variables....

> I don't think you are fully aware of what XSS is (http://en.wikipedia.org/wiki/Cross-site_scripting). Plus, there are many more vulnerabilities against which you have to protect not only your scripts but even your server(s).

Uhm, I am aware that it takes a 'script' from another domain/source... And uhm, I have strip_tags() on all input I receive, mysqli_real_escape as well on all input I receive, and I only allow .jpegs to be uploaded... Uhm, how much more secure can you be?
ignace, posted July 9, 2009

> Uhm, I am aware that it takes a 'script' from another domain/source...

That is correct, and this is submitted to your website through a form, passed through POST, stored in the database and viewed by unknown users (if these users are authenticated then it is possible to steal their session to impersonate them, even administrators). Of course, if you don't have any form on your website (which is unlikely) you should be safe. So cleaning GET only won't suffice.

> or die ("Could not connect to database");

You don't want visitors to know this. Use a combination of set_error_handler() and trigger_error() or error_log(). These are influenced by the display_errors directive; die() is not.

Performing strip_tags() on globals will completely disallow submitting HTML; however, it is still possible (I think) if using encoding.

This is an example of no proper programming:

```php
if (is_numeric($var)) {
} else {
    header("Location: /index.php");
}
```

For readability, modify your code to:

```php
if (!isset($_GET)) {
    header("Location: /index.php");
}
// no else! continue execution
foreach ($_GET ..
```
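An added example, not code from this thread, to make ignace's point concrete: strip_tags() on input only removes `<...>` sequences, so a value that is later echoed into an HTML attribute can still inject a new attribute with nothing but a double quote. Escaping at the point of output, for the context the value lands in, is what actually prevents this. The function names, the `/profile?name=` link and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the thread). The same untrusted value is
// rendered two ways: the thread's approach (strip_tags() on input, echoed raw
// at output) and escaping at output time for the context the value lands in.

// Rendering a user-supplied display name the way the thread does it.
function render_with_strip_tags(string $name): string
{
    $cleaned = strip_tags($name);           // removes <...> sequences only
    return '<a href="/profile?name=' . $cleaned . '" title="' . $cleaned . '">'
         . $cleaned . '</a>';
}

// Rendering the same name with context-appropriate output escaping.
function render_escaped(string $name): string
{
    // HTML text and attribute context: escape <, >, &, " and '.
    $html = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // URL query context: percent-encode first, then HTML-escape the attribute.
    $href = '/profile?name=' . rawurlencode($name);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '" title="' . $html . '">' . $html . '</a>';
}

// Constructed inputs. The third contains no tag at all, so strip_tags()
// returns it unchanged and the double quote closes the title attribute.
$samples = [
    'alice',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $name) {
    echo "input:      $name\n";
    echo "strip_tags: " . render_with_strip_tags($name) . "\n";
    echo "escaped:    " . render_escaped($name) . "\n\n";
}
```

Run it with `php example.php`. For the third input, render_with_strip_tags() emits `title="" onmouseover="alert(1)"`, an event handler the attacker now controls, while render_escaped() turns the quote into `&quot;` and the attribute stays intact. The same value stored via a POSTed form and shown to another user is the stored XSS case ignace describes, and filtering on the way in would not have helped there either.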
cs.punk (author), posted July 11, 2009

> Performing strip_tags() on globals will completely disallow submitting HTML; however, it is still possible (I think) if using encoding.

Why would I want HTML in my $_GETs?... example.com/posts/post=<h1>This is stupid</h1>

> This is an example of no proper programming:
>
> if (is_numeric($var)) { } else { header("Location: /index.php"); }

No proper programming? The only thing I see fit for passing through GET is IDs of some sort. So the following code, included in a page, will check the value of the GET; if it is something funny like www.badsite.com/xssattack.php, it will reject it.
ignace, posted July 11, 2009

> if (is_numeric($var)) { } else { header("Location: /index.php"); }

Yes, this is anything but proper programming, as this can be better written as:

```php
if (!is_numeric($var)) {
    header('Location: /index.php');
}
```
thebadbad, posted July 11, 2009

On a side note, you should use ctype_digit() instead of is_numeric() when checking for numbers only (digits). is_numeric() also allows values like +0123.45e6 and hexadecimal notation.
cunoodle2, posted July 11, 2009

I would use intval() on all values, because even if they enter a string of some sort the intval of that is 1. Be careful though, because the intval of NULL is in fact zero.
ignace, posted July 11, 2009

> I would use intval() on all values, because even if they enter a string of some sort the intval of that is 1. Be careful though, because the intval of NULL is in fact zero.

That is because NULL points to the memory address 0x00000000, which if translated from hex to integer is 0 and for boolean is false... Or at least something like that, I can't remember the lessons that well.
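An added example, not from the thread, that puts the checks discussed by thebadbad and cunoodle2 side by side on constructed inputs: is_numeric(), ctype_digit(), intval(), and filter_var() with FILTER_VALIDATE_INT, which is the one that both rejects the odd notations and hands back a real integer. It ends with a small helper that returns a validated positive ID or null, so a page can decide what to do with a bad parameter instead of relying on a redirect inside an include. The helper name, the parameter names and the sample values are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the thread). Compares the numeric checks
// discussed above on constructed inputs, then wraps the strict one in a
// helper that returns a validated ID or null.

// Apply the four checks to one value and return the results as an array.
function compare_checks(string $value): array
{
    return [
        'input'        => $value,
        'is_numeric'   => is_numeric($value),
        'ctype_digit'  => ctype_digit($value),     // digits 0-9 only, no sign, no dot
        'intval'       => intval($value),          // never fails, just coerces
        'validate_int' => filter_var($value, FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 1]]),
    ];
}

// Return a positive integer ID from $params[$key], or null if anything is off.
// $params stands in for $_GET so the function can be exercised on constructed data.
function get_id(array $params, string $key): ?int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return null;            // missing, or an array from ?id[]=1
    }
    $id = filter_var($params[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs, each chosen to separate the checks from one another.
$samples = [
    '42',
    '+0123.45e6',            // is_numeric() accepts this
    '0x1A',                  // is_numeric() accepted hex strings on PHP 5
    '007',                   // ctype_digit() accepts; FILTER_VALIDATE_INT rejects leading zeros
    '1abc',                  // intval() silently coerces to 1
    'abc',                   // intval() coerces to 0
    '99999999999999999999',  // ctype_digit() true, but larger than PHP_INT_MAX
    '-5',                    // numeric, but not a usable row ID
];

foreach ($samples as $value) {
    var_export(compare_checks($value));
    echo "\n";
}

// The helper on a constructed query string: a good ID, a coerced value,
// an array parameter and a missing parameter.
$query = ['id' => '42', 'bad' => '1abc', 'arr' => ['1']];
var_dump(get_id($query, 'id'), get_id($query, 'bad'), get_id($query, 'arr'), get_id($query, 'none'));
```

Run it with `php example.php` and read the table row by row: is_numeric() says yes to the exponent form, ctype_digit() says yes to '007' and to the twenty-digit string, intval() never says no at all, and only FILTER_VALIDATE_INT with min_range returns either a usable integer or false. Returning null from get_id() rather than redirecting lets the calling page choose a 404, an error message or a redirect as appropriate.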