Securing an old website coded with register_globals turned on!

[omidbrb]

Hello Everyone,

 

I'm facing a website which is quite badly written, with register_globals turned on and I don't have the time to go through the code and secure the website. Do you think including the following code (that works) above every page in the website will secure the website from cross-site scripting attacks?

 

It's actually scanning all _GET and _SET variables that PHP has turned into variables:

 

foreach(array_keys($_GET) as $kk)
{
    $$kk = htmlspecialchars($$kk);
    $$kk = str_replace("shell_exec", "little_bunny", $$kk);
    $$kk = str_replace("exec", "little_bunny", $$kk);
    $$kk = str_replace("javascript", "evil_bunny", $$kk);
}

foreach(array_keys($_POST) as $kk)
{
    $$kk = htmlspecialchars($$kk);
    $$kk = str_replace("shell_exec", "little_bunny", $$kk);
    $$kk = str_replace("exec", "little_bunny", $$kk);
    $$kk = str_replace("javascript", "evil_bunny", $$kk);
}

 

Best,

Omid

[conker87]

I don't see why not?

[omidbrb]

Thanks. Just wanted to make sure I've patched all the doors!

[xcoderx]

Only that bit of code can secure a site? Is that code full?

[omidbrb]

That's exactly what I'm asking. I wrote this piece of code from what I learned about XSS attacks. I don't know what I'm missing.

[xcoderx]

Pmpl ok but i doubt that bit of code can stop xss

[jazz]

It is useless. Completely useless.

[omidbrb]

Definitely. That's why PHP-IDS exists.