<script> parameter

[raine]

I just started learning about regular expresions and was testing what I wrote to see if it was checking my parameters properly and ran into this problem. When I enter <script> as the parameter to pass, the server sends me a 406, saying that the data is not acceptible. I was wondering if this is by design, or if there is a fix for it.

Thanks

[corbin]

Wait... youre using a script tag for php?
just use

<?php
php code here
?>

[raine]

Oh, no no. My code is all in the <? php ?> tag.
What I meant was I was basically tampering with my own parameters in the URL.

For example, I typed http://<hostname>/page.php?param=<script> and the server gave me a 406. Actually, the string '<script' is already enough to cause the 406. I can't see how my code is giving me a 406 so I thought it might be the server's problem. Just wanted to see what others think and to see if there is a solution.

[wildteen88]

Are you put html/javascript in the url? Why are you tryiung to put html/javascript in the url!

[corbin]

Yeah, that uhhh makes no sense...

[raine]

<script> tags and other URL encoded variants of it are often injected into URL POST/GET parameters to perform XSS attacks on a website.
So I'm trying to come up with some counter measures.

[Chevy]

You could use regex and strip_tags in your varibles of $_GET if they enter it in the URL

[code]
$varible = strip_tags($_GET['url']);
if (!preg_match('/^\w+$/', $varible)) {
echo "Only user letters, numbers and underscores!"; //Thats for what it says haha
}
[/code]

Unless I read your last post wrong and this means nothing to you lol