<script> parameter


6 replies to this topic

#1 raine

Posted 11 August 2006 - 08:24 AM

I just started learning about regular expressions and was testing what I wrote to see if it was checking my parameters properly and ran into this problem. When I enter <script> as the parameter to pass, the server sends me a 406, saying that the data is not acceptable. I was wondering if this is by design, or if there is a fix for it.

Thanks

#2 corbin

Posted 11 August 2006 - 08:31 AM

Wait... you're using a script tag for php?
just use

<?php
php code here
?>
Why doesn't anyone ever say hi, hey, or whad up world?

#3 raine

Posted 11 August 2006 - 04:59 PM

Oh, no no. My code is all in the <? php ?> tag.
What I meant was I was basically tampering with my own parameters in the URL.

For example, I typed http://<hostname>/page.php?param=<script> and the server gave me a 406. Actually, the string '<script' is already enough to cause the 406. I can't see how my code is giving me a 406 so I thought it might be the server's problem. Just wanted to see what others think and to see if there is a solution.


#4 wildteen88

Posted 11 August 2006 - 05:28 PM

Are you putting html/javascript in the url? Why are you trying to put html/javascript in the url!

#5 corbin

Posted 11 August 2006 - 05:30 PM

Yeah, that uhhh makes no sense...
Why doesn't anyone ever say hi, hey, or whad up world?

#6 raine

Posted 11 August 2006 - 10:55 PM

<script> tags and other URL-encoded variants of them are often injected into URL POST/GET parameters to perform XSS attacks on a website.
So I'm trying to come up with some countermeasures.

#7 Chevy

Posted 11 August 2006 - 11:08 PM

You could use regex and strip_tags on your variables from $_GET if they enter it in the URL

$variable = strip_tags($_GET['url']);
if (!preg_match('/^\w+$/', $variable)) {
    echo "Only use letters, numbers and underscores!"; // That's for what it says haha
}

Unless I read your last post wrong and this means nothing to you lol
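
Added example, not part of the original thread: it compares the strip_tags-then-regex check from the post above with an allow-list check on the raw value, and encodes the value at output time. The function names, the 64-character limit and the sample inputs are constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical, sample inputs are constructed.

// Allow-list check on the raw value. \A and \z anchor to the real start and
// end of the string; with '$', PCRE also accepts a value ending in "\n".
// is_string() rejects array parameters such as ?url[]=x.
function valid_param($raw)
{
    return is_string($raw) && preg_match('/\A\w{1,64}\z/', $raw) === 1;
}

// The approach from the thread: strip_tags() first, then /^\w+$/.
// Markup is removed before the check, so a request that carried tags
// can still pass instead of being rejected.
function valid_after_strip($raw)
{
    return is_string($raw) && preg_match('/^\w+$/', strip_tags($raw)) === 1;
}

// Encode when writing into HTML, whatever validation happened earlier.
function html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$samples = array(
    'page_1',          // plain identifier: both checks accept
    '<script>',        // nothing left after strip_tags: both reject
    '<b>page_1</b>',   // strip-then-check accepts, raw check rejects
    "page_1\n",        // trailing newline: only '$' accepts it
    'a b',             // space is not in \w: both reject
);

foreach ($samples as $s) {
    printf(
        "%-20s raw-check=%-5s strip-then-check=%-5s html=%s\n",
        json_encode($s),
        var_export(valid_param($s), true),
        var_export(valid_after_strip($s), true),
        json_encode(html($s))
    );
}
```

Run it with the PHP command-line interpreter; the third and fourth rows are the cases where the two checks disagree.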



