roldahayes Posted May 19, 2010 Share Posted May 19, 2010 Hi, Im trying to sort out a problem with Cross Site Scripting on a basket page we use. We have been told by our security PCI sanning company that the data that needs to be "sanatized" is: // assign variables //echo "ref1:" . $HTTP_REFERER . "<br>"; //$temp = (string)$HTTP_REFERER; //$urlref2 = substr($temp,0,6); //echo "ref:" . $urlref; $urlref = $HTTP_REFERER; $prodID = $_GET['productID']; $delete = $_GET ['delete']; $quantity = $_GET['quantity']; $updateQuantity = $_GET['updateQuantity']; $update = $_GET ['update']; $currency = "£"; // maximum querys per user basket $MAXBASKETQUERY = 25; // start the html table Can anyone suggest the best way to do this please? Quote Link to comment Share on other sites More sharing options...
scampbell Posted May 19, 2010 Share Posted May 19, 2010 mysql_real_escape _string will sanitize data going into MySQL. htmlentities will sanitize any data being displayed on screen. Of course any data being submitted to your site should be validated server side too, before ever being displayed or added to your database. Quote Link to comment Share on other sites More sharing options...
roldahayes Posted May 19, 2010 Author Share Posted May 19, 2010 Thanks, I think the problem is that our basket page displays as: www.domainname.co.uk/basket.php?src=%2Fproduct_page.php&productID=1126538 And this is deemed to be the security risk... is there a way to get it to not display the %2f ?? Quote Link to comment Share on other sites More sharing options...
roldahayes Posted May 19, 2010 Author Share Posted May 19, 2010 Can anyone give an example of how mysql_real_escape _string is applied to the code I posted? Quote Link to comment Share on other sites More sharing options...
scampbell Posted May 19, 2010 Share Posted May 19, 2010 Yeah the manual http://php.net/manual/en/function.mysql-real-escape-string.php $prodID = mysql_real_escape_string($_GET['productID']); assuming it was alphanumberic. If it was only numeric you could just as easily use $prodID = intval($_GET['productID']); edit: %2F is a / character. Just remove that from /product_page.php somewhere in the code. Quote Link to comment Share on other sites More sharing options...
ignace Posted May 19, 2010 Share Posted May 19, 2010 basename Quote Link to comment Share on other sites More sharing options...
roldahayes Posted May 19, 2010 Author Share Posted May 19, 2010 @scampbell, Thanks, Ive removed the part that was creating the %2f Now the URL reads: www.domainname.co.uk/basket.php?src=product_page.php&productID=1126538 Should this now be more secure against XXS injection? Quote Link to comment Share on other sites More sharing options...
scampbell Posted May 19, 2010 Share Posted May 19, 2010 Im no expert on XSS but I believe sanitizing data users have submitted to the site when displaying it in the browser is a good start. Such as using htmlentities($data) when outputting data from the database to the browser. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.