roldahayes Posted May 19, 2010

Hi, I'm trying to sort out a problem with Cross Site Scripting on a basket page we use. We have been told by our PCI security scanning company that the data that needs to be "sanitized" is:

```php
// assign variables
//echo "ref1:" . $HTTP_REFERER . "<br>";
//$temp = (string)$HTTP_REFERER;
//$urlref2 = substr($temp,0,6);
//echo "ref:" . $urlref;
$urlref = $_SERVER['HTTP_REFERER'] ?? '';   // the old $HTTP_REFERER global relies on register_globals
$prodID = $_GET['productID'] ?? null;
$delete = $_GET['delete'] ?? null;
$quantity = $_GET['quantity'] ?? null;
$updateQuantity = $_GET['updateQuantity'] ?? null;
$update = $_GET['update'] ?? null;
$currency = "£";

// maximum queries per user basket
$MAXBASKETQUERY = 25;

// start the html table
```

Can anyone suggest the best way to do this please?

Link to comment https://forums.phpfreaks.com/topic/202235-need-help-to-sanatize-a-url/
scampbell Posted May 19, 2010

mysql_real_escape_string will sanitize data going into MySQL. htmlentities will sanitize any data being displayed on screen. Of course, any data being submitted to your site should be validated server side too, before ever being displayed or added to your database.
roldahayes (Author) Posted May 19, 2010

Thanks. I think the problem is that our basket page displays as:

www.domainname.co.uk/basket.php?src=%2Fproduct_page.php&productID=1126538

And this is deemed to be the security risk... is there a way to get it to not display the %2f??
roldahayes (Author) Posted May 19, 2010

Can anyone give an example of how mysql_real_escape_string is applied to the code I posted?
scampbell Posted May 19, 2010

Yeah, the manual: http://php.net/manual/en/function.mysql-real-escape-string.php

```php
$prodID = mysql_real_escape_string($_GET['productID']);
```

assuming it was alphanumeric. If it was only numeric you could just as easily use

```php
$prodID = intval($_GET['productID']);
```

edit: %2F is a / character. Just remove that from /product_page.php somewhere in the code.
ignace Posted May 19, 2010

basename
roldahayes (Author) Posted May 19, 2010

@scampbell, Thanks, I've removed the part that was creating the %2f. Now the URL reads:

www.domainname.co.uk/basket.php?src=product_page.php&productID=1126538

Should this now be more secure against XSS injection?
scampbell Posted May 19, 2010

I'm no expert on XSS, but I believe sanitizing data users have submitted to the site when displaying it in the browser is a good start, such as using htmlentities($data) when outputting data from the database to the browser.
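Pulling the thread's advice together (integer validation of productID, basename() on src, escaping at output, and a parameterised query in place of mysql_real_escape_string), here is an added example that is not from any poster in the thread. The parameter names basket.php, productID and src come from the thread; the allow-list of page names and the products table are assumptions.

```php
<?php
// Added example (not from the thread): hardened handling of the basket
// query parameters from the original post. basket.php, productID and src
// come from the thread; the allow-list of page names is an assumption.

// Treat the product ID as an integer, as scampbell suggested with intval().
// filter_var() additionally rejects input like "1126538abc" instead of
// silently truncating it, and enforces a minimum of 1.
function readProductId(array $get): ?int {
    if (!isset($get['productID'])) {
        return null;
    }
    $id = filter_var($get['productID'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "src" names the page to return to. basename() (ignace's hint) strips any
// directory part, and an allow-list means only pages that exist on this
// site can be used as a return target.
function readReturnPage(array $get): string {
    $allowed = ['product_page.php', 'index.php'];  // assumed page names
    $src = basename((string)($get['src'] ?? ''));
    return in_array($src, $allowed, true) ? $src : 'index.php';
}

// Escape every value at the point it is echoed into HTML, so a crafted
// productID or src cannot break out of the attribute or text node.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For the database, bind the ID as a parameter instead of escaping it into
// the SQL string; this replaces mysql_real_escape_string(). Table assumed.
function loadProduct(PDO $pdo, int $productId): ?array {
    $stmt = $pdo->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in basket.php:
$productId = readProductId($_GET);
if ($productId === null) {
    http_response_code(400);
    exit('Invalid product');
}
$returnPage = readReturnPage($_GET);
echo '<a href="' . e($returnPage) . '?productID=' . e((string)$productId) . '">';
echo 'Continue shopping</a>';
```

With this in place the %2F question becomes moot: src is reduced to a bare file name and checked against the allow-list, and whatever is echoed is escaped regardless of what the scanner sends.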