rfresh Posted April 9, 2011
My website failed a PCI scan because of cross-site scripting. The report gave an example of the code: http://www.mywebsite.com:80/?<SCRIPT>foo</SCRIPT>
I don't understand how to code against this security failure. My site has an index.php file, so I'm assuming I have to add some code in that file since the domain URL defaults to using that file. I have a sanitize function being used on all the fields coming from the index.php file already. But I guess I'm still missing something. Thanks for any help...
raindropz12 Posted April 9, 2011
Can you post your code? I think you missed htmlentities().
cssfreakie Posted April 9, 2011
This is a PHP question as far as I can tell. May I assume you used $_SERVER['PHP_SELF'] somewhere? If so, have a look here: http://www.phpro.org/tutorials/PHP-Security.html
Let us know if that was what you were looking for.
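An added example, written for this thread rather than posted by anyone in it, that shows the two things raindropz12 and cssfreakie point at: where index.php can reflect the request even though it reads no parameters (PHP_SELF picks up extra path segments after the script name, while REQUEST_URI and QUERY_STRING carry the query string a scanner sends), and the htmlspecialchars()/htmlentities() escaping on output that stops the reflection. The function names, the form markup and the CLI self-check are my own constructions; the sample URI is the one quoted in the scan report above. It assumes plain PHP 5.4 or later with no framework.

```php
<?php
// Added example for this thread; not code posted by rfresh or the other replies.
// Demonstrates reflected XSS through the request line and the output-escaping fix.
// Assumes PHP 5.4+ (ENT_HTML5) and no framework.

// Escape a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both quote styles, so the result is safe inside attributes too.
// htmlentities() with the same flags would also do; htmlspecialchars() is enough here.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: the pattern a PCI scanner trips on. The value comes straight from
// the request line ($_SERVER['REQUEST_URI'], QUERY_STRING, or PHP_SELF with extra
// path segments), so a request for /?<SCRIPT>foo</SCRIPT> is echoed back verbatim
// even though index.php never reads $_GET or $_POST.
function nav_vulnerable($requestUri)
{
    return '<form action="' . $requestUri . '"> ... </form>'
         . '<p>You are at ' . $requestUri . '</p>';
}

// FIXED: escape at the point of output. The same request now renders the
// tag as literal text instead of markup.
function nav_fixed($requestUri)
{
    return '<form action="' . h($requestUri) . '"> ... </form>'
         . '<p>You are at ' . h($requestUri) . '</p>';
}

// Better still for a home page that takes no input: do not echo the request
// at all. A fixed action target has nothing to reflect.
function nav_static()
{
    return '<form action="index.php"> ... </form>';
}

// Cheap self-check: does a raw <script tag survive into the output?
// Run this from the CLI before re-requesting the PCI scan.
function reflects_tag($html)
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: what the scanner put on the request line.
    $sample = '/?<SCRIPT>foo</SCRIPT>';
    printf("vulnerable reflects tag: %s\n", reflects_tag(nav_vulnerable($sample)) ? 'yes' : 'no');
    printf("fixed reflects tag:      %s\n", reflects_tag(nav_fixed($sample)) ? 'yes' : 'no');
    echo nav_fixed($sample), "\n";
} else {
    // In a real page prefer nav_static(); if you must echo the URI, use nav_fixed().
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    echo nav_fixed($uri);
}
```

Run it with `php index-example.php` from a shell: the vulnerable version reports "yes", the fixed version "no", and the escaped markup printed last shows the tag turned into `&lt;SCRIPT&gt;foo&lt;/SCRIPT&gt;`. The "sanitize" step on $_POST fields that rfresh mentions does not help here because the reflected value never passes through $_POST or $_GET; the defence is escaping every server-supplied or user-supplied value at the point where it is written into HTML.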
rfresh (Author) Posted April 9, 2011
> May I assume you used $_SERVER['PHP_SELF'] somewhere?
No, I'm not using this. My index.php file doesn't take any arguments. As the home page file, it just contains links to get to the other PHP pages on my site. I think that's what is confusing me here. mywebsite.com?.script.foo.endscript shows up where? Should I just null any $_POST parameters that come from my index.php file? If so, how would I do that? I'm having a hard time understanding what is happening here.