teshiburu Posted February 11, 2013

Morning all, I am quite a novice when it comes to PHP, having only been coding for about 2-3 months, and I really haven't encountered any issues. The site I'm working on uses parameters in URLs (e.g. test.php?s=222200ssskkk). However, when I run my site through Acunetix I get XSS and HPP issues. I have tried applying some PHP code to prevent this at the $_GET point on the pages that use the params; this is my code:

$s = ereg_replace('#\W#', "", htmlentities(substr(strip_tags($_GET['s']), 0, 50), ENT_QUOTES));

However, it would appear that Acunetix is changing the value of $_GET['s'] before it hits these, so the XSS and HPP issues still arise? Can anyone advise how I should sanitize this first? Also, on a similar issue, I use the string above to sanitize before saving to a MySQL database, yet I still see characters like () :// and such. What have I missed here?

Steve x
kicken Posted February 11, 2013

A couple of things:

1) ereg_* functions are deprecated; don't use them. Use preg_* instead.

2) htmlentities() is generally all you really need to prevent XSS. XSS occurs when you echo back user-defined data and doing so allows them to modify the HTML code, such as by injecting a script tag. htmlentities() will take care of that by converting special HTML characters to their entity values so they don't cause problems. So, for example, whenever you want to echo out $_GET['s'] on your page, instead you would do echo htmlentities($_GET['s']);.

Lastly, you shouldn't apply htmlentities prior to storing the data in your database. Instead, store the data as-is, then apply htmlentities when you output it to your page.
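The store-raw, escape-on-output approach described in the answer above, written out as an added example; this is not code from the thread or from either poster. It assumes PHP 5.4 or later with PDO and the SQLite driver (SQLite is used only so the script runs offline; the same prepared-statement code works against MySQL with a different DSN). The helper names e() and clean_token() and the sample inputs are my own, and the two-step split (validate the parameter where the page needs a plain token, escape at the point of output) is the answer's advice made concrete with preg_replace() in place of the deprecated ereg_replace().

```php
<?php
// Added example, not from the original thread: validate input where the
// page needs a bare token, keep the stored value raw, escape on output.
declare(strict_types=1);

/**
 * Escape a string for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES encodes both quote characters, so the value cannot break out of
 * an attribute; the charset is stated explicitly so the build default does
 * not matter. This is the only XSS control the page needs on output.
 */
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Optional input validation for a parameter that is supposed to be an
 * identifier such as "222200ssskkk": keep only [A-Za-z0-9_], at most 50
 * characters. preg_* uses the "/.../" delimiters the poster wrote for ereg_*,
 * which takes no delimiters at all. This does not replace e() on output.
 */
function clean_token(string $raw): string
{
    return (string) preg_replace('/\W+/', '', substr($raw, 0, 50));
}

// Constructed inputs standing in for what a scanner sends in ?s=...
// (assumed, not captured from Acunetix).
$samples = [
    'normal'        => '222200ssskkk',
    'script_tag'    => '<script>alert(1)</script>',
    'attr_breakout' => '" onmouseover="alert(1)',
    'url_in_text'   => 'http://example.com/?a=1&b=2',
];

// 1) Persist the raw value with a prepared statement. No strip_tags(),
//    no htmlentities() here: the database is not an HTML context.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE searches (id INTEGER PRIMARY KEY, term TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO searches (term) VALUES (:term)');
foreach ($samples as $term) {
    $insert->execute([':term' => $term]);
}

// 2) Escape only at the moment the value is written into HTML. Both the
//    text-node and the attribute position go through e().
foreach ($pdo->query('SELECT term FROM searches') as $row) {
    echo '<p>You searched for: ', e($row['term']), "</p>\n";
    echo '<input type="text" name="s" value="', e($row['term']), "\">\n";
}

// 3) Where the page only ever wants a bare token (e.g. a lookup key), validate
//    once at the $_GET point and still escape when echoing the result.
$s = clean_token($_GET['s'] ?? '');
echo '<p>Token: ', e($s), "</p>\n";
```

Run it from the command line with php and inspect the output: the script_tag sample comes back with `<` and `>` encoded, so the browser renders it as text rather than executing it, and the attr_breakout sample cannot close the value="..." attribute because its double quote is encoded. The url_in_text sample keeps its parentheses, colon and slashes in the database and in the rendered page; those characters are harmless once the output is escaped, which is why the answer recommends not stripping them before storage.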