

XSS and HTTP Pollution issue.

1 reply to this topic

#1 teshiburu

  • New Members
  • Pip
  • Newbie
  • 1 posts

Posted 11 February 2013 - 11:53 AM

Morning all,

I am quite a novice when it comes to PHP, only been coding for about 2-3 months, and I really haven't encountered any issues; the site I'm working on uses parameters in URLs (e.g. test.php?s=222200ssskkk).

However, when I run my site through Acunetix I get XSS and HPP issues. I have tried applying some PHP code to prevent this at the $_GET point on the pages that use the params.

This is my code:

$s = ereg_replace('#\W#', "",htmlentities(substr(strip_tags($_GET['s']),0,50),ENT_QUOTES));

However, it would appear that Acunetix is changing the value of $_GET['s'] before it hits these, so the XSS and HPP issues still arise?

Can anyone advise how I should sanitize this first?

Also, on a similar issue, I use the string above to sanitize before saving to a MySQL database, yet I still see characters like () :// and such. What have I missed here?


#2 kicken

  • Gurus
  • Wiser? Not exactly.
  • 3,317 posts
  • Location: Bonita, FL

Posted 11 February 2013 - 04:36 PM

A couple of things:

1) ereg_* functions are deprecated, don't use them. Use preg_* instead.
2) htmlentities() is generally all you really need to prevent XSS.

XSS comes from echoing back user-defined data in a way that allows them to modify the HTML code, such as injecting a script tag. htmlentities() will take care of that by converting special HTML characters to their entity values so they don't cause problems.

So for example whenever you wanted to echo out $_GET['s'] on your page, instead you would do echo htmlentities($_GET['s']);

Lastly you shouldn't apply htmlentities prior to storing the data into your database.  Instead store the data as-is then apply htmlentities when you output it to your page.

Did I help you out? Feeling generous? I accept tips via Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
Kicken's World | Recycle old CD's
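One way to put the advice above into practice, as an added example rather than code from the thread (the `lookups` table and the expected token format for `s` are assumptions):

```php
<?php
// Added example, not the original poster's code: validate the "s" parameter on
// the way in, store it unchanged, and escape it with htmlentities() only when
// it is echoed back into the page.

// 1) Input: validate against an allow-list with preg_* (ereg_* is deprecated,
//    and the '#...#' delimiters in the original ereg_replace() call are a
//    preg_* convention that ereg never understood).
function read_s_param(array $get): ?string
{
    // An array value (?s[]=a&s[]=b, the parameter-pollution case) is rejected
    // instead of being silently coerced to a string.
    if (!isset($get['s']) || !is_string($get['s'])) {
        return null;
    }
    // Assumption: "s" is an alphanumeric token such as 222200ssskkk, at most 50 chars.
    return preg_match('/\A[A-Za-z0-9_]{1,50}\z/', $get['s']) ? $get['s'] : null;
}

// 2) Output: a single helper used for every echo of user-controlled data.
//    ENT_QUOTES covers attribute contexts; the charset must match the page's.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3) Storage: save the raw value through a prepared statement. No htmlentities()
//    here, otherwise the database holds &amp; and friends instead of the data.
function save_s(PDO $db, string $s): void
{
    $stmt = $db->prepare('INSERT INTO lookups (s) VALUES (:s)'); // table is hypothetical
    $stmt->execute([':s' => $s]);
}

$s = read_s_param($_GET);
if ($s === null) {
    http_response_code(400);
    exit('Bad request');
}
// save_s($db, $s); once a PDO connection ($db) has been opened
echo '<p>You searched for ' . h($s) . '</p>'; // escape on output even after validation
```

Validation limits what reaches the database; escaping at output is what actually stops the value from becoming markup, so both steps stay even when the input rule is loosened later.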
