
Morning all,

I am quite a novice when it comes to PHP, having only been coding for about 2-3 months, and I really haven't encountered any issues. The site I'm working on uses parameters in URLs (e.g. test.php?s=222200ssskkk).

However, when I run my site through Acunetix I get XSS and HPP issues. I have tried applying some PHP code to prevent this at the $_GET point on the pages that use the params.

This is my code:

$s = ereg_replace('#\W#', "",htmlentities(substr(strip_tags($_GET['s']),0,50),ENT_QUOTES));

However, it would appear that Acunetix is changing the value of $_GET['s'] before it hits this, so the XSS and HPP issues still arise?

Can anyone advise how I should sanitize this first?

Also, on a similar issue, I use the line above to sanitize before saving to the MySQL database, yet I still see characters like () :// and such. What have I missed here?

 

Steve

x

https://forums.phpfreaks.com/topic/274332-xss-and-http-polloution-issue/

A couple of things:

1) ereg_* functions are deprecated, don't use them. Use preg_* instead.

2) htmlentities() is generally all you really need to prevent XSS.

XSS comes from when you echo back user-defined data and doing so allows them to modify the HTML code, such as injecting a script tag. htmlentities() will take care of that by converting special HTML characters to their entity values so they don't cause problems.

So for example, whenever you wanted to echo out $_GET['s'] on your page, instead you would do echo htmlentities($_GET['s']);

Lastly, you shouldn't apply htmlentities prior to storing the data into your database. Instead, store the data as-is, then apply htmlentities when you output it to your page.
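An added example, not code from either post in this thread, showing the reply's advice in PHP: validate ?s= on input with preg_replace() (the question's ereg_replace() line rewritten) and escape with htmlentities() only at output. The function names clean_param and h, and the sample strings, are my own.

```php
<?php
// Added example (not from the original thread): validate the ?s= parameter
// on input and escape on output with htmlentities(), as the reply suggests.
declare(strict_types=1);

// Input validation: keep only [A-Za-z0-9_], at most 50 characters.
// This is the poster's line rewritten with preg_replace(); ereg_replace()
// is deprecated (removed in PHP 7) and does not take pattern delimiters,
// so '#\W#' never matched what the poster intended.
function clean_param(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    return preg_replace('/\W/', '', substr($raw, 0, 50));
}

// Output escaping: convert <, >, &, " and ' to entities so the browser
// renders them as text instead of HTML. Always pass ENT_QUOTES and the charset.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs standing in for what a scanner might send in ?s=
$samples = [
    '222200ssskkk',
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
];

foreach ($samples as $raw) {
    $id = clean_param($raw);          // the value to use for the DB lookup
    echo "raw (escaped for HTML): " . h($raw) . "\n";
    echo "cleaned:                " . h($id) . "\n\n";
}

// Two caveats worth keeping in mind:
// - With ?s=a&s=b (parameter pollution) PHP's $_GET['s'] holds only the last
//   value, "b"; read it once into a variable and use that copy everywhere.
// - If you store $raw as-is (as the reply recommends), pass it to a prepared
//   statement; HTML escaping does nothing for the SQL context.
```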

 
