Tom8001 Posted January 30, 2015 (https://forums.phpfreaks.com/topic/294273-question/)
Hello, I am currently working on a project and I have been on Google and nothing has helped. I am trying to detect characters in the URL, so for example XSS if someone typed in the URL: home.php?=<script>document.cookie();</script> OR home.php?=<?php echo file_get_contents("document.txt", "a"); How would I be able to make a kind of firewall to detect this? And if it does, then redirect to another page. Thanks.
BuildMyWeb Posted January 30, 2015
I'm not clear on what you're asking. There are all sorts of string functions where you can analyze the string, replace parts, etc.: http://php.net/manual/en/function.str-replace.php If you find the string you're looking for, you redirect in PHP with header('Location: newPage.php');
Tom8001 Posted January 30, 2015 (Author)
> I'm not clear on what you're asking. There are all sorts of string functions where you can analyze the string, replace parts, etc.: http://php.net/manual/en/function.str-replace.php If you find the string you're looking for, you redirect in PHP with header('Location: newPage.php');
Basically I want to target the URL, and if someone tries to use XSS or SQL injection and enters a keyword like union, <, >, (, ), alert, to then redirect them.
mac_gyver Posted January 30, 2015
Rather than try to detect every 'bad' thing, current and future, because you will probably leave something out (hackers have huge libraries of exploits), you should instead validate that data only contains values with the format that you expect for that particular type of data. In those cases where the format of data can contain legitimate characters/keywords that could also allow XSS or SQL injection (a forum post, usernames, ... as examples), the correct way of handling those is to make those characters/keywords completely inert. To prevent XSS, you would output content to the browser by passing it through a function like htmlentities. For SQL injection, you would escape string data or use prepared queries when using the values in SQL query statements.
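The approach mac_gyver describes, applied to the original poster's home.php URL, as an added example that is not code from anyone in this thread. It assumes a hypothetical `id` query parameter, a `users` table and an `error.php` redirect target; the in-memory SQLite table is constructed only so the script runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes a hypothetical home.php?id=... page.

// 1. Validate the format. An id is a positive integer and nothing else; "<script>",
//    "1 UNION SELECT 1" or "1)" all simply fail FILTER_VALIDATE_INT, no keyword list needed.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Free-form text (name, bio, forum post) cannot be allow-listed, so it is stored
//    as-is and made inert at the point where it is output to the browser.
function render_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. In SQL the value travels as a bound parameter, never as part of the query text.
function fetch_user(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the HTML to send, or null when the request should be redirected instead.
function handle_request(array $query, PDO $pdo): ?string
{
    $id = validate_id((string) ($query['id'] ?? ''));
    if ($id === null) {
        return null; // caller does header('Location: error.php', true, 303); exit;
    }
    $user = fetch_user($pdo, $id) ?? ['name' => 'unknown', 'bio' => ''];
    return '<h1>' . render_text($user['name']) . '</h1><p>' . render_text($user['bio']) . '</p>';
}

// Constructed in-memory table so the script runs stand-alone (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'Tom', '<b>hi</b> & welcome')");

foreach (['1', '1 UNION SELECT 1', '<script>alert(1)</script>'] as $input) {
    $html = handle_request(['id' => $input], $pdo);
    echo $input, ' => ', $html ?? 'redirect to error.php', PHP_EOL;
}
```

Only the well-formed id reaches the query; the stored bio's `<b>` and `&` come back escaped, so markup in stored data is displayed rather than executed.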
Tom8001 Posted January 30, 2015 (Author)
> Rather than try to detect every 'bad' thing, current and future, because you will probably leave something out (hackers have huge libraries of exploits), you should instead validate that data only contains values with the format that you expect for that particular type of data. In those cases where the format of data can contain legitimate characters/keywords that could also allow XSS or SQL injection (a forum post, usernames, ... as examples), the correct way of handling those is to make those characters/keywords completely inert. To prevent XSS, you would output content to the browser by passing it through a function like htmlentities. For SQL injection, you would escape string data or use prepared queries when using the values in SQL query statements.
Thanks, this helped a lot.