Tom8001 Posted January 30, 2015
Hello, I am currently working on a project and I have been on Google and nothing has helped. I am trying to detect characters in the URL, so for example XSS if someone typed in the URL: home.php?=<script>document.cookie();</script> OR home.php?=<?php echo file_get_contents("document.txt", "a"); How would I be able to make a kind of firewall to detect this, and if it does, then redirect to another page? Thanks.
Link to comment https://forums.phpfreaks.com/topic/294273-question/
BuildMyWeb Posted January 30, 2015
I'm not clear on what you're asking. There are all sorts of string functions where you can analyze the string, replace parts, etc.: http://php.net/manual/en/function.str-replace.php If you find the string you're looking for, you redirect in PHP with header('Location: newPage.php');
Tom8001 Posted January 30, 2015 (Author)
Basically I want to target the URL, and if someone tries to use XSS or SQL injection and enters a keyword like union, <, >, (, ), alert, to then redirect them.
Edited January 30, 2015 by Tom8001
mac_gyver Posted January 30, 2015 (Solution)
Rather than try to detect every 'bad' thing, current and future, because you will probably leave something out (hackers have huge libraries of exploits), you should instead validate that data only contains values with the format that you expect for that particular type of data. In those cases where the format of data can contain legitimate characters/keywords that could also allow XSS or SQL injection (a forum post, usernames, ... as examples), the correct way of handling those is to make those characters/keywords completely inert. To prevent XSS, you would output content to the browser by passing it through a function like htmlentities. For SQL injection, you would escape string data or use prepared queries when using the values in SQL query statements.
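The three points in the answer above (validate the expected format, make free text inert with output encoding, keep data out of the query text with prepared statements), as an added example that is not code from the thread or from any of its posters. It assumes a hypothetical home.php that receives id and user parameters, simulates them with in-memory arrays instead of $_GET, and uses a constructed SQLite table so it runs without a server:

```php
<?php
// Added example (not from the thread): allowlist validation of URL
// parameters, output encoding, and prepared statements, instead of a
// keyword blacklist. The parameter names, table and sample rows are
// assumptions made for this demonstration.

declare(strict_types=1);

// 1. Validate that each parameter has the shape the page expects.
function validateId(?string $raw): ?int
{
    // A numeric id must be a plain positive integer; anything else is rejected.
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function validateUsername(?string $raw): ?string
{
    // Usernames: 3 to 20 characters, letters, digits and underscore only.
    if ($raw === null || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw)) {
        return null;
    }
    return $raw;
}

// 2. Free-form text (a forum post) may legitimately contain < > ( ) or the
//    word "union"; do not reject it, make it inert at the point of output.
function renderText(string $text): string
{
    // Encode for an HTML context so the browser shows the characters
    // literally instead of interpreting them as markup.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Use the value in SQL only through a prepared statement, so the data
//    is bound as a parameter and never parsed as part of the query text.
function findPostsByUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE author = :author');
    $stmt->execute([':author' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demonstration with constructed sample data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
$ins->execute(['tom', 'Use union types (a) and <b>bold</b> text freely.']);

// Constructed query strings standing in for $_GET: one well-formed,
// one whose parameters do not match the expected shapes.
$requests = [
    ['id' => '42',    'user' => 'tom'],
    ['id' => '42abc', 'user' => 'tom<>'],
];

foreach ($requests as $q) {
    $id   = validateId($q['id'] ?? null);
    $user = validateUsername($q['user'] ?? null);

    if ($id === null || $user === null) {
        // Malformed input: a real page would do header('Location: error.php'); exit;
        echo "rejected: parameters do not match the expected format\n";
        continue;
    }

    foreach (findPostsByUser($db, $user) as $row) {
        // Encoding happens once, here, in the HTML context where the text is used.
        echo "<p>post {$row['id']}: " . renderText($row['body']) . "</p>\n";
    }
}
```

The first request passes validation and the stored post, which contains both "union" and angle brackets, is printed with those characters encoded rather than blocked; the second request is rejected purely because its id and user do not have the expected shape, with no list of forbidden keywords involved.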
Tom8001 Posted January 30, 2015 (Author)
Thanks, this helped a lot.