Jump to content

Recommended Posts

Hey!

...

Is there any problem with using ..

$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

I use htmlspecialchars before on all my values already. Think of this as if i missed one.

 

Is it OK?

Link to comment
https://forums.phpfreaks.com/topic/319921-anti-xss/
Share on other sites

1. Never modify $_GET and $_POST.
2. Never sanitize values ahead of time.
3. Always work with pure, unaltered values, and reserve sanitizing values until the very last step according to what you're doing with those values.

So yes, there is a problem with that there. Don't do it. You should only ever be doing two(ish) things: use prepared statements for your SQL, and use htmlspecialchars when outputting an unknown value into HTML. More than that is probably wrong and going to create problems for yourself in the present and/or future.

Link to comment
https://forums.phpfreaks.com/topic/319921-anti-xss/#findComment-1621429
Share on other sites

What "fallback"? It doesn't make sense to have a "fallback". What you're doing is altering the data being passed to your script. You're saying "yes, you did type one thing, but I'm going to change it and pretend you typed something else".

There are two basic parts to things like HTML and SQL and JSON and the like: you have the bits with values that you want to fill in (data), and you have the bits that are not data but fundamentally define how the HTML/SQL/JSON works (structure). Sanitization is about making sure that the data stays "data" and never crosses over into "structure".

Link to comment
https://forums.phpfreaks.com/topic/319921-anti-xss/#findComment-1621440
Share on other sites

Using filter_input_array with FILTER_SANITIZE_FULL_SPECIAL_CHARS for both $_GET and $_POST can provide an additional layer of security by sanitizing input data. However, keep in mind that it may cause unintended behavior if applied indiscriminately to all input. It's generally considered safe, especially when combined with htmlspecialchars, but ensure it doesn't interfere with any specific requirements or data types in your application.

Best Regard

Danish Hafeez | QA Assistant

ICTInnovations

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/319921-anti-xss/#findComment-1621792
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.