oz11 Posted April 16
Hey! ... Is there any problem with using ..
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
I use htmlspecialchars before on all my values already. Think of this as if I missed one. Is it OK?
https://forums.phpfreaks.com/topic/319921-anti-xss/
requinix Posted April 16
1. Never modify $_GET and $_POST.
2. Never sanitize values ahead of time.
3. Always work with pure, unaltered values, and reserve sanitizing values until the very last step according to what you're doing with those values.
So yes, there is a problem with that there. Don't do it. You should only ever be doing two(ish) things: use prepared statements for your SQL, and use htmlspecialchars when outputting an unknown value into HTML. More than that is probably wrong and going to create problems for yourself in the present and/or future.
oz11 Posted April 16 (Author)
Oh, I always sanitize my inputs. But this is a bad idea for a fallback?
requinix Posted April 16
What "fallback"? It doesn't make sense to have a "fallback". What you're doing is altering the data being passed to your script. You're saying "yes, you did type one thing, but I'm going to change it and pretend you typed something else".
There are two basic parts to things like HTML and SQL and JSON and the like: you have the bits with values that you want to fill in (data), and you have the bits that are not data but fundamentally define how the HTML/SQL/JSON works (structure). Sanitization is about making sure that the data stays "data" and never crosses over into "structure".
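The two replies above (prepared statements for SQL, htmlspecialchars only at output, and keeping data from crossing into structure) can be shown side by side with the up-front sanitizing from the first post. The script below is an added example, not code from the thread or from any poster; it uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is loaded) and a constructed $request array standing in for $_POST, filtered with filter_var_array() so it runs without a real HTTP request.

```php
<?php
// Added example (not from the thread): sanitizing at input time versus
// escaping at output time. Runs offline against an in-memory SQLite
// database; assumes the pdo_sqlite extension is available.

// Constructed sample request, standing in for $_POST. The apostrophe and
// the angle brackets are legitimate data that also happen to be markup.
$request = ['name' => "O'Reilly <b>Books</b>"];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// --- Approach from the first post: sanitize the whole input array up front.
// filter_var_array() is used instead of filter_input_array() only so the
// constructed $request can be filtered here; the filter is the same.
$sanitized = filter_var_array($request, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $sanitized['name']]);

// --- Approach from the replies: store the raw value through a prepared
// statement. The placeholder keeps the value as data; it can never become
// part of the SQL structure, so no escaping is needed at this step.
$stmt->execute([':name' => $request['name']]);

function storedNames(PDO $pdo): array {
    return $pdo->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Escape for HTML at the point of output, and only there. This is the one
// place where the value meets HTML structure, so it is the place to escape.
function renderName(string $rawName): string {
    return '<li>' . htmlspecialchars($rawName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

[$preSanitizedRow, $rawRow] = storedNames($pdo);

// Row 1 no longer holds what the user typed: the database now contains
// HTML entities, which is wrong for every consumer that is not an HTML page
// (a CSV export, a JSON API, a plain-text email, a LIKE search on the name).
echo "stored (sanitized up front): $preSanitizedRow\n";
echo "stored (raw):                $rawRow\n";

// Rendering row 1 with the normal output escaping double-encodes it
// (the visitor sees literal "&#039;" text), because the value was already
// altered before anyone knew it was headed for HTML.
echo "rendered (sanitized up front): " . renderName($preSanitizedRow) . "\n";
// Row 2 renders correctly and safely: the <b> shows as text, not as a tag.
echo "rendered (raw):                " . renderName($rawRow) . "\n";
```

Run it with `php example.php`. The first stored row comes back as `O&#039;Reilly &lt;b&gt;Books&lt;/b&gt;` and renders with `&amp;` prefixes, while the second row is stored exactly as typed and renders as escaped text; the SQL stays safe in both cases because of the prepared statement, not because of the filter.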
oz11 Posted April 16 (Author, edited)
Anyway. I should be OK. Covered XSS, SQLi (PDOs and such), and CSRF (using tokens) and hashed everything I should hash with salt 🥳
Edited April 16 by oz11
maxxd Posted April 18
Does that mean that you've made sure you're using prepared statements, nonces for your CSRF, and proper XSS request headers, or do you mean you feel fine altering user input because what you have looks like it's working as it is?
Danishhafeez Posted April 19
Using filter_input_array with FILTER_SANITIZE_FULL_SPECIAL_CHARS for both $_GET and $_POST can provide an additional layer of security by sanitizing input data. However, keep in mind that it may cause unintended behavior if applied indiscriminately to all input. It's generally considered safe, especially when combined with htmlspecialchars, but ensure it doesn't interfere with any specific requirements or data types in your application.
Best regards,
Danish Hafeez | QA Assistant
ICTInnovations