PHP XSS site scripting prevention


ILYAS415

Hi, I was reading the forum when I came across this code...

<?php
// Posted check: refuse the request if $_SERVER['PHP_SELF'] contains a quote,
// an angle bracket or a slash.
if (stristr($_SERVER['PHP_SELF'], "'") || stristr($_SERVER['PHP_SELF'], '"') ||
    stristr($_SERVER['PHP_SELF'], '<') || stristr($_SERVER['PHP_SELF'], '>') ||
    stristr($_SERVER['PHP_SELF'], '/')) {
    echo "No XSS today, thank you"; // or any other message
    exit();
}
?>

Okay, I'm just wondering how to use this script. Basically, when I put this script into my game site, I put it into a file called functions.php.

Every page in my site includes functions.php in its code (using include_once). The script which Helraizer provided is meant to stop XSS. Unfortunately, when I go to a page which has no XSS, or even no $_GET parameters at all, it says...

No XSS today, thank you

Any help?

The intent of that code was to "parse" $_SERVER['PHP_SELF'] to find anything that was injected on the end of the REQUEST_URI (because PHP is not bothering to parse it, unless they have fixed this now).

Unfortunately, $_SERVER['PHP_SELF'] always contains a /, which is what the last stristr(...) is checking for, so that code will always fail with that test in it. You could remove the last stristr(...) test.
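To make the point concrete, here is a small PHP script I have added (it is not code from the thread or from Helraizer). It re-implements the posted test as a function, runs it next to the same test with the '/' needle removed, and shows the escaping that should be applied anyway whenever PHP_SELF is echoed into HTML. The function names and the sample path values are my own and are constructed, not taken from a real request.

```php
<?php
// Added example, not the code posted in the thread. Function names and the
// sample PHP_SELF values below are constructed for illustration.

// The posted test as a function: flags quotes, angle brackets and slashes.
function original_check(string $phpSelf): bool
{
    foreach (["'", '"', '<', '>', '/'] as $needle) {
        if (stristr($phpSelf, $needle) !== false) {
            return true; // this is where "No XSS today" would be printed
        }
    }
    return false;
}

// The same test with the '/' needle removed, as suggested in the reply.
function corrected_check(string $phpSelf): bool
{
    foreach (["'", '"', '<', '>'] as $needle) {
        if (stristr($phpSelf, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Whatever filtering is done on the path, escape it before it reaches HTML,
// e.g. in <form action="<?php echo safe_self($_SERVER['PHP_SELF']); ?>">.
function safe_self(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values of $_SERVER['PHP_SELF'] (not real requests).
$samples = [
    '/game/index.php',            // an ordinary request with nothing injected
    '/game/index.php/<injected>', // an extra path segment carrying angle brackets
];

foreach ($samples as $path) {
    printf("%-30s original: %-5s corrected: %-5s escaped: %s\n",
        $path,
        original_check($path) ? 'block' : 'pass',
        corrected_check($path) ? 'block' : 'pass',
        safe_self($path));
}
```

Run it from the command line with php and you will see that original_check() reports "block" for the plain /game/index.php as well, because every script path contains a slash; corrected_check() passes the ordinary path and only blocks the one with angle brackets. The safe_self() line shows the escaped form of each path, which is the part that actually prevents the injected text from being rendered as markup if PHP_SELF is printed into a page.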

Even with that, I have found that this script does not work.
