ILYAS415 — Posted December 2, 2007

Hi, I was reading the forum when I came across this code...

```php
<?php
if (stristr($_SERVER['PHP_SELF'], "'") ||
    stristr($_SERVER['PHP_SELF'], '"') ||
    stristr($_SERVER['PHP_SELF'], '<') ||
    stristr($_SERVER['PHP_SELF'], '>') ||
    stristr($_SERVER['PHP_SELF'], '/')) {
    echo "No XSS today, thank you"; // or any other message
    exit();
}
?>
```

Okay, I'm just wondering how to use this script. Basically, when I put this script into my game site, I put it into a file called functions.php. Every page in my site includes functions.php in its coding (using the function include_once). The script which Helraizer provided is meant to stop XSS. Unfortunately, when I go on a page which has no XSS or even no $_GET thingy on it, it says...

No XSS today, thank you

Any help?
PFMaBiSmAd — Posted December 2, 2007

The intent of that code was to "parse" the $_SERVER['PHP_SELF'] to find anything that was injected on the end of the REQUEST_URI (because php is not bothering to parse it, unless they have fixed this now.) Unfortunately, $_SERVER['PHP_SELF'] always contains a / which is what the last stristr(...) is checking for, so that code will always fail with that test in it. You could remove the last stristr(...) test.
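To make the point above concrete, here is an added example (not code from the thread) that runs the posted check against a constructed PHP_SELF value and shows two defender-side alternatives: comparing PHP_SELF with SCRIPT_NAME to detect appended path info, and escaping PHP_SELF on output instead of blacklisting characters. The function names and sample values are assumptions for illustration.

```php
<?php
// Added example, not from the thread. $self and $script stand in for
// $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']; sample values are constructed.

// The check as posted in the thread. PHP_SELF always begins with "/", so the
// final "/" test matches on every request and this returns true every time.
function posted_check(string $self): bool {
    foreach (["'", '"', '<', '>', '/'] as $bad) {
        if (stristr($self, $bad) !== false) {
            return true; // the "No XSS today" branch
        }
    }
    return false;
}

// Alternative 1: PHP_SELF equals SCRIPT_NAME unless extra path info was
// appended to the request. Anything past the script name is client-supplied,
// so a mismatch is the condition the posted check was really looking for.
function has_trailing_path(string $self, string $script): bool {
    return $self !== $script;
}

// Alternative 2: skip character blacklisting and escape PHP_SELF wherever it
// is echoed into HTML (for example as a form action attribute).
function safe_self(string $self): string {
    return htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
}

$script   = '/index.php';              // constructed SCRIPT_NAME
$normal   = '/index.php';              // ordinary request, nothing appended
$tampered = '/index.php/"<b>x</b>';    // constructed: extra path info appended

var_dump(posted_check($normal));                 // true: rejected by the "/" test alone
var_dump(has_trailing_path($normal, $script));   // false: PHP_SELF matches SCRIPT_NAME
var_dump(has_trailing_path($tampered, $script)); // true: appended path info detected
echo safe_self($tampered), "\n";                 // quotes and angle brackets entity-encoded
```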
shank888 — Posted February 22, 2008

> The intent of that code was to "parse" the $_SERVER['PHP_SELF'] to find anything that was injected on the end of the REQUEST_URI (because php is not bothering to parse it, unless they have fixed this now.) Unfortunately, $_SERVER['PHP_SELF'] always contains a / which is what the last stristr(...) is checking for, so that code will always fail with that test in it. You could remove the last stristr(...) test.

Even with that, I have found that this script does not work.