I've noticed a common problem


shank888

Google: XSS prevention - 1st link

Google: Sql Injection - 1st link

Google: Hijacking Forms - 1st link

 

http://ha.ckers.org/xss.html

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

http://www.anders.com/projects/sysadmin/formPostHijacking/

 

God, I am sick of people asking these stupid questions all the time. I don't care what you guys will say. I know this is a Help Section, but this is nowhere near wanting help, but just for us to go and fetch stuff for you.

 

GOOGLE!

 

Argue with me, I don't care.

Maybe it's time to make an XSS protection sticky thread where we can find everything we need ... how to prevent ... how to protect against it for global applications and not just one at a time.

 

I agree with this.

 

And for the other guy, I went to those exact sites. I know what they are. I don't understand what the sites are saying, so I came here.

If you're so brilliant, maybe you can explain it?


What they are? Just read the damn page. XSS is malicious code inserted into vulnerable parts of your site, like a form. It's usually HTML code that can be viewed by other members, or client-side scripts.

 

And what can I say about SQL injection other than someone breaking your query, by finding unprotected HTTP vars, or even forms..

 

http://en.wikipedia.org/wiki/SQL_injection

http://en.wikipedia.org/wiki/Cross-site_scripting

If your version of PHP supports it, one easy thing you can do is use the 7th parameter of setcookie ($httponly) so that the cookie is not accessible by JavaScript:

setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )

http://us3.php.net/manual/en/function.setcookie.php

 

Not all browsers implement the httponly cookie feature right now, but I expect more and more will and it would stop all current XSS attack methods in their tracks.
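
The setcookie() call from the post above, together with a check that finds cookies sent without the flag. This is an added example, not code from the thread or the PHP manual; the function names, cookie names and sample header lines are constructed for illustration.

```php
<?php
// Added example. issue_session_cookie() and cookies_missing_httponly()
// are hypothetical helper names, not PHP built-ins.

// Set a cookie with the positional signature quoted above.
// Arguments: name, value, expire (0 = until the browser closes), path,
// domain ('' = current host), secure (HTTPS only), httponly (7th argument).
function issue_session_cookie($name, $value)
{
    if (headers_sent()) {
        return false; // cookies travel in response headers; too late to add one
    }
    return setcookie($name, $value, 0, '/', '', true, true);
}

// Given raw response header lines, return the names of cookies whose
// Set-Cookie header lacks the HttpOnly attribute.
function cookies_missing_httponly(array $headerLines)
{
    $missing = [];
    foreach ($headerLines as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        // First segment is name=value; the rest are attributes.
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        $pair  = array_shift($parts);
        $name  = explode('=', $pair, 2)[0];
        // Compare whole attributes, case-insensitively, so a cookie *value*
        // that merely contains the word "httponly" does not count.
        if (!in_array('httponly', array_map('strtolower', $parts), true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample headers (not captured from a real site).
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly',
    'Set-Cookie: theme=dark; path=/',
    'Set-Cookie: note=httponly-not-set; path=/',
];
print_r(cookies_missing_httponly($sample));
```

Inside a web request, passing `headers_list()` to `cookies_missing_httponly()` runs the same check against the headers PHP is about to send.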

Archived

This topic is now archived and is closed to further replies.
