
I've noticed a common problem


shank888


Google: XSS prevention - 1st link

Google: Sql Injection - 1st link

Google: Hijacking Forms - 1st link

 

http://ha.ckers.org/xss.html

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

http://www.anders.com/projects/sysadmin/formPostHijacking/

 

God, I am sick of people asking these stupid questions all the time, I don't care what you guys will say, I know this is a Help Section, but this is nowhere near wanting help but just for us to go and fetch stuff for you.

 

GOOGLE!

 

Argue with me, I don't care.

Maybe it's time to make an XSS protection sticky thread where we can find everything we need ... how to prevent ... how to protect against it for global applications and not just one at a time.

 

I agree with this.

 

And for the other guy, I went to those exact sites. I know what they are. I don't understand what the sites are saying, so I came here.

If you're so brilliant maybe you can explain it?


What they are? Just read the damn page, XSS is malicious code inserted into vulnerable parts of your site, like a form. It's usually HTML code that can be viewed by other members, or client-side scripts.

 

And what can I say about SQL injection other than someone breaking your query, by finding unprotected HTTP vars, or even forms.

 

http://en.wikipedia.org/wiki/SQL_injection

http://en.wikipedia.org/wiki/Cross-site_scripting


If your version of PHP supports it, one easy thing you can do is use the 7th parameter of setcookie ($httponly) so that the cookie is not accessible by JavaScript:

setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )

http://us3.php.net/manual/en/function.setcookie.php

 

Not all browsers implement the httponly cookie feature right now, but I expect more and more will and it would stop all current XSS attack methods in their tracks.
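
The three defenses this thread touches on, side by side, as an added example that is not part of any post above: an HttpOnly session cookie via the seventh `setcookie` argument, output encoding for the XSS case, and a bound query parameter for the SQL injection case. The cookie name, the `users` table and the sample inputs are constructed, and the code assumes PHP 7+ with the pdo_sqlite extension and a site served over HTTPS.

```php
<?php
// Added example, not code from the thread. Cookie name, table and inputs are constructed.

// Session cookie that page script cannot read: 7th argument $httponly = true.
function issue_session_cookie(string $token): bool
{
    // name, value, expire (0 = browser session), path, domain, secure, httponly
    return setcookie('session', $token, 0, '/', '', true, true);
}

// Encode untrusted text for an HTML body or quoted attribute context.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Look up a user with a bound parameter, so input is never parsed as SQL.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Headers must go out before any body output.
issue_session_cookie(bin2hex(random_bytes(16)));

// In-memory SQLite stands in for the real database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

// Constructed form input: markup in a comment, a quote in a name field.
$comment = '<b onmouseover="x()">hi</b>';
$name    = "alice' OR '1'='1";

// The markup is rendered as literal text, not as an element.
echo '<p>', h($comment), "</p>\n";

// The whole string is compared to the name column, so no row matches.
echo count(find_user($db, $name)), " rows for the crafted name\n";
echo count(find_user($db, 'alice')), " rows for alice\n";
```

The HttpOnly flag only keeps script from reading the cookie; the encoding and the bound parameter are what keep the submitted text from being interpreted as HTML or SQL in the first place.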
