
Thread: XSS, CSS Prevention

  1. #1

    XSS, CSS Prevention

    Hi,
    I am trying to code a registration script in PHP & I am even using preg_match & strip_tags, & other such security measures. Someone told me that I should filter metacharacters from user input. I am using preg_match for that purpose so that I can disallow or reject unacceptable data. I am only allowing numbers, alphabets & space. But still this concerns me. Can anyone please tell me a proper way in the form of code?

    Thank you in advance.

  2. #2
    Sounds like you're doing it right to me, but without any code it's anybody's guess.
    Let us live so that when we come to die even the undertaker will be sorry. - Mark Twain
    Don't PM me your CSS, xHTML, JS or PHP questions. I will not reply to ANY IE6 questions.

  3. #3

    Hi,
    Thank you very much for the info. Following is the main part of my validation:



    <?php
    // Trims whitespace, strips markup, then HTML-encodes the result.
    // Note the layering: htmlentities() already encodes & < > " ', then
    // check_real() applies SQL escaping, then htmlspecialchars() runs
    // three more times, so a single & ends up stored as &amp;amp;amp;amp;.
    function sanitize($str) {
        $str = trim($str);
        $str = strip_tags($str);
        $str = htmlentities(trim($str), ENT_QUOTES);
        $str = check_real($str);
        $str = htmlspecialchars($str);
        $str = htmlspecialchars($str);
        $str = htmlspecialchars($str);
        return $str;
    }

    // SQL escaping for the old mysql_* extension. mysql_real_escape_string()
    // needs an open MySQL connection; if none can be established it emits
    // a warning and returns false.
    function check_real($value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (function_exists("mysql_real_escape_string")) {
            $value = mysql_real_escape_string($value);
        } else {
            $value = addslashes($value);
        }
        return $value;
    }

    // Allowlist check: letters and spaces only. In PCRE a bare $ also
    // matches just before a trailing newline, so "abc\n" passes this test.
    function match($str) {
        if (!preg_match("/^[a-zA-Z\ ]+$/", $str)) {
            return false;
        } else {
            return true;
        }
    }

    I am passing all my POST variables through the above 2 functions as soon as I receive them. Even after doing that, it seems that the script is vulnerable to CSS attacks. Kindly advise what I can do.

    Thank you.
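Added example, not code from the original post or from kirupa.com. It separates the three jobs the posted sanitize() folds into one function: allowlist validation when the value arrives, a bound parameter for the database write, and a single HTML escape at output time. It also shows what the posted htmlentities() plus three htmlspecialchars() calls do to one apostrophe. The users table, the field name, the in-memory SQLite database standing in for MySQL, and the sample inputs are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Layering shown here:
// allowlist-validate on input, bind parameters for SQL, HTML-escape once at
// output. The 'users' table, the field name, the SQLite stand-in for MySQL
// and the sample inputs are constructed for illustration.

/**
 * Allowlist validation for a name field: letters and spaces only.
 * \A and \z anchor at the real ends of the string. A bare $ in PCRE also
 * matches just before a trailing "\n", so "Alice\n" passes /^[a-zA-Z ]+$/.
 */
function validateName(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 64) {
        return null;
    }
    return preg_match('/\A[A-Za-z ]+\z/', $value) === 1 ? $value : null;
}

/**
 * Escape for an HTML text node or quoted attribute. Apply exactly once,
 * when rendering; stored data stays raw. ENT_QUOTES covers ' and ",
 * ENT_SUBSTITUTE stops invalid UTF-8 from turning the output into "".
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Insert with a bound parameter instead of mysql_real_escape_string() or
 * addslashes(): the driver keeps the data separate from the SQL text.
 */
function insertUser(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

/** What the posted sanitize() chain does to an apostrophe (check_real() omitted: it needs a MySQL link). */
function legacyChain(string $value): string
{
    $value = htmlentities(trim(strip_tags(trim($value))), ENT_QUOTES);
    $value = htmlspecialchars($value);
    $value = htmlspecialchars($value);
    return htmlspecialchars($value);
}

// In-memory SQLite stands in for the MySQL database of the original post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed stand-ins for $_POST['name'].
$samples = [
    'Alice Smith',                        // accepted
    "Alice Smith\n",                      // trailing newline: rejected by \z
    '<b onmouseover=alert(1)>Bob</b>',    // markup: rejected outright, not stripped
    "O'Brien",                            // apostrophe: outside the allowlist
];

foreach ($samples as $raw) {
    $name = validateName($raw);
    if ($name === null) {
        printf("rejected: %s\n", h($raw));
        continue;
    }
    $id = insertUser($db, $name);
    printf("<p>Welcome, %s (user #%d)</p>\n", h($name), $id);
}

// The posted chain turns O'Brien into O&amp;amp;amp;#039;Brien, which a
// browser renders literally; one htmlspecialchars() call at output is enough.
printf("%s\n", legacyChain("O'Brien"));
```

Validation decides whether a value is acceptable at all; it is not an escaping step, so the accepted value is stored unchanged. The escape belongs where the value meets a specific output context (here an HTML text node), and the database driver handles the SQL context through the bound parameter, which is why neither mysql_real_escape_string() nor addslashes() appears.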

Copyright 1999 - 2012