
Thread: XSS, CSS Prevention

  1. #1

    XSS, CSS Prevention

    Hi,
    I am trying to code a registration script in PHP, and I am even using preg_match, strip_tags and other such security measures. Someone told me that I should filter metacharacters from user input. I am using preg_match for that purpose so that I can disallow or reject unacceptable data. I am only allowing numbers, alphabets and space. But still this concerns me. Can anyone please tell me a proper way in the form of code?

    Thank you in advance.

  2. #2
    Sounds like you're doing it right to me, but without any code it's anybody's guess.
    Let us live so that when we come to die even the undertaker will be sorry. - Mark Twain
    Don't PM me your CSS, xHTML, JS or PHP questions. I will not reply to ANY IE6 questions.

  3. #3

    Hi,
    Thank you very much for the info. Following is the main part of my validation:



    function sanitize($str) {
        $str = trim($str);
        $str = strip_tags($str);
        // htmlentities() already covers everything htmlspecialchars() does;
        // the original followed it with three more htmlspecialchars() calls,
        // which only double-encode every '&' ("&" -> "&amp;amp;amp;amp;").
        $str = htmlentities($str, ENT_QUOTES);
        // SQL escaping is applied after HTML encoding, so the value that
        // reaches the database is the HTML-encoded text, not the raw input.
        $str = check_real($str);
        return $str;
    }

    function check_real($value) {
        // Magic quotes were removed in PHP 5.4; on older versions undo them
        // so the value is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // mysql_real_escape_string() needs an open mysql connection; without
        // one it returns false (and the whole value is lost). The mysql
        // extension itself was removed in PHP 7.
        if (function_exists("mysql_real_escape_string")) {
            $value = mysql_real_escape_string($value);
        } else {
            // addslashes() is not charset-aware and is only a fallback.
            $value = addslashes($value);
        }
        return $value;
    }

    // Whitelist check: letters and spaces only, nothing else passes.
    function match($str) {
        if (!preg_match("/^[a-zA-Z ]+$/", $str)) {
            return false;
        } else {
            return true;
        }
    }

    I am passing all my POST variables through the above two functions as soon as I receive them. Even after doing that, it seems that the script is vulnerable to CSS attacks. Kindly advise what I can do.

    Thank you.
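The posted sanitize() mixes three different jobs (validating input, escaping for SQL, encoding for HTML) into one step, so each layer mangles the next and the database ends up holding HTML-encoded, slash-escaped text. The following is an added example, not code from the thread: it keeps the same whitelist idea as match() but does each job at its own stage. It assumes an in-memory SQLite database and a users table so it runs stand-alone; the table name and helper names are the example's own.

```php
<?php
// Added example: validation, storage and output as three separate steps.
// Assumes PDO with the sqlite driver; the users table is constructed here.

// 1. Validation at input time: a whitelist like the thread's match().
//    Anything outside it is rejected, not "cleaned".
function is_valid_name(string $str): bool {
    return preg_match('/^[a-zA-Z ]{1,64}$/', $str) === 1;
}

// 2. Storage: a prepared statement keeps data and SQL apart, so no
//    mysql_real_escape_string()/addslashes() layer is needed at all.
function store_user(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// 3. Output: encode exactly once, at the point of emission and for the
//    context it lands in (here HTML body text). Encoding before storage,
//    as sanitize() does, double-encodes and still does nothing for
//    attribute or JavaScript contexts, which need their own encoding.
function render_name(string $name): string {
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: one acceptable name and two the whitelist rejects
// (markup, and a quote that the old escaping layer was meant to handle).
$inputs = ['Jane Doe', '<b>Jane</b>', "O'Brien"];
foreach ($inputs as $in) {
    if (is_valid_name($in)) {
        store_user($db, $in);
    } else {
        echo 'rejected: ' . htmlspecialchars($in, ENT_QUOTES, 'UTF-8') . "\n";
    }
}

// Stored data is the raw, validated value; encoding happens only here.
foreach ($db->query('SELECT name FROM users') as $row) {
    echo render_name($row['name']) . "\n";   // prints <li>Jane Doe</li>
}
```

Note that the whitelist in match() rejects legitimate names such as O'Brien; with prepared statements and output encoding in place, the whitelist can be relaxed to whatever the registration form genuinely needs to accept.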


Copyright 1999 - 2012