Geek Answers Handbook

Server Side Scripting Prevention, XSS

Are there any ready-made scripts that I can use for PHP / MySQL to prevent server side scripting and JS injection?

I know about typical functions like htmlentities, special characters, line replacements, etc., but is there a simple bit of code or a function that fails for everything?

Any ideas would be great. Many thanks:)

EDIT: Something in common that removes anything that could be dangerous, i.e. more / less characters, half colonies, words like "DROP", etc.

Basically, I just want to compress everything to be alphanumeric, I think ...?

+5
source share
7

- HTML, htmlspecialchars(), . , , XSS.

, , .

function h(s) { return htmlspecialchars(s); }

htmlspecialchars() , 100 PHP. , htmlentities() .

: , . , .

HTML - , , , . - . , .

URL- - , , , (?, &, =, #). - : . , .

URL-, HTML, ( URL- HTML), .

- . , . , - (, URL- <a href> HTML-), , . XSS , : ) , / (.. "" ) ) , , .

XSS , a) b).

+4

, Google-caja . taint Java- XSS . PHP. , caja -.

+3

, . , , -, ( )

+1

, ?

.

, PHP, / , . / , PHP.

.

+1

OWASP, XSS:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

js-, , :

https://www.opensource-excellence.com/shop/ose-security-suite.html

js , . , , , .

, php script js-, , :

if (preg_match ('/(?: [ ".] script\s *() | (?:\$\ $?\s * (\ s * [\ w" ]) | (?:/[\ \s] +/) | (:.? =\s */\ +/\ *) | (:(?: | | | | | | ) [.?\s * [(, "]\s [\ w\$]) | (?:,\s * new\s +\w +\s * [,;)/ms ', strtolower ($ POST [' VARIABLENAME '] )))                   {                       filter_variable ($ POST [ 'VARIABLENAME']);                   }

0

: , <>, XSS.
htmlspecialchars() .

DROP table ;)

-1

to use clean users html_special_chars(); str_replace()and other functions for cutting unsafe data.

-3
source

More articles:


All Articles