Php filter (Security)

#1
VakhoQ (Programmer, 127 posts)
I want to save my web page from XSS attacks. So I'm going to filter my web page.

I made this:
If I find "<", I will change it to &lt;.
If I find ">", I will change it to &gt;.

<?php

function something($string) {
    // map the two angle brackets to their HTML entities
    $search  = array('<', '>');
    $replace = array('&lt;', '&gt;');
    return str_replace($search, $replace, $string);
}

$string = '<script> code here </script>';
echo something($string);

?>

Everything is all right. Now, for example, a hacker is trying to hack my web page. He will
convert "<script> code </script>" to hex or base64 or decimal. Will my script work in this situation? It's interesting for me...


Character Encoding Calculators Web pages:
XSS (Cross Site Scripting) Cheat Sheet (on the bottom of the page)
Surrogate Pair Calculator etc.
GNU/Linux Is the Best.

#2
strider96 (Newbie, 7 posts)
What you are basically doing is making it harder for a human to read.

It's very easy to convert your script back to the original format.

If you really want protection I suggest you use:
Ioncube or SourceGuardian (Google is your Friend.)

#3
VakhoQ (Programmer, 127 posts)
I hope there are people on the forum who can help me =))

#4
Orjan (Moderator, 3,299 posts, Karlstad, Sweden)
There is an even better way: look up PHP: htmlentities - Manual! It converts all you need for this purpose...
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#5
Orjan (Moderator, 3,299 posts, Karlstad, Sweden)

strider96 said:

What you are basically doing is making it harder for a human to read.

It's very easy to convert your script back to the original format.

If you really want protection I suggest you use:
Ioncube or SourceGuardian (Google is your Friend.)

You don't seem to understand its purpose?

#6
VakhoQ (Programmer, 127 posts)
Thank you for the advice. :)
Is htmlentities() enough? For example for:
base64? (Ij48c2NyaXB0PmFsZXJ0KC9oYWNraW5nIGF0dGVtcHQvKTwvc2NyaXB0PiA=)
hex? ...

#7
Orjan (Moderator, 3,299 posts, Karlstad, Sweden)
Yes, it removes output of valid HTML inside the string and makes it printed instead of parsed when stored or re-echoed to the page.

#8
VakhoQ (Programmer, 127 posts)
Thanks a lot ;)

#9
Alexander (Moderator, 4,124 posts, Vancouver)
htmlentities converts things such as ' to &#039;, which is not all required for security; you can get away with the htmlspecialchars command if that is relevant to you.

The links you linked to relate to something else, such as allowing user HTML and filtering out bad HTML, the XSS cheatsheet can provide vectors to bypass HTML filtering, but you are not allowing HTML at all, so it is not needed.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
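As an added example (not code from the thread or from PHP's own manual), here is the original post's angle-bracket-only filter beside htmlspecialchars() with ENT_QUOTES, run over constructed inputs including the base64 and hex variants asked about in #6. The function names are mine, and it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: the poster's angle-bracket-only
// filter beside htmlspecialchars() with ENT_QUOTES, run over constructed
// inputs including the base64 and hex variants asked about in the thread.
// Assumes PHP 7+ (scalar type hints; ENT_SUBSTITUTE / ENT_HTML5 flags).

// The original post's approach: only < and > are rewritten.
function escapeAngleOnly(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

// The approach recommended in the thread: every HTML-significant character
// (& < > " ') is escaped, so the result is inert both as element text and
// inside a quoted attribute value.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$tag = '<script>alert(1)</script>';
$inputs = [
    'plain tag' => $tag,
    // Base64 and hex forms are just letters and digits to the HTML parser;
    // a browser never decodes them, so both filters leave them as inert text.
    // They only become a problem if your own code decodes them before output.
    'base64'    => base64_encode($tag),
    'hex'       => bin2hex($tag),
    // Quotes and ampersands: untouched by the angle-only filter.
    'quotes'    => 'say "hi" & \'bye\'',
];

foreach ($inputs as $label => $raw) {
    printf("%-10s angle-only:       %s\n", $label, escapeAngleOnly($raw));
    printf("%-10s htmlspecialchars: %s\n", '', escapeHtml($raw));
}

// Why the quotes matter: echoing the 'quotes' sample into an attribute.
// With the angle-only filter the first " in the input closes the value
// attribute early; with htmlspecialchars it stays one attribute value.
$raw = $inputs['quotes'];
echo '<input value="' . escapeAngleOnly($raw) . '">', "\n";
echo '<input value="' . escapeHtml($raw) . '">', "\n";
```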

#10
Orjan (Moderator, 3,299 posts, Karlstad, Sweden)
Oh, my bad, I forgot about htmlspecialchars(); of course that one is enough.

#11
VakhoQ (Programmer, 127 posts)
Alexander

I'm now a PHP programmer. I did not know this. Thanks a lot ;)