I'm getting a search parameter via $_GET and filtering the input data to prevent cross-site scripting using the code below:

$search = array ("'<script[^>]*?>.*?</script>'si",  // Strip out javascript
                 "'<[\/\!]*?[^<>]*?>'si",           // Strip out HTML tags
                 "'>[^>]*?>.*?</script>'si",        // Additional tag patterns
                 "'%0[^>]*?>.*?</script>'si",
                 "'@[^>]*?>.*?</script>'si",
                 "'>[^>]*?>.*?</script>'si",
                 "'([\r\n])[\s]+'",                 // Strip out white space
                 "'&(quot|#34);'i",                 // Replace HTML entities
                 "'&(amp|#38);'i",
                 "'&(lt|#60);'i",
                 "'&(gt|#62);'i",
                 "'&(nbsp|#160);'i",
                 "'&(iexcl|#161);'i",
                 "'&(cent|#162);'i",
                 "'&(pound|#163);'i",
                 "'&(copy|#169);'i",
                 "'&#(\d+);'e");                    // evaluate as php

// One replacement per pattern, in the same order as $search
$replace = array ("",
                  "",
                  "",
                  "",
                  "",
                  "",
                  "\\1",                            // keep the captured newline
                  "\"",
                  "&",
                  "<",
                  ">",
                  " ",
                  chr(161),
                  chr(162),
                  chr(163),
                  chr(169),
                  "chr(\\1)");                      // evaluated by the 'e' modifier

$text = preg_replace($search, $replace, $_GET);

But on running the Acunetix web vulnerability scanner, there still exist some loopholes. I'm using PHP 4, therefore I can't use the built-in filter functions. Is there another way to go about input data filtering?
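For comparison, here is an added example (not the poster's code) of the other approach to reflected XSS: leave the input alone and encode it at the point where it is written into the page. htmlspecialchars() exists in PHP 4 (the charset argument from 4.1.0), so it needs no filter extension; the function name and sample values are the example's own.

```php
<?php
// Added example, not the poster's code: encode the search term at output time
// instead of trying to strip "bad" markup out of the input.

// Escapes a value for insertion into HTML element content or a quoted attribute.
function encode_for_html($value)
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // value='...' attributes as well as value="..." ones.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['search'].
// The blacklist in the question would silently delete "<b>" and "</b>" from
// the first one and hand back "shoes sale & more", i.e. it changes legitimate
// data, whereas encoding preserves the text and the browser shows it literally.
$samples = array(
    'shoes <b>sale</b> & more',
    "O'Reilly \"quoted\" <i>book</i>",
);

foreach ($samples as $term) {
    $safe = encode_for_html($term);

    // Element content: the browser shows the original characters literally.
    echo '<p>Results for: ' . $safe . "</p>\n";

    // Attribute value: echoing the term back into the search box needs the
    // same encoding, and the attribute must be quoted.
    echo '<input type="text" name="search" value="' . $safe . '">' . "\n";
}
```

The encoded value is only correct for HTML element and quoted-attribute context; a term placed inside a script block or a URL needs the encoding for that context instead.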

Hmmm... you could try to control it at the client side itself, through JavaScript.
