input data filtering

Question

anthmaina 0 Light Poster

16 Years Ago

i'm getting a search parameter via $_GET and filtering the input data to prevent cross site scripting using the below code:

$search = array ("'<script[^>]*?>.*?</script>'si", // Strip out javascript
"'<[/!]*?[^<>]*?>'si",
"'>'[^>]*?>.*?</script>'si",
"'%0'[^>]*?>.*?</script>'si", // Strip out HTML tags
"'@'[^>]*?>.*?</script>'si",
"'>'[^>]*?>.*?</script>'si",
"'([rn])[s]+'", // Strip out white space
"'&(quot|#34);'i", // Replace HTML entities
"'&(amp|#38);'i",
"'&(lt|#60);'i",
"'&(gt|#62);'i",
"'&(nbsp|#160);'i",
"'&(iexcl|#161);'i",
"'&(cent|#162);'i",
"'&(pound|#163);'i",
"'&(copy|#169);'i",
"'&#(d+);'e"); // evaluate as php

$replace = array ("",
"",
"\1",
"\"",
"&",
"<",
">",
" ",
chr(161),
chr(162),
chr(163),
chr(169),
"chr(\1)");

$text = preg_replace($search, $replace, $_GET);

But on running acunetix web vulnerability scanner,there still exists some loop holes.I'm using php4 therefore i can't use the inbuild filter functions.Is there another way round to go about input data filteration.

php

2 Contributors
1 Reply
90 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by web_lock

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

web_lock 0 Newbie Poster · Answer 1 · 2008-02-09T15:26:28+00:00

Hmmm... you could try to control it as the client side itself , through javascript.