A
Anonymous
Guest
Of course it depends on situation(in ex: of vulnerability)
But i think if you encode that characters: in ex: htmlentities($data)
& will become &
< will become as < > > etc.
It depends on you how your script pulls it back to user.(if it is htmlentiti'ed) it is safe from XSS and user browser will not render it as it displayed on user browser:
In ex:
It is safe for now: <script>alert(document.cookie);</script>
WIth SQL iinjections:
Here is my custom function
pass your string to this function by refenrence and that all it will sanitize it to you)
[/code]
And it is a bit safer than using preg_* functions (theris a minimal chance to bypass that filtering)
Also use mysql_real_escape_string() when you are going to deal with MYSQL QUERIES.
If you expect to get int force it to be int
like:
This is a just example.
Output: -999 (We prevented that malicious request using this way)
I would like to say again it depends on situation how to handle and secure your application.
Never Trust To CLient Side! Thats all)
But i think if you encode that characters: in ex: htmlentities($data)
& will become &
< will become as < > > etc.
It depends on you how your script pulls it back to user.(if it is htmlentiti'ed) it is safe from XSS and user browser will not render it as it displayed on user browser:
In ex:
Code:
<?php
$data=htmlentities('<script>alert(document.cookie);</script>');
echo $data;
//<script>alert(document.cookie);</script>
?>WIth SQL iinjections:
Here is my custom function
Code:
<?php
error_reporting('OFF');
define ("INTERNAL","antisqlinjectionmodule");
function sanitize(&$string,$die=1)
{
$dummy=$string;
$blacklisted=array("%","'","$","--","/*","*","union","select","-",
"order",",","0x","/",
"where","concat","concat_ws","group_concat",
"information_schema","tables","columns",
"hex","table_name","column_name","distinct",
"/*!","*/","into","load_file",
"outfile","truncate","drop",
"delete",";","+","substr","update",
"schemata","mysql","convert","using","char","?","$","`","|",
"\\","=","and","(","from",")",
".","null","table","dumpfile","php",
"<",">","eval","script","alert",'"','javascript','char','latin1','benchmark');
if (empty($string))@header("Location: index.php");
foreach ($blacklisted as $black)
{if ($die==0){
if(strlen(str_ireplace($black,'',$string)) !==strlen($dummy) || strlen($string)==0)@header("Location: " . "/index.php");
}
else
{
$string=str_ireplace($black,'',$string); //sanitization
$badcharsdetected=str_ireplace($string,'',$dummy);
}
}
unset($black);
}pass your string to this function by refenrence and that all it will sanitize it to you)
[/code]
And it is a bit safer than using preg_* functions (theris a minimal chance to bypass that filtering)
Also use mysql_real_escape_string() when you are going to deal with MYSQL QUERIES.
If you expect to get int force it to be int
like:
This is a just example.
Code:
<?php
$maycomefromhacker='-999+Un/**/IoN+sEL/**/ECT+1,2,user,4,5,6+Fr/!*Om*/+mYsql.UsEr--';
$maycomefromhacker=(int)$maycomefromhacker;
echo $maycomefromhacker;
?>Output: -999 (We prevented that malicious request using this way)
I would like to say again it depends on situation how to handle and secure your application.
Never Trust To CLient Side! Thats all)