Disable XSS(Script execution from input)

12/22/2011 15:31 Angellinho#1

I saw a lot of old search scripts and some register pages that get XSS so easy.
So, to disable in script the tags that can be added, sended from GET or POST, you can use the following code into your PHP Code.

PHP Code:


			
    if(isset($_GET)) $_GET = array_map("strip_tags", $_GET);

    if(isset($_POST)) $_POST = array_map("strip_tags", $_POST);

12/23/2011 14:57 Whoknowsit#2

I use this:

Code:

function cleanUp($data) { 
    $data = stripslashes($data); 
    $data = strip_tags($data); 
    // $data = mysql_real_escape_string($data); 
    return $data; 
}

if(isset($_GET)) $_GET = array_map("cleanUp", $_GET); 
if(isset($_POST)) $_POST = array_map("cleanUp", $_POST);

04/14/2012 23:50 Angellinho#3

Hmm, now I use other one:

Code:

<?php

function mssql_escape($str){ 
    $str = htmlentities($str); 
    if (ctype_alnum($str))  
        return $str; 
    else 
        return str_ireplace(array(';', '%', "'", "--", "<", ">", "&"), "", $str);    
} 

?>

And I`m including it to the php scripts.