Disable XSS(Script execution from input)

Angellinho · 12/22/2011, 15:31

I saw a lot of old search scripts and some register pages that get XSS so easy.
So, to disable in script the tags that can be added, sended from GET or POST, you can use the following code into your PHP Code.

PHP Code:


			
    if(isset($_GET)) $_GET = array_map("strip_tags", $_GET);

    if(isset($_POST)) $_POST = array_map("strip_tags", $_POST);

Whoknowsit · 12/23/2011, 14:57

I use this:

Code:

function cleanUp($data) { 
    $data = stripslashes($data); 
    $data = strip_tags($data); 
    // $data = mysql_real_escape_string($data); 
    return $data; 
}

if(isset($_GET)) $_GET = array_map("cleanUp", $_GET); 
if(isset($_POST)) $_POST = array_map("cleanUp", $_POST);

Angellinho · 04/14/2012, 23:50

Hmm, now I use other one:

Code:

<?php

function mssql_escape($str){ 
    $str = htmlentities($str); 
    if (ctype_alnum($str))  
        return $str; 
    else 
        return str_ireplace(array(';', '%', "'", "--", "<", ">", "&"), "", $str);    
} 

?>

And I`m including it to the php scripts.