How to prevent XSS in my site?

Question

I believe I read all the related threads appeared to me when I was writing the title.

In short, I have used almost ALL the PHP functions to sanitize the user's input, yet I still fail to stop a simple XSS test to be executed.

The code which I'm trying to secure is as follows:

    $keyword = $_POST['biz'];
    $keyword = strip_tags($keyword); //this
$keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
$keyword = addslashes(str_replace("<", "HELLO", $keyword)); //this

$myFilter = new InputFilter(); //this
$keyword = $myFilter->process($_POST['biz']); //this
if($keyword=="")
$query="select * from `business` order by business_id DESC LIMIT 0,20";
else

However, non of the functions does what it is supposed to do on the variable $keyword

Two possibilities: *I have no what I'm doing. *The XSS test fails, yet it doesn't mean that a person can use it to harm !!?

The test I used is simple (in the search field of th page): `">alert(document.cookie);" or through the URL, same result in both, a popup with the cookie shows.

What Am I doing wrong, been into this since couple of days.

PS Even installed Mod_security2 on server and it didn't do the job ( Or I didn't configure properly) !!

Answer 1

在输出之前，用htmlspecialchars()包装用户指定的所有内容。

Answer 2

It looks to me like you're doing all that hard work processing the the form, and then loosing it a few moments later

Here you've done some processing to $_POST['biz']:

$keyword = $_POST['biz'];
    $keyword = strip_tags($keyword); //this
$keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
$keyword = addslashes(str_replace("<", "HELLO", $keyword)); //this

And here you set it equal to something else entirely:

$keyword = $myFilter->process($_POST['biz']); //this

Its possible that line should instead be:

$keyword = $myFilter->process($keywork);