I believe I read all the related threads that appeared to me when I was writing the title.
In short, I have used almost ALL the PHP functions to sanitize the user's input, yet I still fail to stop a simple XSS test from being executed.
The code which I'm trying to secure is as follows:
```php
$keyword = $_POST['biz'];
$keyword = strip_tags($keyword); //this
$keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
$keyword = addslashes(str_replace("<", "HELLO", $keyword)); //this
$myFilter = new InputFilter(); //this
$keyword = $myFilter->process($_POST['biz']); //this
if($keyword=="")
    $query="select * from `business` order by business_id DESC LIMIT 0,20";
else
```
However, none of the functions does what it is supposed to do on the variable $keyword.
Two possibilities:
* I have no idea what I'm doing.
* The XSS test fails, yet it doesn't mean that a person can use it to harm !!?
The test I used is simple (in the search field of the page): `">alert(document.cookie);"` or through the URL; same result in both, a popup with the cookie shows.
What am I doing wrong? I've been at this for a couple of days.
PS: I even installed Mod_security2 on the server and it didn't do the job (or I didn't configure it properly) !!
Before output, wrap everything the user supplied with htmlspecialchars().
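What that advice looks like in practice, as an added example (not code from the question or from either answer): the input is left alone and escaped at the moment it is written into HTML. It assumes the search term arrives in $_POST['biz'] and is echoed back into a form field and a results heading; the helper name h() and the probe string are my own.

```php
<?php
// Added example: escape at output time, not "sanitize" at input time.
// Assumes the search term arrives in $_POST['biz'] and is echoed into an
// HTML page (a pre-filled search box and a "Results for" heading).
declare(strict_types=1);

/**
 * Escape a string for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES also escapes single quotes, so the same helper is safe inside
 * value='...' attributes; the charset must match the page's own charset.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Keep the raw value for searching; strip_tags()/addslashes() would change
// what the user actually typed. Use a prepared statement for the SQL query.
$keyword = (string) ($_POST['biz'] ?? '');

// Constructed probe, modelled on the test in the question. After h() every
// < > " & has become an entity, so the browser shows it as literal text:
//   &quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;
$probe   = '"><script>alert(document.cookie);</script>';
$escaped = h($probe);
?>
<!-- Attribute context: the escaped value cannot close the value="" attribute -->
<input type="text" name="biz" value="<?= h($keyword) ?>">

<!-- Text context: the escaped value renders as plain text, no tag is created -->
<p>Results for: <?= h($keyword) ?></p>
```

The point is that escaping depends on where the value ends up: htmlspecialchars() covers HTML text and attribute values, which is the case here, but a value placed inside a script block, a URL or a CSS rule needs an escaper for that context instead.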
It looks to me like you're doing all that hard work processing the form, and then losing it a few moments later.
Here you've done some processing to $_POST['biz']:
```php
$keyword = $_POST['biz'];
$keyword = strip_tags($keyword); //this
$keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
$keyword = addslashes(str_replace("<", "HELLO", $keyword)); //this
```
And here you set it equal to something else entirely:
```php
$keyword = $myFilter->process($_POST['biz']); //this
```
It's possible that line should instead be:
```php
$keyword = $myFilter->process($keyword);
```