
Thread: Preventing XSS

  1. #1
    Regular Coder (Sheffield, joined Jul 2010)

    Preventing XSS

    I've looked around the internet for ways to prevent XSS attacks, and I've found a few things, but I'm curious if there's any "best" method for it that people have used? The site I'm working on will have a lot of content put into a database by users.

  2. #2
    Senior Coder (Your Monitor, joined Feb 2011)

    XSS realistically has two main methods.

    One is JavaScript injection into your pages, which can do anything from redirecting a user to downloading things to their computer.

    The second is fooling another user on the web into clicking a link so that it is their IP recorded for an action and not the hacker's. This is why many people don't like $_REQUEST, because it can be abused: e.g. instead of being forced to click a form on the site, it can be turned into a hyperlink and emailed to an unsuspecting user. This is why you must ALWAYS be sure of the data you are processing and check that it's coming from where it should be and that it's the correct type of data. $_REQUEST is safe to use if you use it properly (e.g. require someone to be logged in and take other measures such as IP address checking, cookie checking, password verification, etc.), but if you don't do all of that, your system is open to abuse.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!
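The two concerns raised in the reply above, escaping user-supplied content at output time and refusing state-changing requests that did not come from a form on the site, as an added PHP example that is not code from either poster. The function names (escapeHtml, escapeUrlAttr, escapeJs, csrfToken, isValidStateChange) and the sample comment record are this example's own; the standard-library calls (htmlspecialchars, json_encode, random_bytes, hash_equals) are real PHP.

```php
<?php
// Added example (not from the thread): context-aware output escaping for
// user content pulled from a database, plus a CSRF token check so that a
// delete/edit action must arrive as a tokened POST from the site's own form
// rather than as a hyperlink sent to an unsuspecting user.
declare(strict_types=1);

// Escape for HTML element content or a quoted attribute value.
// ENT_QUOTES covers both ' and "; naming UTF-8 and ENT_SUBSTITUTE stops
// malformed multibyte input from being passed through unchanged.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for an href/src attribute: only http/https schemes are allowed,
// so a stored "javascript:" value is replaced rather than rendered.
function escapeUrlAttr(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// Escape for a JavaScript string literal inside an inline <script> block.
// JSON_HEX_* hex-escapes < > & ' " so "</script>" cannot close the block.
function escapeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Issue (or reuse) a per-session CSRF token; $session stands in for $_SESSION.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A state-changing request is accepted only if it is a POST (a link in an
// e-mail cannot produce one) carrying the token stored in the session.
// hash_equals compares in constant time.
function isValidStateChange(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// --- Demonstration on constructed data -------------------------------------
// Constructed example of a comment row as a user might have stored it.
$comment = [
    'author'  => 'Alice <script>alert(1)</script>',
    'website' => 'javascript:alert(document.cookie)',
    'body'    => "Nice post! \"quotes\" & <b>tags</b> </script>",
];

// Store raw, escape per context when rendering.
echo '<p data-name="' . escapeHtml($comment['author']) . '">' . escapeHtml($comment['author']) . '</p>', PHP_EOL;
echo '<a href="' . escapeUrlAttr($comment['website']) . '">site</a>', PHP_EOL;
echo '<p>' . escapeHtml($comment['body']) . '</p>', PHP_EOL;
echo '<script>var preview = ' . escapeJs($comment['body']) . ';</script>', PHP_EOL;

// Form rendering: the token travels in a hidden field.
$session = [];
$token   = csrfToken($session);
echo '<form method="post" action="delete.php">', PHP_EOL;
echo '  <input type="hidden" name="csrf_token" value="' . escapeHtml($token) . '">', PHP_EOL;
echo '  <button>Delete</button>', PHP_EOL, '</form>', PHP_EOL;

// Handler side (what delete.php would do), with constructed requests:
$fromForm   = isValidStateChange(['REQUEST_METHOD' => 'POST'], ['csrf_token' => $token], $session);
$fromLink   = isValidStateChange(['REQUEST_METHOD' => 'GET'],  ['csrf_token' => $token], $session);
$wrongToken = isValidStateChange(['REQUEST_METHOD' => 'POST'], ['csrf_token' => 'guess'], $session);
var_dump($fromForm, $fromLink, $wrongToken); // bool(true) bool(false) bool(false)
```

The point of the per-context escapers is that one function does not fit every insertion point: text that is harmless in element content can still break out of a URL attribute or an inline script, so the escaping is chosen by where the value lands, and it is applied when rendering rather than when the content is saved to the database.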

