I remember when I was working on a project, I detected an XSS attack.
At first, I did not filter the submitted content.
Later, I used foreach to loop over and filter every variable in $_GET, $_POST, ..., but that did not work.
Then I had to write a function that directly checks $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"] and exits directly if it finds something...
I don't know how everyone else handles this problem...
------ Solution --------------------
htmlspecialchars filtering
------ Solution --------------------
htmlspecialchars
------ Solution --------------------
Discussion
How to filter all variables in $_GET? This is useless... I tried it.
Reference:
htmlspecialchars filtering
------ Solution --------------------
PHP code
    <?php
    // The array stands in for request data; the loop escapes each value in place.
    $array = array("hello" => "dsa<>");
    foreach ($array as &$value) {
        $value = htmlspecialchars($value);
    }
    unset($value); // break the reference left behind by foreach-by-reference
    var_dump($array);
Output:
    array(1) {
      ["hello"]=>
      string(11) "dsa&lt;&gt;"
    }
------ Solution --------------------
Discussion
You use
    foreach ($_GET as &$value) {
        $value = htmlspecialchars($value);
    }
to filter?
Reference:
Reference:
How to filter all variables in $_GET? This is useless... I tried it.
Reference:
htmlspecialchars filtering
It's useless...
------ Solution --------------------
You can modify these three functions as needed. You can use this method to retrieve the content in the future, whether it is GET or POST:
$variable_name = Toget('parameter name (the field name in the form)');
PHP code
    <?php
    // Function: get request data
    // Parameters: form field name, whether to escape with addslashes
    function Toget($__k, $Slash = true) {
        if ($__k == "") {
            return false;
        }
        if (array_key_exists($__k, $_REQUEST)) {
            // POST takes precedence over GET for the same field name
            $Value = isset($_POST[$__k]) ? $_POST[$__k] : $_GET[$__k];
        } else {
            return false;
        }
        if (is_array($Value)) {
            $Value = array_filter($Value, '_nul');
        } else {
            $Value = trim($Value);
            if ($Value == "") {
                return false;
            }
        }
        if ($Slash) {
            $Value = Addlash($Value);
        }
        // feedback result
        if (is_array($Value)) {
            return $Value;
        }
        if ($Value == "" || !isset($Value)) {
            return false;
        } else {
            return $Value;
        }
    }

    // Recursively apply addslashes() to keys and values unless magic_quotes_gpc
    // already did so. get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    function Addlash($Str) {
        !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC',
            function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc());
        if (!MAGIC_QUOTES_GPC) {
            if (is_array($Str)) {
                $keys = array_keys($Str);
                foreach ($keys as $key) {
                    $val = $Str[$key];
                    unset($Str[$key]);
                    $Str[addslashes($key)] = Addlash($val);
                }
            } else {
                $Str = addslashes($Str);
            }
        }
        return $Str;
    }

    // Clear null values in the array
    // Usage: print_r(array_filter($Arr, '_nul'));
    function _nul($param) {
        return ($param != "") ? true : false;
    }
------ Solution --------------------
Mark this. continue ~
------ Solution --------------------
XSS, also known as CSS (Cross Site Script), is a cross-site scripting attack. A malicious attacker inserts malicious script code into a Web page; when a user browses this page, the script code embedded in the Web page is executed, which achieves the attacker's particular malicious purpose against the user. XSS is a passive attack; because it is passive and hard to exploit, many people tend to ignore its dangers.
The only thing a server-side script can do to prevent XSS attacks is to check whether there is a script mark in the incoming data.
Of course, attackers still have more than n ways to embed malicious code directly in your pages. This is not a problem that can be solved by server-side scripts.
Simply processing with htmlspecialchars is only suitable when the incoming data is to be displayed as a string,
because the detection algorithm apparently used in #7 is not a maximum-matching algorithm but a simple inclusion check.
Although that is not a big mistake, the false positive rate goes up: it would rather kill three thousand by mistake.
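As an added illustration (not code from any post in this thread), the snippet below shows htmlspecialchars() used the way the replies above suggest, with the flags a practitioner would want, and why the "foreach ($_GET as &$value)" pattern needs care. The function names h() and escape_tree() and the sample request data are my own assumptions.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 5.4 run from the CLI.

// Escape one string for an HTML text node or a double/single-quoted attribute value.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of silently returning "" (which would blank the field);
// stating the charset avoids guessing. Other contexts (URL, JavaScript, CSS)
// need their own encoders; this is exactly the "display as string" limit noted above.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Recursively escape every leaf of a request array such as $_GET.
// A parameter like ?tags[]=a&tags[]=b arrives as a nested array, so a flat
// foreach over $_GET would hand an array to htmlspecialchars() and fail.
function escape_tree(array $in): array {
    $out = [];
    foreach ($in as $k => $v) {
        $out[$k] = is_array($v) ? escape_tree($v) : h((string) $v);
    }
    return $out;
}

// Constructed request data standing in for $_GET.
$get = [
    'name' => "O'Brien <b>",
    'tags' => ['<i>', 'plain'],
];
$escaped = escape_tree($get);
assert($escaped['name'] === "O&#039;Brien &lt;b&gt;");
assert($escaped['tags'] === ['&lt;i&gt;', 'plain']);

// Pitfall of the foreach-by-reference filter from the thread: after the loop,
// $value still references the last element, and any later loop that reuses
// $value silently overwrites that element. unset($value) after the loop fixes it.
$a = ['x', 'y', 'z'];
foreach ($a as &$value) {
    $value = h($value);
}
foreach ($a as $value) {
    // each iteration writes into the slot $value still references
}
assert($a === ['x', 'y', 'y']); // last element clobbered
unset($value);
echo "checks passed\n";
```

Run with `php -d zend.assertions=1 example.php`; the assertions are the expected values, so a failing one indicates a behaviour difference on your PHP build.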
------ Solution --------------------
Discussion
Reference:
You use
    foreach ($_GET as &$value) {
        $value = htmlspecialchars($value);
    }
to filter?