I just talked about XSS attacks.

I remember working on a project where I needed to detect XSS attacks.

At first, I did not filter the submitted content at all.

Later, I used foreach to loop through and filter every variable in $_GET..., $_POST..., but that didn't work.

Then I had to write a function that checks $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"] directly and decides whether to exit right away...

I don't know how everyone handles this problem...


------ Solution --------------------
htmlspecialchars filtering
------ Solution --------------------
htmlspecialchars
------ Solution --------------------
Discussion
How do you filter all the $_GET variables? That is useless... I tried it.


Reference:

htmlspecialchars filtering

------ Solution --------------------
PHP code
$array = array("hello" => "dsa<>");
// iterate by reference so the escaped value is written back into the array
foreach ($array as &$value) {
    $value = htmlspecialchars($value);
}
var_dump($array);

Output:
array(1) {
  ["hello"]=>
  &string(11) "dsa&lt;&gt;"
}
------ Solution --------------------
Discussion

You use
foreach ($_GET as &$value) {
    $value = htmlspecialchars($value);
}

to filter?



Reference:
How do you filter all the $_GET variables? That is useless... I tried it.


Reference:

htmlspecialchars filtering


It's useless ......

------ Solution --------------------
You can modify these three functions as needed. From now on you can use this method to retrieve content, whether it comes in by GET or POST:
$variable_name = Toget('parameter name or item name in the form');

PHP code
// Function: get data
// Parameters: form item name, whether to escape (addslashes)
function Toget($__k, $Slash = true) {
    if ($__k == "") {
        return false;
    }
    if (array_key_exists($__k, $_REQUEST)) {
        // POST takes precedence over GET for the same name
        $Value = isset($_POST[$__k]) ? $_POST[$__k] : $_GET[$__k];
    } else {
        return false;
    }
    if (is_array($Value)) {
        $Value = array_filter($Value, '_nul');
    } else {
        $Value = trim($Value);
        if ($Value == "") {
            return false;
        }
    }
    if ($Slash) {
        $Value = Addlash($Value);
    }
    // return the result
    if (is_array($Value)) {
        return $Value;
    }
    if ($Value == "" or !isset($Value)) {
        return false;
    } else {
        return $Value;
    }
}

// Recursively addslashes() keys and values, unless magic_quotes_gpc already did.
// Note: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8,
// so this function targets PHP 5-era installations.
function Addlash($Str) {
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if (!MAGIC_QUOTES_GPC) {
        if (is_array($Str)) {
            $keys = array_keys($Str);
            foreach ($keys as $key) {
                $val = $Str[$key];
                unset($Str[$key]);
                $Str[addslashes($key)] = Addlash($val);
            }
        } else {
            $Str = addslashes($Str);
        }
    }
    return $Str;
}

// Remove empty values from an array
// Usage: print_r(array_filter($Arr, '_nul'));
function _nul($param) {
    return ($param != "") ? true : false;
}
------ Solution --------------------
Mark this. continue ~
------ Solution --------------------
XSS, also known as CSS (Cross Site Script), is a cross-site scripting attack. A malicious attacker inserts malicious script code into a web page; when a user browses that page, the script code embedded in the page is executed, which achieves the attacker's special purpose against the user. XSS is a passive attack; because it is passive and hard to exploit, many people often ignore its dangers.

The only way for a server script to prevent XSS attacks is to check whether the incoming data contains script markup.
Of course, attackers still have more than n ways to embed malicious code directly in your pages. That is not a problem server scripts can solve.
Simply processing with htmlspecialchars is only suitable when the incoming data is displayed as a string.
Because the detection algorithm apparently used in #7 is not a maximum matching algorithm but a simple containment check, there is no big mistake, but the false positive rate goes up: it would rather kill three thousand by mistake.
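An added example (mine, not code from any reply in this thread) of what the reply above means by using htmlspecialchars only where data is displayed as a string: encode untrusted data at output time, with an encoder chosen for the context it lands in, instead of escaping $_GET/$_POST on the way in. The helper names e() and e_js() and the sample value are my own assumptions.

```php
<?php
declare(strict_types=1);

// HTML text nodes and quoted attribute values: escape < > & " ' and replace
// invalid UTF-8 so a malformed byte sequence cannot break out of the encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded inside an inline <script>: serialise as JSON and hex-escape
// the characters that could close the script block or an enclosing attribute.
function e_js(string $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input, standing in for a raw $_GET parameter.
$name = "O'Brien <b>";

// 1. Text node
echo '<p>Hello, ' . e($name) . "</p>\n";

// 2. Single-quoted attribute: before PHP 8.1 the default htmlspecialchars()
//    flags left the single quote alone, which is why ENT_QUOTES is passed explicitly.
echo "<input value='" . e($name) . "'>\n";

// 3. Inline script: HTML encoding is the wrong tool here, JSON encoding is not.
echo '<script>var user = ' . e_js($name) . ";</script>\n";

// Why escaping on input (the foreach ($_GET as &$value) approach) goes wrong:
// the value is stored already encoded and then encoded again on display,
// so the page shows the entity text instead of the original value. The same
// stored copy is also useless for any non-HTML context such as the script above.
$stored = htmlspecialchars($name); // what an input-side filter would have saved
echo '<p>' . e($stored) . "</p>\n";  // double-encoded on output
```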




