
Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site

I have a PHP board, but it contains XSS security leaks.

If I insert the following XSS payload in the URL address field in IE6,

http://x.x.x.x/xe/?mid=notice&category='"--></style></script><script>alert(0x000640)</script>

(here '"--></style></script><script>alert(0x000640)</script> is the XSS code), the browser shows an alert message with 1600 (it interprets the above code as script).

To prevent XSS, I inserted the following code (if(preg_match('/"/',$target)) return true;):

function _isHackedSrc($src) {
    if (!$src) return false;

    $target = trim($src);
    // Reject whitespace, HTML numeric entities ("&#") and "script:" anywhere in the URL
    if (preg_match('/(\s|(\&\#)|(script:))/i', $target)) return true;
    // Reject data: URLs
    if (preg_match('/data:/i', $target)) return true;

    // Look for admin module/action requests in the query string
    $url_info = parse_url($src);
    $query = isset($url_info['query']) ? $url_info['query'] : '';
    if (!trim($query)) return false;
    $query = str_replace("&amp;", "&", $query);
    $queries = explode('&', $query);
    $cnt = count($queries);
    for ($i = 0; $i < $cnt; $i++) {
        $tmp_str = strtolower(trim($queries[$i]));
        $pos = strpos($tmp_str, '=');
        if ($pos === false) continue;
        $key = strtolower(trim(substr($tmp_str, 0, $pos)));
        $val = strtolower(trim(substr($tmp_str, $pos + 1)));
        if (($key == 'module' && $val == 'admin') || ($key == 'act' && preg_match('/admin/i', $val))) return true;
    }
    return false;
}

but it doesn't work. Please help me.


2 Answers

Do not try checking any input for malicious stuff - it's a fight you always lose.

Instead you need to properly escape any output. For HTML the proper function is htmlspecialchars().

ThiefMaster

Try this:

function _isHackedSrc($src) {
    // Strip HTML tags and backslash-escape quotes before running the checks
    $src = trim(strip_tags(addslashes($src)));
    // ... (rest of the function as in the question)
}

More info: http://r00tsecurity.org/forums/topic/9924-workaround-strip-tags-and-addslashes-in-the-xss/

Lobo

  • Why would anyone use `addslashes`? First of all, he might just output the data and not use it in a query. Second, `addslashes` is **always** bad for queries. You **must** use the escaping function that is appropriate for the database used, e.g. `mysql_real_escape_string` in the case of MySQL with the `mysql` API. `strip_tags` is also bad; it breaks any use of `<`. Those characters should be *escaped*, not *removed*. – ThiefMaster Sep 07 '12 at 11:04
  • With addslashes you get around the problem of the quotes. And user1349407 intends to prevent XSS attacks in the input parameter. With the line of code I put, this attack is avoided. – Lobo Sep 07 '12 at 11:06
  • But in a completely wrong way that breaks stuff and leaves SQL injection holes open - and if you perform escaping for the DB again you'll have backslashes in your actual data. (You should consider deleting this answer; it is extremely wrong and bad and will just earn you more downvotes.) – ThiefMaster Sep 07 '12 at 11:08
  • It makes proper URL links not work... – user1349407 Sep 07 '12 at 11:12
  • I disagree with you @ThiefMaster. Obviously, to avoid SQL injection you must do more than I have indicated, but I still think that what I have is a valid solution for the particular problem the user has described. – Lobo Sep 07 '12 at 11:13
  • ThiefMaster, the problem is not related to SQL injection. – user1349407 Sep 07 '12 at 11:15
  • This is about XSS, which relates to script inserted in the URL address. – user1349407 Sep 07 '12 at 11:15