
I've tried the code below, but it seems the JavaScript is run before the HTTP request is sent to the server.

thanks

<?php

class secure
{
    // array_walk callback: $value is the current element (by reference) and
    // $key its index, but the method ignores $value and rewrites the
    // superglobal entry directly.
    function secureSuperGlobalGET(&$value, $key)
    {
        // Undo magic_quotes backslashes, then HTML-encode (output encoding)
        $_GET[$key] = htmlspecialchars(stripslashes($_GET[$key]));
        // Crude keyword filter: case-insensitively replaces "script"
        $_GET[$key] = str_ireplace("script", "blocked", $_GET[$key]);
        // SQL escaping applied to every value, whether or not it reaches a query
        // (mysql_escape_string is deprecated since PHP 5.3 and removed in 7.0)
        $_GET[$key] = mysql_escape_string($_GET[$key]);
        return $_GET[$key];
    }

    // Same three steps applied to $_POST
    function secureSuperGlobalPOST(&$value, $key)
    {
        $_POST[$key] = htmlspecialchars(stripslashes($_POST[$key]));
        $_POST[$key] = str_ireplace("script", "blocked", $_POST[$key]);
        $_POST[$key] = mysql_escape_string($_POST[$key]);
        return $_POST[$key];
    }

    // Walks both superglobals and mangles every entry in place
    function secureGlobals()
    {
        echo "in here"; // debug output
        array_walk($_GET, array($this, 'secureSuperGlobalGET'));
        array_walk($_POST, array($this, 'secureSuperGlobalPOST'));
    }
}

?>
mrjayviper
  • Not sure what you're trying to do here. You're just mangling those poor strings beyond recognition :) Always escape for the task at hand *only*. Can you clarify what you are trying to prevent in what context? – Pekka Feb 26 '13 at 00:41
  • See [The ultimate clean/secure function](http://stackoverflow.com/q/4223980) – Pekka Feb 26 '13 at 00:42
  • How are you using the values afterwards? Are you storing them in your database or printing them to the user? – Explosion Pills Feb 26 '13 at 00:42
  • If something is happening before the request is sent to the server, you need to post the HTML/Javascript code. – Barmar Feb 26 '13 at 01:06

2 Answers

  1. get rid of your class "secure"
  2. use mysql_[real_]escape_string only for the value that is going into an SQL query as a quoted string
  3. whatever else SQL parts have to be formatted according to their role.
  4. Format SQL parts right before assembling the query, not anywhere else.
  5. or better use placeholders for this

Finally, to answer your question: use htmlspecialchars() on user-submitted values when echoing them out.

Your Common Sense

If the JavaScript is run before the code returns to the server, then this is most likely some form of DOM Based XSS. The JavaScript may be pulling the value of /"><script>alert(1)</script> and placing it directly into the DOM. You may have to change the way this is handled on the client side.

OWASP has a fantastic overview on how to defend against DOM based cross-site scripting attacks, such as these, here: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

eliteparakeet
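Added example, not from the question or either answer, modelling the DOM-based XSS path the second answer describes: the page script reads a parameter from the URL and writes it into the document, so a server-side filter like the `secure` class above never sees the value. It runs under Node for demonstration; in a browser, `applyGreeting(document, location.search)` would be the real entry point. The function names, the sample query string (built from the page's probe value) and the minimal fake `doc` used in the test are this example's own.

```javascript
// Constructed sample: the probe value from the question, URL-encoded as a query parameter.
const SAMPLE_SEARCH = '?name=' + encodeURIComponent('/"><script>alert(1)</script>');

// Read one parameter from a location.search-style string, e.g. "?name=Bob".
function getParam(search, name) {
  return new URLSearchParams(search).get(name) || '';
}

// Encode the five characters that can break out of HTML text or attribute context.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: raw URL data concatenated into markup that would be assigned
// to innerHTML. No request reaches the server before this executes.
function greetingMarkupUnsafe(search) {
  return '<p>Hello ' + getParam(search, 'name') + '</p>';
}

// Hardened variant of the same markup: the untrusted piece is encoded for the
// HTML context it lands in, which is the client-side counterpart of
// htmlspecialchars() at output time.
function greetingMarkupSafe(search) {
  return '<p>Hello ' + encodeForHtml(getParam(search, 'name')) + '</p>';
}

// Review/test check: does a markup string still carry an executable script tag?
function containsScriptTag(markup) {
  return /<\s*script\b/i.test(markup);
}

// Preferred fix: do not build markup from untrusted data at all. Assign the
// value as text so the browser never parses it as HTML. `doc` is passed in so
// the file also loads under Node, where there is no global document.
function applyGreeting(doc, search) {
  const p = doc.createElement('p');
  p.textContent = 'Hello ' + getParam(search, 'name');
  doc.body.appendChild(p);
  return p;
}
```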