I just tested the link below; it will produce an XSS attack on IE11.

http://example.net/test/?"*alert(1)*"

I have found many ways to sanitize the URL parameters. Almost all of the solutions sanitize $_GET's values instead of $_GET's keys, like this one: Sanitize $_GET parameters to avoid XSS and other attacks

But with the URL I provided above, when I print_r my $_GET I get Array ( ["*alert(1)*"] => )

So can I know how to avoid this kind of attack? They attack using $_GET's key instead of its value.

Thanks a lot.

Mavichow
  • There are various ways to do this, but I would suggest reading up on PHP filter_var http://uk1.php.net/manual/en/function.filter-var.php. It provides an easy way to do exactly what you're after. – mic Feb 14 '14 at 08:06
  • It has nothing to do with key or value. It comes down to you echoing out unsanitized HTML. See the reading above, and maybe spend some time on the OWASP site too. – ficuscr Feb 14 '14 at 08:06

2 Answers

XSS attacks occur when printing malicious code, but the code has to be executable according to HTML and JavaScript rules. For instance, printing *alert(1)* will not issue any alert (it will not be executed) if it is not properly written. However,

<script>alert(1)</script>

and

<div onclick="alert(1);"...>

Will be executed.

For more detail, see the XSS (Cross Site Scripting) Prevention Cheat Sheet.

Jason OOO
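The point the answer above makes is that the output context decides whether the reflected text executes, not which half of the query string it came from. One context in which the question's exact payload does execute is a double-quoted JavaScript string literal: reflecting `"*alert(1)*"` between the quotes yields `""*alert(1)*""`, a valid multiplication expression, so `alert(1)` runs. Whether the browser percent-encodes the double quotes before sending the request differs between browsers, which is one reason the result can be browser-dependent. The PHP below is an added example, not code from the question or either answer; it renders the same $_GET data unsafely and safely. The request data is constructed inline to match the URL in the question, and the helper names `h`, `render_unsafe`, `render_safe` and `read_expected_params` are this example's own.

```php
<?php
// Added example (not from the question or answers): the same $_GET data
// rendered unsafely and safely. Helper names are this example's own.

// Constructed input: what PHP builds for http://example.net/test/?"*alert(1)*"
// when the browser sends the double quotes un-encoded.
$sampleGet = ['"*alert(1)*"' => ''];
$sampleQueryString = '"*alert(1)*"';

// Encode for HTML body/attribute context. ENT_QUOTES also escapes ', so the
// result is safe inside single-quoted attributes too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: only values are encoded; the key is printed raw, and the raw
// query string is dropped into a double-quoted JavaScript literal.
function render_unsafe(array $get, string $queryString): string
{
    $out = "<ul>\n";
    foreach ($get as $key => $value) {
        $out .= '  <li>' . $key . ' = ' . htmlspecialchars($value) . "</li>\n";
    }
    $out .= "</ul>\n";
    // The query string lands between the quotes unchanged, so the page
    // contains  var q = ""*alert(1)*"";  which is the valid expression
    // "" * alert(1) * "" and therefore calls alert(1).
    $out .= '<script>var q = "' . $queryString . '";</script>' . "\n";
    return $out;
}

// HARDENED: every untrusted string is encoded for the context it lands in,
// keys included, and the JS value is emitted as a JSON string literal.
function render_safe(array $get, string $queryString): string
{
    $out = "<ul>\n";
    foreach ($get as $key => $value) {
        $out .= '  <li>' . h($key) . ' = ' . h($value) . "</li>\n";
    }
    $out .= "</ul>\n";
    // json_encode yields a quoted JS string; the HEX flags turn < > & ' "
    // into \uXXXX escapes so the literal can neither close </script> nor
    // break out of an attribute if this snippet is ever moved into one.
    $json = json_encode(
        $queryString,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $out .= '<script>var q = ' . $json . ';</script>' . "\n";
    return $out;
}

// Better still: do not iterate over whatever keys the client chose. Read only
// the parameters the page actually defines, and validate them (this is the
// filter_var approach the first comment points at).
function read_expected_params(array $get): array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    return [
        'id' => $id === false ? null : $id, // null when missing or not an int
    ];
}

if (PHP_SAPI === 'cli') {
    echo "--- unsafe ---\n", render_unsafe($sampleGet, $sampleQueryString);
    echo "--- safe ---\n", render_safe($sampleGet, $sampleQueryString);
    var_dump(read_expected_params($sampleGet));
}
```

Run it with `php example.php` and compare the two `<script>` lines: the unsafe one is a live expression, the safe one is an inert string. Note that `htmlspecialchars` alone is the wrong tool for the JavaScript context; it is correct for the `<li>` text, while `json_encode` with the HEX flags is what keeps the value a string literal inside `<script>`.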
Found my solution: I need to rewrite .htaccess to redirect HTTP calls to HTTPS, so that in an HTTPS environment it will prevent XSS attacks when they type it in their URL.

Mavichow