php - Sanitize $_GET parameters to avoid XSS and other attacks -
I have a website in php that contains content (for embedding) in a template page to load Is given in the parameter, I add ".php" at the end of the parameter and include that page I need to do some security check to avoid XSS or other stuff (not because of my SQL injection, because We do not have a database). What have I come up with:
$ page = $ _GET ['page']; If (Stroos (strtolower ($ page), 'http') ||! Strokes ($ page, '/') ||! Strokes ($ page, '\\') ||! Struts ($ page, '. . ')) Attach the ".php" to the {// $ page and include the page
Can I do more to further my input?
$ page = preg_replace ('/ [^ - a-zA-Z0- 9 _ ] / ',' ', $ _GET [' page ']); Which is probably the fastest way to clean it, it will take anything and ensure that it contains only letters, numbers, underscores or dashes.
Comments
Post a Comment