php - Sanitize $_GET parameters to avoid XSS and other attacks -


I have a website in php that contains content (for embedding) in a template page to load Is given in the parameter, I add ".php" at the end of the parameter and include that page I need to do some security check to avoid XSS or other stuff (not because of my SQL injection, because We do not have a database). What have I come up with:

  $ page = $ _GET ['page']; If (Stroos (strtolower ($ page), 'http') ||! Strokes ($ page, '/') ||! Strokes ($ page, '\\') ||! Struts ($ page, '. . ')) Attach the ".php" to the {// $ page and include the page  

Can I do more to further my input?

  $ page = preg_replace ('/ [^ - a-zA-Z0- 9 _ ] / ',' ', $ _GET [' page ']); Which is probably the fastest way to clean it, it will take anything and ensure that it contains only letters, numbers, underscores or dashes. 


Comments

Popular posts from this blog

MySql variables and php -

url rewriting - How to implement the returnurl like SO in PHP? -

Which Python client library should I use for CouchdB? -