
Is this an effective way to protect a PHP file from all XSS attacks?

Discussion in 'PHP & Perl' started by tacopalypse, Jun 6, 2010.

  1. tacopalypse

    tacopalypse Executive VIP Jr. VIP Premium Member

    Joined:
    Nov 30, 2009
    Messages:
    980
    Likes Received:
    2,485
    I'm trying to create a very simple form on my site to handle user-entered data.

    I have an HTML file with a simple form in it, which submits a piece of text to a PHP file for processing.

    Code:
    <form action="page2.php" method="post">
    <input type="text" name="data"/>
    <input type="submit" value="Submit"/>
    </form>
    
    Before doing anything at all with the user-entered text, I replace all non-alphanumeric characters with blank spaces.

    Code:
    $x = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST["data"]);
    
    So my question is: does this method effectively prevent all possible XSS attacks on the PHP file?

    It would be awesome if someone experienced in white-hat hacking could offer their perspective on this :)
     
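    As an added example (not part of tacopalypse's post, and not an answer from the thread), here is the filter from the question wrapped in a function and run next to the standard alternative, output encoding with htmlspecialchars(), over a few constructed inputs. The function names, the sample strings, the handling of a missing POST field and the null check on preg_replace() are my own additions; the regular expression itself is the one from the post.

    ```php
    <?php
    // Added example: compares the strip-to-alphanumeric filter from the post
    // with keeping the data and escaping it at the point it is written into HTML.
    // Function names, sample inputs and the extra checks are assumptions/additions.

    declare(strict_types=1);

    // The poster's filter, as a function. The "?? ''" covers a missing POST
    // field and the null check covers a PCRE error; both are additions.
    function stripToAlnum(?string $input): string
    {
        $out = preg_replace('/[^a-zA-Z0-9\s]/', ' ', $input ?? '');
        if ($out === null) {
            // preg_replace() returns null on error (e.g. invalid UTF-8 with /u);
            // fail closed rather than echo the raw value.
            return '';
        }
        return $out;
    }

    // The usual alternative: keep the raw value and encode it for the context it
    // is written into. For an HTML text node or a quoted attribute this is enough.
    function encodeForHtml(string $input): string
    {
        return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Constructed sample inputs (not from the page): one benign, one legitimate
    // but punctuation-heavy, and three classic XSS probes.
    $samples = [
        'hello world',
        "O'Brien <obrien@example.com>",
        '<script>alert(1)</script>',
        '" onmouseover="alert(1)',
        "javascript:alert('x')",
    ];

    foreach ($samples as $raw) {
        printf("raw:      %s\n", $raw);
        printf("stripped: %s\n", stripToAlnum($raw));
        printf("encoded:  %s\n\n", encodeForHtml($raw));
    }

    // With the stripping filter the value contains only [a-zA-Z0-9] and
    // whitespace, so it cannot close a tag, an attribute quote or a JS string,
    // but "O'Brien <obrien@example.com>" comes back as "O Brien  obrien example com ":
    // the data is gone. With encoding the data survives and the browser shows
    // it as text, in both a text node and a double-quoted attribute:
    $raw = '<script>alert(1)</script>';
    echo '<p>' . encodeForHtml($raw) . '</p>' . PHP_EOL;
    echo '<input type="text" value="' . encodeForHtml($raw) . '">' . PHP_EOL;
    ```

    Run it with `php example.php` from the command line. The point the comparison makes: the filter is safe for HTML output precisely because it throws away every character that could start a tag, attribute, entity or string, which also means it throws away apostrophes, e-mail addresses and anything non-ASCII. Encoding at output keeps the data and is correct for HTML text and quoted attributes; other sinks (unquoted attributes, JavaScript, CSS, URLs) each need their own encoder rather than htmlspecialchars().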
  2. ru ru

    ru ru Junior Member

    Joined:
    Mar 23, 2009
    Messages:
    109
    Likes Received:
    30
    Based on my experience, your method is very effective, because not only do you disallow HTML tags, but also characters which could be used for scripting (i.e. ; :).
     
  3. ru ru

    ru ru Junior Member

    Joined:
    Mar 23, 2009
    Messages:
    109
    Likes Received:
    30
    And btw, use single quotes instead of double quotes when you don't need string processing.

    It's faster.

    E.g. 'Hello world!' instead of "Hello world!".
    Or "Hello world!\n" --> \n will be processed as a new line.
     