I'm working on a website project. I did the data processing using PDO and so I thought it was all OK.
However, I recently ran a test with Acunetix and the result was level 4; XSS was the most-flagged issue.
So, thinking about it, I did a lot of research and started filtering all the data: GET, POST, SERVER.
Example
Is it safe this way?
<?php
// Request method and Referer, both read through filter_input() with FILTER_SANITIZE_STRING
$method_req = filter_input(INPUT_SERVER, 'REQUEST_METHOD', FILTER_SANITIZE_STRING);
$req_referer = filter_input(INPUT_SERVER, 'HTTP_REFERER', FILTER_SANITIZE_STRING);
// After a POST, send the browser back to the page it came from
if ($method_req == 'POST') {
    header('Location: ' . $req_referer);
    exit; // stop the script so nothing is emitted after the redirect header
}
// Rebuild the current URL from the Host header and the request URI
$url_reqhost = filter_input(INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING);
$url_req_url = filter_input(INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_STRING);
$URL_ATUAL = "https://" . $url_reqhost . $url_req_url;
// Form field from the POST body, sanitized the same way
$filtrar_estilo = filter_input(INPUT_POST, 'estilo', FILTER_SANITIZE_STRING);
Summarizing what I've done for safety:
- Use of PDO
- Character restriction in .htaccess (', ", etc. are blocked; only letters and numbers pass)
- Blocking direct access to .php files
- Data filtering for POST/GET/SERVER
What I need
- What I need most at the moment is tips and ideas to complement my code, especially on this GET/POST security issue.
- Is it necessary to filter Session as well?
- What is the best filter to validate data instead of FILTER_SANITIZE_STRING? (The project will never receive quotes or anything similar; letters and numbers only.)
Everything is within the central theme of the post (filtering input).
– Gabriel
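An added example, not Gabriel's code, showing the approach a reviewer would suggest for the snippet above. FILTER_SANITIZE_STRING (deprecated since PHP 8.1) strips tags, but it is the wrong tool for the two real problems here: XSS is prevented by encoding data at the point where it is written into HTML, and the field that must only ever contain letters and numbers should be validated against that rule and rejected otherwise. Redirecting to whatever the client sent as Referer, and building a URL from HTTP_HOST, both let the request choose the destination. The constant CANONICAL_HOST (example.com) and the helper names validate_alnum, e and safe_redirect_target are assumptions of this example; the sample inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// The site's own host comes from configuration, not from $_SERVER['HTTP_HOST'],
// which the client controls. Assumption for this example: replace with the real host.
const CANONICAL_HOST = 'example.com';

// Allowlist validation: the post says the field only ever holds letters and digits.
// Returns the value, or null meaning "reject the request", never a cleaned-up version.
function validate_alnum(?string $value, int $max = 64): ?string
{
    if ($value === null) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9]{1,' . $max . '}$/']]);
    return $ok === false ? null : $ok;
}

// Output encoding: XSS is fixed where data meets HTML, not where it arrives.
// ENT_QUOTES covers both attribute quote styles, ENT_SUBSTITUTE avoids an empty
// result on invalid UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Post-redirect-get without echoing the Referer back into Location: accept only
// an http(s) URL on this host, or a relative path, and return a path on this site.
function safe_redirect_target(?string $referer, string $fallback = '/'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;                       // javascript:, data:, etc.
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], CANONICAL_HOST) !== 0) {
        return $fallback;                       // another site, including //evil.example/x
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//') || str_contains($path, '\\')) {
        return $fallback;                       // scheme-relative or backslash tricks
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Demo on constructed inputs.
$samples = [
    'abc123',
    '<script>alert(1)</script>',
    'x onmouseover=alert(1)',   // tag stripping leaves this intact; it breaks an unquoted attribute
];
foreach ($samples as $s) {
    printf("%-28s validate_alnum: %s\n", $s, var_export(validate_alnum($s), true));
}
// The same kind of untrusted string, encoded for an HTML body or quoted attribute:
echo e('x" onmouseover="alert(1)'), "\n";

foreach (['https://example.com/form?p=1', 'https://evil.example/phish', '//evil.example/x', 'javascript:alert(1)', null] as $r) {
    echo var_export($r, true), ' -> ', safe_redirect_target($r), "\n";
}
```

The pattern is validate on input (reject, do not repair), encode on output per context, and never let a client-supplied header choose a redirect target or the host in generated URLs. Session data is whatever your own code stored, so it needs no input filter, but it is still encoded with e() when rendered.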
Besides that, I do a str_replace and strip unwanted characters. When I have a file upload, I validate the contents of the file so that only images or PDFs can be uploaded.
– Jasar Orion
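One way to do the content-based upload check the comment above describes, as an added example that is not Jasar Orion's code: the accepted type is decided from the file's bytes via finfo (never from $_FILES['type'] or the extension), images must also parse with getimagesize(), PDFs must start with %PDF-, and the stored name is generated server-side. The ALLOWED_TYPES list, the helper names classify_upload and store_upload, and the sample files written to the temp directory are constructed for this example.

```php
<?php
declare(strict_types=1);

// Allowed content types, keyed by the MIME type finfo reports from the bytes.
// The value is the extension the file is stored under.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Returns the extension to store the file under, or null to reject it.
function classify_upload(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;                         // e.g. text/x-php renamed to .jpg
    }
    if (str_starts_with($mime, 'image/')) {
        // Require that PHP's image parser accepts the file, not just the magic bytes.
        if (@getimagesize($path) === false) {
            return null;
        }
    } else {
        // PDF: require the header at offset 0.
        if (file_get_contents($path, false, null, 0, 5) !== '%PDF-') {
            return null;
        }
    }
    return ALLOWED_TYPES[$mime];
}

// Moves an entry of $_FILES into $dir under a random server-generated name.
// The client-supplied filename is never used on disk.
function store_upload(array $file, string $dir, int $maxBytes = 5 * 1024 * 1024): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = classify_upload($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Demo on constructed files (no real upload needed).
$tmp = sys_get_temp_dir();
$png = $tmp . '/probe.png';   // a 1x1 PNG
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$fake = $tmp . '/probe.jpg';  // PHP source wearing an image extension
file_put_contents($fake, "<?php echo 'not an image'; ?>");
$pdf = $tmp . '/probe.pdf';   // minimal PDF-looking file
file_put_contents($pdf, "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n1 0 obj << >> endobj\ntrailer << >>\n%%EOF\n");

foreach ([$png, $fake, $pdf] as $f) {
    printf("%-10s -> %s\n", basename($f), var_export(classify_upload($f), true));
}
```

Serving the stored files from a directory where PHP execution is disabled (the .htaccess "block direct access to .php" rule from the question applies here too) keeps a file that passes the check but carries embedded script from ever being executed.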