Cross-Site Scripting (XSS) and how to protect yourself against them

by JamieLeSouef on 12/30/2011

Tech Radar has put together a rather simple, but good starting point on what XSS is and how simple it is to avoid it. Worth a read!

Using a good framework such as Zend or Code Igniter helps. These hardened PHP frameworks have been developing their security modules for some time and will be better than anything you can come up with in a day.

With Zend, make sure you grab everything using the getParam method in your controller, like so:

$this->getRequest()->getParam('yourVar');

This will escape and remove most nasty information from user supplied data. But not everything. Make sure you sanitize the data based on what you expect to receive. If it’s a username, make sure that all non-alphanumeric characters are removed; the same goes for the password. Phone numbers should contain only digits, and so on.

PHP’s filter extension is extremely powerful and should be in any good developer’s arsenal of well understood techniques. Here is a list of the available sanitizers and validators for you to play with:

Sanitize

FILTER_SANITIZE_EMAIL
FILTER_SANITIZE_ENCODED
FILTER_SANITIZE_MAGIC_QUOTES
FILTER_SANITIZE_NUMBER_FLOAT
FILTER_SANITIZE_NUMBER_INT
FILTER_SANITIZE_SPECIAL_CHARS
FILTER_SANITIZE_FULL_SPECIAL_CHARS
FILTER_SANITIZE_STRING
FILTER_SANITIZE_STRIPPED
FILTER_SANITIZE_URL
FILTER_UNSAFE_RAW

Validate

FILTER_VALIDATE_BOOLEAN
FILTER_VALIDATE_EMAIL
FILTER_VALIDATE_FLOAT
FILTER_VALIDATE_INT
FILTER_VALIDATE_IP
FILTER_VALIDATE_REGEXP
FILTER_VALIDATE_URL

If you are google-inept, here is the page on PHP filters
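As an added example (not code from the original post), here is the pattern the list above supports in practice: validate each parameter against what you expect with filter_var, reject anything that does not fit instead of trying to clean it, and encode with htmlspecialchars at the point of output. The field names and the sample request are constructed for this demonstration; it deliberately avoids FILTER_SANITIZE_STRING and FILTER_SANITIZE_MAGIC_QUOTES, which later PHP versions deprecated or removed.

```php
<?php
// Added example (not from the original post): validate inbound parameters with
// PHP's filter extension, then HTML-encode at output. Field names and the
// sample request below are constructed for this demonstration.
declare(strict_types=1);

// Constructed sample request, standing in for $_GET / $_POST.
$request = [
    'username' => 'jamie<script>alert(1)</script>',
    'email'    => 'jamie@example.com',
    'phone'    => '0412 345 678',
];

// Whitelist rather than "clean": letters, digits, underscore, 3 to 32 chars.
// Anything else is rejected, so there is no guessing what survives sanitising.
function readUsername(array $src): ?string
{
    $opts = ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']];
    $v = filter_var($src['username'] ?? '', FILTER_VALIDATE_REGEXP, $opts);
    return $v === false ? null : $v;
}

function readEmail(array $src): ?string
{
    $v = filter_var($src['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Keep only digits, then check length: a value made of nothing but
// punctuation must not collapse into an empty "valid" phone number.
function readPhone(array $src): ?string
{
    $d = (string) filter_var($src['phone'] ?? '', FILTER_SANITIZE_NUMBER_INT);
    $d = str_replace(['+', '-'], '', $d); // NUMBER_INT leaves sign characters in
    return preg_match('/^\d{8,15}$/', $d) === 1 ? $d : null;
}

// Output encoding is the actual XSS defence: encode for the HTML context at
// the point of output, regardless of what validation happened earlier.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = readUsername($request) ?? 'invalid username'; // rejected: contains < > /
echo '<p>User: ', h($name), ' Email: ', h(readEmail($request) ?? ''),
     ' Phone: ', h(readPhone($request) ?? ''), '</p>', PHP_EOL;
```

Run with `php example.php`: the username is rejected outright, the email passes validation unchanged, and the phone number is reduced to its ten digits before being encoded for output.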
