Cross-Site Scripting (XSS) and how to protect yourself against it
12/30/2011
Tech Radar has put together a rather simple but good starting point on what XSS is and how simple it is to avoid. Worth a read!
Using a good framework such as Zend or Code Igniter helps. These hardened PHP frameworks have had security modules under development for some time and will be better than anything you can come up with in a day.
With Zend, make sure you grab everything using the getParam method in your controller, like so:
$this->getRequest()->getParam('yourVar');
This will escape and remove most nasty information from user-supplied data. But not everything. Make sure you sanitize the data based on what you expect to receive. If it's a username, make sure that all non-alphanumeric characters are removed; the same goes for the password. Phone numbers should contain only digits, and so on.
PHP's filter functions are extremely powerful and should be in any good developer's arsenal of well-understood techniques. Here is a list of the available sanitize and validate filters for you to play with:
Sanitize
FILTER_SANITIZE_EMAIL
FILTER_SANITIZE_ENCODED
FILTER_SANITIZE_MAGIC_QUOTES
FILTER_SANITIZE_NUMBER_FLOAT
FILTER_SANITIZE_NUMBER_INT
FILTER_SANITIZE_SPECIAL_CHARS
FILTER_SANITIZE_FULL_SPECIAL_CHARS
FILTER_SANITIZE_STRING
FILTER_SANITIZE_STRIPPED
FILTER_SANITIZE_URL
FILTER_UNSAFE_RAW
Validate
FILTER_VALIDATE_BOOLEAN
FILTER_VALIDATE_EMAIL
FILTER_VALIDATE_FLOAT
FILTER_VALIDATE_INT
FILTER_VALIDATE_IP
FILTER_VALIDATE_REGEXP
FILTER_VALIDATE_URL
If you are Google-inept, here is the page on PHP filters.
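As an added example that is not part of the original post, here is how the validate filters above fit together in practice: each field is checked against what it is expected to contain (alphanumeric username, digits-only phone number), rejected rather than "cleaned" when it does not match, and HTML-encoded when echoed back. The field names, rules and sample request are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): validate each field against what
// it is expected to contain using PHP's filter extension, then HTML-encode on
// output. Field names, rules and the sample request below are constructed.
declare(strict_types=1);

// Whitelist rules: one validate filter (plus options) per expected field.
const FIELD_RULES = [
    'username' => [FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]],
    'email'    => [FILTER_VALIDATE_EMAIL, []],
    'age'      => [FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]],
    'phone'    => [FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^\+?[0-9]{7,15}$/']]],
];

/**
 * Returns [validated fields, list of rejected field names].
 * Unknown fields are dropped; fields that fail validation are rejected, not "cleaned".
 */
function validate_input(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $name => [$filter, $options]) {
        // FILTER_NULL_ON_FAILURE makes a failed filter return null instead of false.
        $value = filter_var($input[$name] ?? null, $filter, $options + ['flags' => FILTER_NULL_ON_FAILURE]);
        if ($value === null) {
            $errors[] = $name;
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $errors];
}

// Encode for an HTML text context; this, not input filtering, is what stops a stored
// value from being interpreted as markup when it is echoed back to a browser.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: the username carries a tag, the age is not a number.
$sample = ['username' => 'bob<script>', 'email' => 'bob@example.com', 'age' => 'abc', 'phone' => '+15551234567'];
[$clean, $errors] = validate_input($sample);
// $errors is ['username', 'age']; $clean holds email and phone only.
echo 'Rejected: ' . implode(', ', array_map('html', $errors)) . "\n";
foreach ($clean as $k => $v) {
    echo html($k) . ' = ' . html((string) $v) . "\n";
}
```

Of the sanitize filters listed above, FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0 and FILTER_SANITIZE_STRING / FILTER_SANITIZE_STRIPPED are deprecated since PHP 8.1, so on current PHP the validate filters plus output encoding are the ones to rely on.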