2014年6月12日 星期四

An easy way to fix SQL injection and XSS

In my current case, I find some PHP codes have flaws in SQL injection and  XSS.

After analyzing the codes, I find that the URL pameters are usual in numeric type.

So, I just add the codes in the PHP file below:

/* Jyun-Yao Huang modified on 2014/06/12: 
* Check the values of $_GET are in numeric type or not.
* If some values are not in numeric type, then set them as null.
* If some values are in numeric, then strip them.
*/
foreach ($_GET as $key => $value) {
if (! is_numeric($value)) {
$_GET[$key] = null;
} else {
$_GET[$key] = mysql_real_escape_string($value);
}
}


沒有留言:

張貼留言