All,
I have some code in a standard Nuke install. This code is in mainfile.php
which is included in every file. Is this preventing injections ? Is there a
better way to write this code ? I am trying to make sense of it all.
Should the same eregi expressions be added to the POST loop as well. I do
not need ANY tags to be submitted from the user at all.
foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("\.\.", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue))) {
Header("Location: index.php");
die();
}
}
foreach ($_POST as $secvalue) {
if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
header("Location: index.php");
die();
}
}
Many thanks. 1 1653
"StinkFinger" <st****@pinky.com> wrote in message
news:10*************@corp.supernews.com... All, I have some code in a standard Nuke install. This code is in mainfile.php which is included in every file. Is this preventing injections ? Is there
a better way to write this code ? I am trying to make sense of it all.
Should the same eregi expressions be added to the POST loop as well. I do not need ANY tags to be submitted from the user at all.
foreach ($_GET as $secvalue) { if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) || (eregi("\.\.", $secvalue)) || (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) || (eregi("\([^>]*\"?[^)]*\)", $secvalue)) || (eregi("\"", $secvalue))) { Header("Location: index.php"); die(); } }
foreach ($_POST as $secvalue) { if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) { header("Location: index.php"); die(); } }
Many thanks.
First, use $_REQUEST instead - it's basically both $_GET and $_PUT merged
together.
As for tags, just pass it through htmlspecialchars() and/or strip_tags() to
make it fully textual.
Garp This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: TG |
last post by:
Dear PHP Group,
I have two forms that are used to collect user information. The first one
takes user inputted values such as fullname, city, address etc. I want these
values to display in the...
|
by: Dave Smithz |
last post by:
Hi there,
I have a situation where I want to have multiple submit buttons on the same
form and therefore want to use a redirection php script that checks the
value associated with the submit...
|
by: Marcus |
last post by:
Hi All,
I was wondering if there is a way to ensure that when submitting forms
and using POST vars, the page sending the form resides on the same
server as the destination page specified in the...
|
by: Asp Help |
last post by:
I'm working on a ASP applicatition to create Windows 2000 users.
Because I don't want everybody to have access to the site I've changed
te security in IIS 5.0 which runs on a windows 2000 Sp4...
|
by: wumingshi |
last post by:
Hi,
When validating an XML instance, sometimes the schema is not enough to
expression the validation rules. Additional validation rules may be
expressed in an application-specific way. For...
|
by: Robert Oschler |
last post by:
I am working on a PHP 4 app that interacts with an external authorization
server. The external server does "third-party" authorization of users.
So I do the following:
1) Each of my PHP scripts...
|
by: GEO Me |
last post by:
I have read a few comments against doing validation using
JavaScript, and when I found a page that seems to do validation using
POST I wondered what would happen if I pasted a long sentence from...
|
by: Matt |
last post by:
When we submit the form data to another page, we usually do the following:
<form action="display.aspx" method="post"> will submit the form data and
open
display.asp in the current browser
...
|
by: Gert |
last post by:
Hi,
I have a form (server side) because of the filling of variables through the
application. But now I need to post it to an url on submit.
My .HTML form looks like this, but how to translate it...
|
by: Bjorn |
last post by:
Hi.
Every time i post data in a form the contents are being checked for
validity.
When i click the back-button, all data is gone and i have to retype it.
It's obvious that only a few or none of...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |