
GET and POST tag checks

All,
I have some code in a standard Nuke install. This code is in mainfile.php
which is included in every file. Is this preventing injections? Is there a
better way to write this code? I am trying to make sense of it all.

Should the same eregi expressions be added to the POST loop as well? I do
not need ANY tags to be submitted from the user at all.

foreach ($_GET as $secvalue) {
    // Note: in these patterns the "*" applies only to the letter before it,
    // so "script*" matches "scrip" followed by zero or more "t".
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("\.\.", $secvalue)) ||                   // ".." (directory traversal)
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||      // anything inside parentheses
        (eregi("\"", $secvalue))) {                     // any double quote
        header("Location: index.php");
        die();
    }
}

foreach ($_POST as $secvalue) {
    // POST values only get the script check.
    if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
        header("Location: index.php");
        die();
    }
}

Many thanks.
Jul 17 '05 #1
1 Reply


"StinkFinger" <st****@pinky.com> wrote in message
news:10*************@corp.supernews.com...

First, use $_REQUEST instead - it's basically both $_GET and $_POST merged
together.

As for tags, just pass it through htmlspecialchars() and/or strip_tags() to
make it fully textual.

Garp
Jul 17 '05 #2
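The approach the reply suggests, written out as an added example (this is not code from the thread or from PHP-Nuke's mainfile.php): instead of redirecting when a denylist regex fires, every GET and POST value is reduced to plain text with strip_tags() and htmlspecialchars(), and a separate allowlist covers the one case encoding cannot help with, a value used as a file or module name (what the original "\.\." check was for). It assumes PHP 7 or later (eregi() was removed in PHP 7) and HTML output; the function names textOnly() and safeName() are invented here.

```php
<?php
// Added example, not code from the thread or from PHP-Nuke's mainfile.php.
// Assumes PHP 7 or later (eregi() was removed in PHP 7) and that values are
// echoed into HTML. textOnly() and safeName() are names made up for this example.

/**
 * Return a copy of $params in which every scalar value has been made plain
 * text, as the reply suggests: strip_tags() removes markup, then
 * htmlspecialchars() encodes <, >, &, " and ' so whatever remains is shown
 * literally instead of being interpreted by the browser. Nested arrays
 * (e.g. foo[]=1&foo[]=2) are handled recursively.
 */
function textOnly(array $params): array
{
    $clean = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = textOnly($value);
        } else {
            $clean[$key] = htmlspecialchars(
                strip_tags((string) $value),
                ENT_QUOTES | ENT_HTML5,
                'UTF-8'
            );
        }
    }
    return $clean;
}

/**
 * Encoding does nothing for the case the original "\.\." check guarded: a
 * value used as a file or module name. For that, accept only a short
 * allowlist of characters and return null for everything else.
 */
function safeName(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1 ? $value : null;
}

// Apply the same treatment to GET and POST; the original code filtered
// them differently, which is what the question was about.
$safeGet  = textOnly($_GET);
$safePost = textOnly($_POST);

// Constructed sample input for a quick local run (php this_file.php).
$sample = ['name' => "O'Brien <b>bold</b>", 'module' => '../admin'];
var_dump(textOnly($sample));
var_dump(safeName($sample['module']));
var_dump(safeName('News'));
```

The encoded values are safe to echo into HTML; keep the raw $_GET/$_POST values for anything that is not HTML output (database queries need their own parameterisation, not this).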
