Is XSS and SQL protection correct?
Every time I add records to the database I have to check them for SQL injection, and I have to check for XSS constantly as well.
I decided to make a simple method. I insert this code at the very beginning of everything.
P.S. I left comments so there is no need to dig into it:
function saveArray($arr) { // Function to protect against XSS and SQL
    $r = array(); // Create the array that will be returned
    foreach ($arr as $k => $v) { // For each element of the array being filtered
        if (strstr((string) $k, 'no-save')) // If the array key contains the word 'no-save'
            continue; // skip to the next one
        if (is_array($v)) { // If it is an array (checked first, so ctype_digit never sees an array)
            $r[$k] = saveArray($v); // run it through the function recursively
            continue; // Next
        }
        if ($v == "") { // If the value is empty
            $r[$k] = false; // the value becomes false
            continue; // Next
        }
        if (ctype_digit($v)) { // If every character in the string is a digit
            $r[$k] = (int) $v; // convert to int
            continue; // Next
        }
        $r[$k] = htmlspecialchars($v); // Otherwise escape all HTML characters (was written to $arr, so the value got lost)
    }
    return $r; // Return the array
}
$_GET = saveArray($_GET); // Filter $_GET
$_POST = saveArray($_POST); // Filter $_POST
Earlier, PHP had this piece of "uselessness" out of the box; it was called magic quotes.
1) Prepared statements save you from SQL injections.
2) XSS must be filtered when information is displayed, not when it is entered, because there is always a chance of missing something.
// If all characters in the string are digits
// convert to int type
This way you can damage strings of digits that have leading zeros.
Mass checks are evil. There is always the possibility of missing something.
Learn filter_var, do htmlspecialchars exclusively on output, and use exclusively prepared statements.
You must always specify the rules for validating incoming data manually; then you know that you have applied the necessary filter.
ctype_digit does not fit at all.
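The approach this answer recommends (explicit rules per field with filter_var, a prepared statement for the INSERT, htmlspecialchars only at output), together with the leading-zeros problem raised in the earlier answer, as an added PHP example that is not code from the question or from any answer; the users table, its columns and the in-memory SQLite database are assumptions for the demo.

```php
<?php
// Added example, not code from the question or any answer: per-field validation with
// filter_var, a prepared statement for the INSERT, and escaping only at output.
// The "users" table and the in-memory SQLite database are assumptions for the demo.
declare(strict_types=1);

// 1. Explicit rules per field instead of one blanket saveArray() over $_POST.
function validateUserInput(array $post): array
{
    $clean = [];
    $errors = [];
    // "age" really is a number; filter_var returns false for anything else.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) { $errors[] = 'age must be an integer 0..150'; } else { $clean['age'] = $age; }
    // "zip" is made of digits but is NOT a number: keep it a string so leading
    // zeros survive (ctype_digit + (int) would turn "01234" into 1234).
    $zip = $post['zip'] ?? '';
    if (!is_string($zip) || !preg_match('/^\d{5}$/', $zip)) { $errors[] = 'zip must be 5 digits'; } else { $clean['zip'] = $zip; }
    // "name" is free text: stored unchanged, no htmlspecialchars on input.
    $name = $post['name'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 100) { $errors[] = 'name is required, max 100 bytes'; } else { $clean['name'] = $name; }
    return [$clean, $errors];
}

// 2. Prepared statement: values are bound, never concatenated into the SQL text,
//    so the apostrophe in "O'Brien" cannot break the query.
function insertUser(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, age, zip) VALUES (:name, :age, :zip)');
    $stmt->execute([':name' => $clean['name'], ':age' => $clean['age'], ':zip' => $clean['zip']]);
}

// 3. Escape at output, for the context the value lands in (an HTML table cell here).
function renderUserRow(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $h($row['name']) . '</td><td>' . $h((string) $row['age'])
         . '</td><td>' . $h($row['zip']) . '</td></tr>';
}

// Constructed request data, run offline against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT, age INTEGER, zip TEXT)');
[$clean, $errors] = validateUserInput(['name' => "O'Brien <b>x</b>", 'age' => '42', 'zip' => '01234']);
if ($errors) { exit(implode("\n", $errors) . "\n"); }
insertUser($pdo, $clean);
foreach ($pdo->query('SELECT name, age, zip FROM users') as $row) {
    echo renderUserRow($row), "\n"; // zip is still "01234"; the quote and tags in name are escaped
}
```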
I've been using $var = abs(intval($var)); as a shortcut for a long time.
The output is a positive number or zero. Works rock-solid.
With minor changes you can do the same with abs(floatval($var));