A Quick Look at Cross Site Scripting - Coding for our safety (
Page 6 of 6 )
Let’s define a simple function to prevent the querysting from being tampered with external code. The function “validateQueryString()” is the following:
<?php
function validateQueryString ( $queryString , $min=1,
$max=32 ) {
if ( !preg_match ( "/^([a-zA-Z0-9]{".$min.",".$max."}=[a-zA-Z0-9]{".$min.",".$max."}&?)
+$/", $queryString ) ) {
return false;
}
return true;
}
?>
Once we have defined this function, we call it this way:
<?php
$queryString = $_SERVER[‘QUERY_STRING’];
if ( !validateQueryString ( $queryString ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Let’s break down the code to see it in detail.
The function performs pattern matching to the querystring passed as a parameter, checking to see if it matches the standard format of a querystring, including GET variable names that only contain the numbers 0-9 and valid letters either in lowercase or uppercase. Any other characters will be considered as invalid. Also, we have specified as a default value that variables can be from 1 to 32 characters long. If matches are not found, the function returns false. Otherwise, it will return true.
Next, we have performed validation on the querystring by calling the function. If it returns false -- that is, the querystring contains invalid characters -- the user will be taken to an error page, or whatever you like to do. If the function returns true, we just display a welcome message.
Of course, most of the time, we really know what variables to expect, so our validation function can be significantly simplified.
Given the previous URL,
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=John
where the “name” variable is expected, we might write the new “validateAlphanum()” function:
<?php
function validateAlphanum( $value , $min = 1 , $max =
32 ) {
if ( !preg_match( "/^[a-zA-Z0-9]{".$min.",".$max."}
$/", $value ) ) {
return false;
}
return true;
}
?>
and finally validate the value like this:
<?php
$name = $_GET[‘name’];
if ( !validateAlphanum ( $name ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
The concept is the same as explained above. The only noticeable difference is that we’re taking in the “name” variable as the parameter for the “validateAlphanum()” function and checking if it contains only the allowed characters 0-9, a-z and A-Z. Anything else will be considered an invalid input.
If you’re a strong advocate of object oriented programming, as I am, we might easily include this function as a new method for an object that performs user data validation. Something similar to this:
<?php
$name = $_GET[‘name’];
// get variable value
$dv = &new dataValidator();
// instantiate new data
validator object
if ( !$dv->validateAlphanum( $name ) ) {
// execute validation method
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Pretty simple, isn’t it?
In order to avoid Cross Site Scripting, several approaches can be taken, whether procedural or object-oriented programming is your personal taste.
In both cases, we’ve developed specific functions to validate querystrings and avoid tampered or unexpected user input data, demonstrating that Cross Site Scripting can be prevented easily with some help coming from our favorite server-side language.
Conclusion
As usually, dealing with user input data is a very sensitive issue, and Cross Site Scripting falls under this category. It is a serious problem that can be avoided with some simple validation techniques, as we have seen through this article.
Building up robust applications that won’t make poor assumptions about visitor’s input is definitely the correct way to prevent Cross Site Scripting attacks and other harmful techniques. Client environments must always be considered as a pretty unsafe and unknown territory. So, for the sake of your website’s sanity and yours, keep your eyes open.
| | Discuss A Quick Look at Cross Site Scripting | | | | | | | Woah, the possibilities of this have never crossed my mind. Great article! | | | | | | Um, how is this solution better than using such built-in PHP functions as... | | | | | |
I always use this:
<?php
/**
* Remove slashes, tags and ASCIIZ from GET,... | | | | | | You *never* *ever* do something like:
echo $_GET['variable'];
this does not... | | | | | | Hello,
I'm the author of the article.Cheers.
I totally agree that echoing GET... | | | | | | Hello,
Because I wrote the article, I must thank you for the comment. It's great... | | | | | | Hello again,
Also,it's worthy considering that JavaScript embbeded into links, is... | | | | | | I don't think this article creates a real scary threat, If you use javascript to... | | | | | | Hello,
Thank you for commenting on my article. With regard to your comment I must... | | | | | | the problem is you're not actually *validating* your input. You're just altering it... | | | | | | Thank you for your comments on this article. Well, you're correct when you say the... | | | | | | First it need to be noted that no php security scripting will replace a improperly... | | | | | | whichever admin reviewed the above scripts i submitted screwed them up.
there... | | | | | | here is the second one that requires CCISECURITY.PHP
<?php
#####
#
# ... | | | | | | here is the third one i mentioned .
it is a stand-alone secueirty class providing... | | | | | | Thank you for posting this extremely useful set of classes with reference to... | | | | | | As I posted before, I greatly appreciate the group of excellent classes you listed... | | | | | | >>> Post your comment now! | | | | | |
|
 |
