views: 127

answers: 3

One guy tried to exploit it using this script:

http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E

How do I stop it?

He also said that it is vulnerable to XSS and LPI... Please help me stop it.

Thanking You,

+6  A: 

You need to HTML-encode all user-entered data that you output, including the user's search string.

To be safe, HTML-encode all values that are not explicitly meant to be HTML code.

RedFilter
A: 

Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?

Something along the lines of "Your search of 'something' returned 0 results"?

You need to encode any user entered data before displaying it.

Brandon
Yeah, that's exactly what I'm doing! So is it safe? And how do I counter it?
5416339
No, it's not safe. Any time you're displaying a value that is user-entered, you need to encode it. You can't trust them to enter harmless data. See Novikov's answer for an easy way to fix your problem.
Brandon
+3  A: 

The quick solution is to:

<?php echo htmlspecialchars($blah, ENT_QUOTES, 'UTF-8'); ?>

instead of

<?php echo $blah; ?>

The long solution is to read a book on web site security.

Novikov
I did that.. but it is still vulnerable, right?
5416339
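Worked example, added here and not part of any of the answers above: a minimal PHP search-results page that shows the raw echo from the question beside the encoded version RedFilter and Novikov describe. The decoded payload is taken from the URL in the question; the page layout, the function names `h`, `renderUnsafe` and `renderSafe`, and the "returned N results" wording are constructed for this example. The payload begins with `">`, so it is aimed at breaking out of the `value="..."` attribute of the search box, which is why the attribute context is encoded as carefully as the text context.

```php
<?php
// Added example (not the original answers' code): the unsafe echo from the
// question next to a hardened version. SAMPLE_PAYLOAD is the decoded query
// string from the question's URL; everything else here is constructed.

declare(strict_types=1);

// Decoded "search" parameter from the question: it closes the surrounding
// attribute with "> and then injects a <script> element.
const SAMPLE_PAYLOAD = '"><script>alert(String.fromCharCode(72)+String.fromCharCode(105));</script>';

// Encode a value for HTML text or for a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning '' (which would silently drop the output).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern from the question: the query string is echoed raw
// into both an attribute and the page text.
function renderUnsafe(string $search, int $count): string
{
    return '<form><input name="search" value="' . $search . '"></form>'
         . '<p>Your search of \'' . $search . '\' returned ' . $count . ' results</p>';
}

// Hardened version: every point where user data is interpolated goes
// through h(). The copy placed inside a URL is first urlencode()d (URL
// context) and then h()'d (attribute context); each context gets its own
// encoder, applied in that order.
function renderSafe(string $search, int $count): string
{
    return '<form><input name="search" value="' . h($search) . '"></form>'
         . '<p>Your search of \'' . h($search) . '\' returned ' . $count . ' results</p>'
         . '<a href="/web-search.phtml?search=' . h(urlencode($search)) . '&amp;page=2">next</a>';
}

// Use the real query when served over HTTP, the sample payload when run from the CLI.
$search = $_GET['search'] ?? SAMPLE_PAYLOAD;

// Declaring the charset matters: it stops the browser from guessing an
// encoding in which some bytes could be re-interpreted as markup.
header('Content-Type: text/html; charset=UTF-8');

if (PHP_SAPI === 'cli') {
    // Side-by-side view for the reader: the unsafe output still contains a
    // live <script> tag, the safe output contains only &lt;script&gt;.
    echo "UNSAFE:\n", renderUnsafe($search, 0), "\n\n";
    echo "SAFE:\n",   renderSafe($search, 0),   "\n";
} else {
    echo renderSafe($search, 0);
}
```

Run it with `php search.php` to see both renderings, or serve it with `php -S 127.0.0.1:8080 search.php` and request `/?search=%22%3E%3Cscript%3E...` to confirm the script no longer executes. The only difference between the two functions is that every `$search` passes through an encoder appropriate to where it lands; that is the whole fix, and it has to be applied at every output point, not just the one the attacker happened to try.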