In my current case, I found that some PHP code has SQL injection and XSS flaws.
After analyzing the code, I found that the URL parameters are usually numeric.
So I simply added the following code to the PHP file:
/* Jyun-Yao Huang modified on 2014/06/12:
 * Check whether the values of $_GET are numeric or not.
 * If a value is not numeric, set it to null.
 * If a value is numeric, escape it.
 *
 * Note: mysql_real_escape_string() needs an open mysql_* connection, so this
 * must run after mysql_connect(). is_numeric() also accepts floats and
 * exponent notation such as "1e3", not only integers.
 */
foreach ($_GET as $key => $value) {
    if (! is_numeric($value)) {
        // Non-numeric input is dropped entirely rather than escaped.
        $_GET[$key] = null;
    } else {
        // Numeric input is kept, escaped for use in a MySQL query string.
        $_GET[$key] = mysql_real_escape_string($value);
    }
}
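As an added example (not the original post's code), here is the same "numeric only" idea with a stricter integer check and a PDO prepared statement, so the value never needs escaping at all. The input array, table name and column names are constructed for illustration, and the database part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not the original post's code: strict integer whitelist
// on the $_GET-style input, then a parameterised query.

// Constructed $_GET-style input, as a request would deliver it.
$input = [
    'id'   => '42',            // plain integer: accepted
    'page' => '1e3',           // passes is_numeric(), but is not an integer
    'rate' => '1.5',           // passes is_numeric(), but is not an integer
    'q'    => "1' OR '1'='1",  // injection attempt: rejected by both checks
];

// Strict whitelist: FILTER_VALIDATE_INT returns an int or false, so only
// a base-10 integer survives; everything else becomes null.
function validate_int_params(array $params): array
{
    $clean = [];
    foreach ($params as $key => $value) {
        $int = filter_var($value, FILTER_VALIDATE_INT);
        $clean[$key] = ($int === false) ? null : $int;
    }
    return $clean;
}

$clean = validate_int_params($input);
var_dump($clean['id'], $clean['page'], $clean['rate'], $clean['q']);

// Hypothetical table in an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO article (id, title) VALUES (42, 'first post')");

// The validated integer is bound as a parameter, never concatenated into
// the SQL string, so mysql_real_escape_string() is no longer needed.
$stmt = $pdo->prepare('SELECT title FROM article WHERE id = :id');
$stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
$stmt->execute();
$title = $stmt->fetchColumn();

// For the XSS side, escape on output rather than on input.
echo htmlspecialchars((string) $title, ENT_QUOTES, 'UTF-8'), "\n";
```

Only `id` survives validation here; `page` and `rate` would have passed the post's is_numeric() check but are rejected as non-integers.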