An easy way to fix SQL injection and XSS

Posted on 2014-06-12 by Allen

In my current case, I find some PHP codes have flaws in SQL injection and  XSS.

After analyzing the codes, I find that the URL pameters are usual in numeric type.

So, I just add the codes in the PHP file below:

/* Jyun-Yao Huang modified on 2014/06/12: 
 * Check the values of $_GET are in numeric type or not. 
 * If some values are not in numeric type, then set them as null. 
 * If some values are in numeric, then strip them. 
 */
foreach ($_GET as $key => $value) {
    if (! is_numeric($value)) {
        $_GET[$key] = null;
    } else {
        $_GET[$key] = mysql_real_escape_string($value);
    }
}

This entry was posted in PHP, Web Design. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *