Amanda<3 Posted February 13, 2011

Well, I know how to do it the old way, URL by URL by URL. I was wondering if anyone could suggest a more shortcut approach to keep XSS out of the URL using mod_rewrite. Also, I currently have a rewrite function that rewrites my URLs for me:

```php
// Turns "page.php?arg1=foo&arg2=bar" into "/page/foo/bar".
function rewriteURI($URI, $argSeperator = "/") {
    $origURI = $URI;
    // Reduce "/page.php?..." to the bare page name.
    $requestURI = preg_replace("/^\/?([A-Z0-9_-]+)\.php(.+)?$/i", "$1", $origURI);
    $requestURI = '/' . $requestURI . '/';
    $params = explode("?", $origURI);
    // Guard against a URI that has no query string.
    $args = isset($params[1]) ? explode("&", $params[1]) : array();
    $queryString = '';
    foreach ($args as $arg) {
        $parts = explode("=", $arg);
        // Skip arguments that carry no "=value" part.
        if (isset($parts[1])) {
            $queryString .= $parts[1] . $argSeperator;
        }
    }
    // Strip the trailing separator (quoted so any separator is regex-safe).
    $rewrittenURI = preg_replace("/^(.*)" . preg_quote($argSeperator, "/") . "$/i", "$1", $queryString);
    $rewrittenURI = $requestURI . $rewrittenURI;
    return $rewrittenURI;
}
```

Basically that is what I'm using to turn this: page.php?arg1=foo&arg2=bar, into /page/foo/bar. Is this a good method?

a_bertrand Posted February 14, 2011

No, a mod_rewrite doesn't prevent XSS.

Amanda<3 Posted February 14, 2011

I'm saying, is it possible to rewrite the URL to not allow XSS inside the URL. I know it doesn't completely solve the problem though.

a_bertrand Posted February 14, 2011

Well, sure, you could prevent ANY kind of tags / scripts and therefore you would prevent XSS. You can find a pre-made PHP library which will check if your parameters (GET, POST, COOKIES) are potentially harmful or not. A good example of what you could use: http://phpids.org/ demo under: http://demo.phpids.org/

This lib prevents XSS as well as SQL injection. However, honestly, it doesn't completely replace well-secured code.

Amanda<3 Posted February 14, 2011

Thanks. And yeah, I still secure my scripts, I'd just rather have extra insurance. You can never over-secure something...

a_bertrand Posted February 15, 2011

Well, actually yes, as the more you secure it, the more checks you build in, and the slower it will be. Also, increasing security means at some point less usable features.
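
The "well-secured code" side of this thread, as an added example that is not code from any poster or from PHPIDS: the segments of a rewritten path such as /page/foo/bar are still user input, so the script validates each one against an allowlist and HTML-encodes anything it echoes. The helper names `parseCleanPath` and `e`, the segment pattern, and the sample paths are assumptions made for illustration; the input is assumed to be the raw, still percent-encoded request path.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.

// Split a rewritten path such as "/page/foo/bar" into a page name and
// arguments. Returns null unless every segment matches a strict allowlist.
function parseCleanPath($path, $maxArgs = 5) {
    $segments = array();
    // Split on "/" first, then decode, so an encoded "%2F" cannot add segments.
    foreach (explode('/', trim($path, '/')) as $raw) {
        $segments[] = rawurldecode($raw);
    }
    if (count($segments) > $maxArgs + 1) {
        return null;
    }
    foreach ($segments as $segment) {
        // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $segment)) {
            return null;
        }
    }
    return array('page' => $segments[0], 'args' => array_slice($segments, 1));
}

// Encode at the point of output: this, not the URL shape, is what stops
// a value from being parsed as markup by the browser.
function e($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request paths (not taken from the thread).
$samples = array(
    '/page/foo/bar',
    '/page/%3Cscript%3Ealert(1)%3C%2Fscript%3E/bar',
    '/page/foo%22%20onmouseover%3D%22x/bar',
    '/page//bar',
);

foreach ($samples as $path) {
    $route = parseCleanPath($path);
    if ($route === null) {
        // Even the rejection message encodes the value before echoing it.
        echo "400 rejected: " . e(rawurldecode($path)) . "\n";
        continue;
    }
    echo "200 page=" . e($route['page']) . " args=" . e(implode(',', $route['args'])) . "\n";
}
```

Only the first sample is accepted; the others fail the allowlist, and their rejection messages show the decoded input with its markup characters HTML-encoded.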