GET and POST tag checks

  • StinkFinger

    GET and POST tag checks

    All,
    I have some code in a standard Nuke install. This code is in mainfile.php,
    which is included in every file. Is this preventing injections? Is there a
    better way to write this code? I am trying to make sense of it all.

    Should the same eregi expressions be added to the POST loop as well? I do
    not need ANY tags to be submitted from the user at all.

    // Reject the whole request if any GET value looks like a tag, a ".." path
    // traversal, a parenthesised expression or contains a double quote.
    // eregi() is case-insensitive POSIX regex (deprecated in PHP 5.3, removed in 7.0).
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("\.\.", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            header("Location: index.php");
            die();
        }
    }

    // POST values are only checked for a script tag.
    foreach ($_POST as $secvalue) {
        if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
            header("Location: index.php");
            die();
        }
    }

    Many thanks.


  • Garp

    #2
    Re: GET and POST tag checks

    "StinkFinger" <stinky@pinky.com> wrote in message
    news:107ea216f0tnp99@corp.supernews.com...
    > All,
    > I have some code in a standard Nuke install. This code is in mainfile.php
    > which is included in every file. Is this preventing injections? Is there a
    > better way to write this code? I am trying to make sense of it all.
    >
    > Should the same eregi expressions be added to the POST loop as well. I do
    > not need ANY tags to be submitted from the user at all.
    >
    > foreach ($_GET as $secvalue) {
    > if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
    > (eregi("\.\.", $secvalue)) ||
    > (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
    > (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
    > (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
    > (eregi("\"", $secvalue))) {
    > Header("Location: index.php");
    > die();
    > }
    > }
    >
    > foreach ($_POST as $secvalue) {
    > if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
    > header("Location: index.php");
    > die();
    > }
    > }
    >
    > Many thanks.

    First, use $_REQUEST instead - it's basically both $_GET and $_PUT merged
    together.

    As for tags, just pass it through htmlspecialchars() and/or strip_tags() to
    make it fully textual.

    Garp
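
As an added example (not code from this thread or from PHP-Nuke), the following contrasts the posted blacklist with the text-only handling Garp suggests, run over a constructed request. The function names nukeBlacklistRejects() and toSafeText() are mine, and the blacklist patterns go through preg_match() with the /i flag because eregi() no longer exists in current PHP.

```php
<?php
// Added example (not from the thread or PHP-Nuke): contrasts the mainfile.php
// blacklist with Garp's advice to keep input textual and escape it on output.
// eregi() was removed in PHP 7, so the same patterns are run via preg_match().

declare(strict_types=1);

/** Reproduces the posted blacklist: true if mainfile.php would reject the value. */
function nukeBlacklistRejects(string $value): bool
{
    $patterns = [
        '/<[^>]*script*"?[^>]*>/i', '/<[^>]*object*"?[^>]*>/i', '/\.\./',
        '/<[^>]*iframe*"?[^>]*>/i', '/<[^>]*applet*"?[^>]*>/i', '/<[^>]*meta*"?[^>]*>/i',
        '/<[^>]*style*"?[^>]*>/i',  '/<[^>]*form*"?[^>]*>/i',   '/<[^>]*img*"?[^>]*>/i',
        '/\([^>]*"?[^)]*\)/',       '/"/',
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $value) === 1) {
            return true;
        }
    }
    return false;
}

/** Garp's approach: drop markup (the OP wants no tags) and escape when echoing into HTML. */
function toSafeText(string $value, bool $allowTags = false): string
{
    $text = $allowTags ? $value : strip_tags($value);
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of what $_REQUEST might hold; not real traffic.
$request = [
    'q'       => 'He said "hello"... (twice)',  // legitimate text, but contains " .. and ( )
    'comment' => 'plain text <b>bold</b>',      // a tag the OP says should never get through
];

foreach ($request as $key => $value) {
    $verdict = nukeBlacklistRejects($value) ? 'REJECTED (redirect to index.php)' : 'accepted';
    printf("%-8s blacklist: %-32s  encoded: %s\n", $key, $verdict, toSafeText($value));
}
```

The blacklist rejects the harmless "q" value (because of the quote, the ".." and the parentheses) yet accepts the "<b>" tag in "comment", while the encoding path keeps both values displayable as plain text.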

