
So a few days ago I was doing my research and I found out that some functions were not so safe when it comes to preventing certain attacks (cross-site scripting), so I decided to create my own function to sanitize user input...

<?php
function sanitize($a)
{
    // add your own characters and keywords into the array
    $illegals = array("script","javascript","<",">","%","(",")","/","../","alert","'","xss","&","'","=","OR","SELECT","FROM","DROP");
    // a single replacement string is applied to every entry of $illegals
    // (a one-element array would leave the remaining entries replaced with "")
    $replace = "**";
    $sanitized = str_ireplace($illegals, $replace, $a, $count);
    if ($count > 0)
    {
        // attackers' payloads would just be left in our database, which is a waste of space
        header("Location:"); // the post leaves the redirect target empty
        exit; // stop here so the rest of the script never runs on rejected input
    }
    else
    {
        return $sanitized;
    }
} // end of function

$email = $_POST["email"] ?? '';
$password = $_POST["password"] ?? '';
$cleanemail = sanitize($email);
$cleanpassword = sanitize($password);
// other code
?>

I have tried multiple XSS payloads and so far none have been successful. What do you think? Any improvements that can be done?

kmartin
  • dude, just use php PDO – Dev Man Apr 30 '17 at 18:49
  • Did anyone bother to read the whole post? I am getting irrelevant answers! – kmartin Apr 30 '17 at 19:01
  • YES, we have, that's why your post has been marked as a duplicate and also why I've suggested you use php `PDO`. `preventing certain attacks(cross site scripting)` this means you need to use php `PDO` – Dev Man Apr 30 '17 at 19:29
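As an added example (not code from the poster or the commenters), the script below reproduces the blacklist from the question and puts it beside the defences the thread points at: prepared statements (PDO, as the comments say) for SQL injection, and context-aware output encoding for XSS. It shows two things the question's own testing would not reveal: the filter rejects ordinary input because `str_ireplace` matches "OR" inside words like "george", and it accepts a string that executes once the value is echoed into a JavaScript context. The sample inputs are constructed for the example, the function names are mine, and the database part assumes the `pdo_sqlite` extension is loaded (an in-memory SQLite database keeps it self-contained).

```php
<?php
// Added example: the question's blacklist beside the standard defences.

// The blacklist from the question, verbatim.
$illegals = ["script","javascript","<",">","%","(",")","/","../","alert","'","xss","&","'","=","OR","SELECT","FROM","DROP"];

// True when the blacklist would reject the value (the question's code redirects in that case).
function blacklistRejects(string $value, array $illegals): bool {
    str_ireplace($illegals, '**', $value, $count);
    return $count > 0;
}

// 1. False positives: str_ireplace is case-insensitive, so "OR" matches inside ordinary words.
//    This valid address is rejected because "george" and "morton" both contain "or".
$legit = "george.morton@example.com";   // constructed sample input
var_dump(blacklistRejects($legit, $illegals));

// 2. A payload the blacklist accepts: it has no '<', '>', '(', ')', '=', '/', single quote or banned word.
//    If the raw value is later echoed into a JavaScript string, e.g.  var email = "<?= $email ?>";
//    the page contains  var email = "";confirm`1`;"";  and the tagged-template call runs.
$payload = '";confirm`1`;"';   // constructed sample input
var_dump(blacklistRejects($payload, $illegals));

// 3. SQL injection: parameterised queries, so input is never parsed as SQL and needs no blacklist.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)");

function registerUser(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare("INSERT INTO users (email, password_hash) VALUES (:email, :hash)");
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // store a hash, never the password
    ]);
}

function verifyUser(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

registerUser($db, $legit, "correct horse");
$sqli = "' OR '1'='1";   // constructed classic injection string; bound as a parameter it is only data
var_dump(verifyUser($db, $legit, "correct horse"));
var_dump(verifyUser($db, $sqli, $sqli));

// 4. XSS: keep the stored value raw and encode at output time for the context it lands in.
function htmlAttr(string $s): string {
    // ENT_QUOTES encodes both quote styles, so the value cannot break out of an attribute
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function jsString(string $s): string {
    // JSON_HEX_* escape <, >, &, ' and " as \uXXXX, so the literal cannot close a <script> or a string
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}
echo '<input name="email" value="' . htmlAttr($payload) . '">', "\n";
echo 'var email = ' . jsString($payload) . ';', "\n";
```

Run it with `php example.php` from the command line. The first two `var_dump` calls show the blacklist rejecting the legitimate address and accepting the payload; the last two lines show the same payload rendered harmlessly in an HTML attribute and in a JavaScript string. Note that the PDO advice in the comments addresses SQL injection, which is a separate problem from XSS: prepared statements stop input being parsed as SQL, and output encoding stops it being parsed as HTML or JavaScript, and neither needs a list of forbidden words.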

0 Answers