PHP Code Injection Prevention

Hi, this works best if you place it at the very first line of your script, before any request parameter is read.

<?php
// Place at the very top of the script, before any request parameter is used.

// Strip script blocks, style blocks, HTML comments and any remaining tags.
// (The tag patterns were lost when the page was extracted; these are the
// well-known patterns this snippet is built from.)
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',  // strip out <script> blocks
        '@<[\/\!]*?[^<>]*?>@si',           // strip out any remaining HTML tag
        '@<style[^>]*?>.*?</style>@siU',   // strip out <style> blocks
        '@<![\s\S]*?--[ \t\n\r]*>@'        // strip out multi-line HTML comments
    );

    return preg_replace($search, '', $input);
}

// Decode twice (to unwrap double-encoded payloads), then drop tags.
// Nested parameters such as ?ids[]=1&ids[]=2 arrive as arrays, so recurse
// instead of passing an array to rawurldecode()/strip_tags().
function sanitizeValue($value) {
    if (is_array($value)) {
        return array_map('sanitizeValue', $value);
    }
    return cleanInput(strip_tags(rawurldecode(rawurldecode($value))));
}

$_GET  = array_map('sanitizeValue', $_GET);
$_POST = array_map('sanitizeValue', $_POST);

In this example, I used rawurldecode() instead of urldecode() because urldecode() would lose the “+” sign.
Ref: http://php.net/manual/en/function.rawurldecode.php

Ref: https://stackoverflow.com/questions/29539985/override-post-content
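The following is an added example, not code from the original post: it runs the same decode-then-strip pipeline over a constructed request array, shows the urldecode() versus rawurldecode() difference on a "+" value, and adds the output-side step (htmlspecialchars()) that input stripping does not replace. The sample values, sanitizeValue() and renderSafe() are assumptions made for this example.

```php
<?php
// Added example: exercise the input-cleaning pipeline on constructed data.

// Same regex list as the cleanInput() snippet above.
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',
        '@<[\/\!]*?[^<>]*?>@si',
        '@<style[^>]*?>.*?</style>@siU',
        '@<![\s\S]*?--[ \t\n\r]*>@',
    );
    return preg_replace($search, '', $input);
}

// Decode twice, strip tags, recurse into nested parameters (assumed helper).
function sanitizeValue($value) {
    if (is_array($value)) {
        return array_map('sanitizeValue', $value);
    }
    return cleanInput(strip_tags(rawurldecode(rawurldecode($value))));
}

// Output-side encoding: whatever survives input cleaning is still escaped
// for the HTML context it is printed into (assumed helper).
function renderSafe($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample, shaped like PHP's own $_GET for the query string
//   ?q=1%2B1&tags%5B%5D=%253Cscript%253Ealert(1)%253C%252Fscript%253E&name=Bob%20%3Cb%3Ebold%3C%2Fb%3E
// PHP has already URL-decoded each value once when filling $_GET.
$sampleGet = array(
    'q'    => '1+1',                                        // "+" is literal data here
    'tags' => array('%3Cscript%3Ealert(1)%3C%2Fscript%3E'), // still encoded once
    'name' => 'Bob <b>bold</b>',
);

// 1. The "+" problem the post describes: urldecode() treats "+" as a space,
//    rawurldecode() leaves it alone.
echo "urldecode:    ", var_export(urldecode($sampleGet['q']), true), PHP_EOL;
echo "rawurldecode: ", var_export(rawurldecode($sampleGet['q']), true), PHP_EOL;

// 2. Run the full pipeline over the request array, nested values included.
$cleaned = array_map('sanitizeValue', $sampleGet);
echo "cleaned request: ", var_export($cleaned, true), PHP_EOL;

// 3. Encode at output time. Input stripping removes tags, but a value like
//    a quote or ampersand must still be escaped when echoed into a page.
foreach ($cleaned as $key => $value) {
    $flat = is_array($value) ? implode(', ', $value) : $value;
    echo "<p>", renderSafe($key), ": ", renderSafe($flat), "</p>", PHP_EOL;
}
```

Run it with `php example.php` and compare the three stages: the "+" survives only through rawurldecode(), the double-encoded script tag in `tags[]` is unwrapped by the second decode and then removed, and the final loop shows the HTML-escaped form that should be used wherever a request value is echoed back into a page.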
