Security has always been a concern of web developers. No site is safe from hacking attempts. Developers need to take precautions when building their applications so that they don’t become the victim of a hacking attempt. There are a number of things PHP programmers can do to prevent these kinds of attacks.

What Is XSS?

XSS stands for Cross Server Scripting, and is the most common technique for hacking into a website. Most of the tips we will be talking about today will be things designed to prevent XSS attacks on your server. XSS is when someone injects code into your website, and gets it to execute. This can be used for a variety of malicious purposes.

Here is an example of a simple XSS attack I was able to perform on my site. I noticed that my user name was contained inside a tag on my profile page. I changed my user name to this:

This caused an alert fired away every time someone opened my profile page. It would not have been difficult for me to import an external JavaScript file, or write one that did something more malicious.

List of common XSS exploits

Sanitizing Input

Most XSS attacks come from manipulating the input of a site. Input comes in two forms: Forms and GET variables. You need to take care to properly sanitize these inputs before doing anything else with them. Here are a few things you can do to make sure the input you receive is safe:

Use PHP’s addslashes Function

This is a very simple thing you can do that can help prevent attacks. Simply run all of your input through the addslashes method in PHP. The slashes help escape characters that could otherwise be dangerous.

Use the strip_tags Function

strip_tags() is another handy PHP function that can help sanitize input. You also have the option of allowing certain tags, so if you have a page where users should be allowed to use some HTML (for example, a blog post) you can still allow them to use some tags. However, be wary of allowing particularly dangerous tags, such as <script> or <iframe>.

Remove JavaScript From Input

By Using regular expressions, we can make sure that no JavaScript gets through to execute. While using strip tags to remove tags can take care of some JavaScript, it doesn’t handle instances where people may put a JavaScript event on another tag, such as an <a> tag. Below is a simple function that removes JavaScript from the input it is given, by using regular expressions:

function removeJavaScript($input){ return preg_replace('#]*>.*?#is','',$input); }

Remove Flash From Input

Much like JavaScript, Flash can also be embedded via XSS and used for malicious purposes. Below is another function, which will strip Flash from the input given:

function removeFlash($input){ return preg_replace("/<object[0-9 a-z_?*=\":\-\/\.#\,\\n\\r\\t]+/smi", "", $input); }

Putting It All Together

Below is a handy function I’ve written that can handle all of the above methods of cleaning input. It also gives you the option of allowing JavaScript, Flash, or certain HTML tags:

function sanitizeInput($input,$allowedTags=””,$allowJavaScript=false,$allowFlash=false){ $input = strip_tags($input,$allowedTags); if(!$allowJavaScript){ $input = preg_replace('#]*>.*?#is','',$input); } if(!$allowFlash){ $input = preg_replace("/<object[0-9 a-z_?*=\":\-\/\.#\,\\n\\r\\t]+/smi", "", $input); } return $input; }

Check The Referring Page

Web sites are able to send requests from any server to another, and this can be dangerous. One way of making sure input is coming from where it is supposed to is to use the $_SERVER array in PHP and check what the referring site is. You can also add unique keys to forms and some pages to make sure that the input you are receiving is coming from a reliable source.

NETTuts has a great tutorial on this: Secure Your Forms with Form Keys

Using Encryption

One of the biggest no-nos in all of web programming is storing sensitive information in plain text inside of a database. Things like passwords, social security numbers, and credit card numbers are very common pieces of data that should not be stored in a database.