How to Avoid XSS Attacks In PHP?

by Oozman

in PHP Tutorials

With the growth of the internet, many people are building their sites with PHP. The problem is that many of them never consider the vulnerabilities and attacks their sites face, or if they do, they don't take the extra precautions needed when handling data within their sites or applications. So today I'm going to show you the PHP library I usually use to avoid XSS attacks on the sites and applications I develop.


One of the most common attacks today is the XSS attack. XSS stands for Cross-site Scripting, a vulnerability that is very common in web applications.

"Cross-site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers." (Wikipedia)

Most of the time, XSS attacks come from input or data that is not properly filtered or cleaned before it is shown to the browser, including values taken from cookies or sessions.

To avoid this kind of attack, there is a PHP library called PHP Inputfilter, developed by Manuel Lemos. I've been using it for quite a while now and it is a great library to integrate into my PHP work. It filters data and gives me an extra layer of processing for the inputs and data going in and out of my web sites and applications.

Preparation:

  • Download PHP Inputfilter here.
  • Copy class.inputfilter.php to your work folder

How to Use:


<?php
//load inputfilter library
include_once '<location of the library>/class.inputfilter.php';
$filter = new InputFilter();
?>

How to clean $_GET inputs:

<?php
//load inputfilter library
include_once '<location of the library>/class.inputfilter.php';
$filter = new InputFilter();

//clean $_GET data
$get = $filter->process($_GET);

//returns a cleaned $_GET array of data
var_dump($get);
?>

How to clean $_POST inputs:

<?php
//load inputfilter library
include_once '<location of the library>/class.inputfilter.php';
$filter = new InputFilter();

//clean $_POST data
$post = $filter->process($_POST);

//returns a cleaned $_POST array of data
var_dump($post);
?>

This filter will clean any data passing through your application or site. One important rule of filtering data: if data comes from OUTSIDE your application or site, you MUST filter it first.
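As an added example (not part of the original tutorial and not part of PHP Inputfilter), here is the complementary control a security reviewer would expect next to input filtering: escaping user-controlled values with PHP's built-in htmlspecialchars() at the point they are written into HTML, so that anything which survived filtering, or arrived from another source such as a database, is rendered as text rather than markup. The helper names e() and renderComment() and the sample inputs are my own; the array passed to renderComment() stands in for what $filter->process($_POST) returns.

```php
<?php
// Added example, not from the original post or the library: escape on the
// way OUT, in addition to filtering on the way IN. Runs stand-alone in the
// PHP CLI (php example.php); no external library needed.

// Escape a value for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would silently drop the value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build a comment block from request data (e.g. the array returned by
// $filter->process($_POST)). Every user-controlled value is escaped where it
// enters the HTML, including the attribute, which is a separate context.
function renderComment(array $input): string
{
    $name = (string) ($input['name'] ?? 'anonymous');
    $body = (string) ($input['body'] ?? '');
    return '<div class="comment" data-author="' . e($name) . '">'
         . '<strong>' . e($name) . '</strong>: ' . e($body) . '</div>';
}

// Constructed sample inputs (my own, not from the post): a harmless comment,
// and one whose values contain quotes and a tag to show they are neutralised.
$samples = [
    ['name' => 'alice',        'body' => 'Nice post!'],
    ['name' => 'Ann "Q" Lee',  'body' => '<b>bold</b> text'],
];

foreach ($samples as $s) {
    $html = renderComment($s);
    echo $html, PHP_EOL;
    // Self-check: raw quotes and tags from user data must not reach the output.
    if (strpos($html, 'Ann "Q"') !== false || strpos($html, '<b>') !== false) {
        throw new RuntimeException('user data reached the HTML unescaped');
    }
}
```

The second sample renders as `&lt;b&gt;bold&lt;/b&gt;` with the name's quotes as `&quot;`, so the browser shows the characters literally instead of interpreting them.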

Also note that XSS is only one of the hundreds of vulnerabilities that affect web applications and websites. It is always good practice to plan your development well before you start coding. ;)

So there you have it. I hope you gained something from this simple tutorial. There are also advanced options for this library, such as the optional $tagsArray and $attrArray arguments passed when creating an instance of InputFilter, which I'll leave for you to explore. But the tutorial above will basically cover your needs for filtering data within your applications or sites.

If you have any questions, feel free to drop a comment below.
