I am working on a website project; in it I handled data using PDO, so I thought everything was OK.
I recently ran a test with Acunetix and the result was error level 4; XSS was the most reported issue.
So, thinking about it, I did several searches and started filtering all the data: GET, POST, SERVER.
Example
Is it secure this way?
// Request method and referer, read from $_SERVER through filter_input
$method_req  = filter_input(INPUT_SERVER, 'REQUEST_METHOD', FILTER_SANITIZE_STRING);
$req_referer = filter_input(INPUT_SERVER, 'HTTP_REFERER', FILTER_SANITIZE_STRING);

if ($method_req == 'POST') {
    // After a POST, send the browser back to the page it came from
    header('Location: ' . $req_referer);
    exit; // stop executing the rest of the script once the redirect is sent
}

// Host and request URI, also read from $_SERVER
$url_reqhost = filter_input(INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING);
$url_req_url = filter_input(INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_STRING);

// Current absolute URL of this request
$URL_ATUAL = "https://" . $url_reqhost . $url_req_url;

// Form field from POST
$filtrar_estilo = filter_input(INPUT_POST, 'estilo', FILTER_SANITIZE_STRING);
Summarizing what I've already done for security:
- Using PDO
- Character limitation in .htaccess (', ", etc.; only letters and numbers pass)
- Blocking direct access to .php files
- Filtering POST / GET / SERVER data
What I need
- What I need most at the moment are tips and ideas to complement my code, especially regarding GET/POST security.
- Do I need to filter the session?
- What is the best filter to validate the data instead of FILTER_SANITIZE_STRING? (the project will never have quotes or anything, just letters and numbers)
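As an added example (not the asker's code), the same request handling written with validation instead of sanitisation, output encoding, and a redirect that does not trust the Referer header. The letters-and-digits pattern for 'estilo', the APP_HOST environment variable and the hidden 'next' form field are assumptions.

```php
<?php
// Added example, not the asker's code. Assumptions: the 'estilo' field only
// ever holds letters and digits, the app reads its own host from APP_HOST,
// and the form carries a hidden 'next' field with the page to return to.
declare(strict_types=1);

// 1. Validate instead of sanitising: accept only the exact shape expected.
//    FILTER_SANITIZE_STRING strips tags but does not make a value safe for
//    HTML, SQL or URLs (and it is deprecated as of PHP 8.1).
$estilo = filter_input(INPUT_POST, 'estilo', FILTER_VALIDATE_REGEXP, [
    'options' => ['regexp' => '/^[A-Za-z0-9]{1,32}$/'],
]);
if ($estilo === null || $estilo === false) {
    http_response_code(400);
    exit('Invalid "estilo" value');
}

// 2. Encode on output: XSS is stopped where data is written into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Redirect only to a local path. Sending the user to HTTP_REFERER is an
//    open redirect, because the client chooses that header.
function safeRedirect(string $path, string $fallback = '/'): void
{
    // One leading slash, no scheme or "//host", only plain path characters.
    if (!preg_match('#^/(?!/)[A-Za-z0-9/_.\-]*$#', $path)) {
        $path = $fallback;
    }
    header('Location: ' . $path, true, 303);
    exit; // stop execution after a redirect
}

// 4. Do not build absolute URLs from HTTP_HOST: the client supplies it too.
$host     = getenv('APP_HOST') ?: 'example.invalid';
$urlAtual = 'https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/');

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    safeRedirect((string) (filter_input(INPUT_POST, 'next') ?? '/'));
}

// Encode every value at the point it is placed in the page.
echo '<p>Estilo: ' . h($estilo) . '</p>';
echo '<p>Current URL: ' . h($urlAtual) . '</p>';
```

The SQL side stays with PDO prepared statements; the validation and encoding above cover the HTML and redirect sinks that a sanitising filter on input does not.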