#1  08-18-2007, 11:15 PM
.Silver (Onlooker)
XSS / Cross Site Scripting

Taken from my website, dot-silver.co.uk

This article will be about XSS: what is it, and how to prevent it. XSS, or CSS (not to be confused with Cascading Style Sheets), stands for Cross Site Scripting and is done when using PHP navigation. So if you are using PHP navigation, great, you should probably read this.

Say you have your links looking like so: ?x=page, and your code looks like this.

Code:
<?php
   // page name comes straight from the query string
   $x = $_GET['x'];
   // whatever was sent is used as the include target
   include($x.'.php');
?>
Sure, that's all fine, but is it really? What if a user entered a URL like this?

?x=http://www.google.com

That would insert google.com into the content area. Sure, that's harmless, but the idea of XSS is that malicious users can put very malicious code onto your own server and attack your server. By attacking it, they can do all sorts of things, such as overdoing the bandwidth, trying to hack into accounts, or even modifying information. This could be somewhat like the following URL.

?x=http://www.site.com/bad/script/to/hack

Not good, right? But how do you overcome this? Simple really: if you put all of your pages into a folder, such as pages, then you've finally overcome XSS. Here's the code.

Code:
<?php
   $x = $_GET['x'];
   // look the page up inside the pages folder instead of wherever $x points
   include('/pages/'.$x.'.php');
?>
It really is that simple, because obviously the PHP include function is going to be looking for this URL:

http://www.yoursite.com/pages/$x.php

and not

$x.php
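An added example, written for this page and not taken from the post above, that puts the two include patterns from the post next to an allowlist and runs all three over the same inputs. It assumes a hypothetical layout where the pages live in a `pages` directory beside the script and are named `home.php`, `about.php` and `contact.php`; the inputs are constructed. Two caveats a practitioner would want: a fixed prefix does stop `http://...` from being included (so does the `allow_url_include=Off` default that PHP has shipped with since 5.2), but the query value still reaches `include()` unchanged, so `../` can walk back out of the folder; and this class of bug is normally called remote or local file inclusion rather than cross-site scripting. The allowlist treats `?x=` as a lookup key, so no user-controlled bytes ever form part of the path.

```php
<?php
// Added example (not the original post's code). Shows where each way of
// building an include path from ?x=... ends up, for the same three inputs.
// Hypothetical layout: this script sits beside a "pages" directory that
// contains home.php, about.php and contact.php.

declare(strict_types=1);

// 1. The first snippet from the post: the query value is the whole target.
function resolve_unchecked(string $x): string
{
    return $x . '.php';
}

// 2. The "fix" from the post: a fixed prefix. A URL scheme can no longer
//    appear at the start of the path, but ../ segments are still honoured.
function resolve_prefixed(string $x): string
{
    return __DIR__ . '/pages/' . $x . '.php';
}

// 3. Pattern check: only a simple slug may pass, so "/", "." and ":" are
//    rejected before they ever get near include().
function resolve_pattern(string $x): ?string
{
    if (!preg_match('/\A[a-z0-9_-]+\z/', $x)) {
        return null;
    }
    return __DIR__ . '/pages/' . $x . '.php';
}

// 4. Allowlist: the query value is a key into a fixed map. Anything not in
//    the map is rejected, and the file name itself never comes from the client.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_allowlisted(string $x): ?string
{
    if (!array_key_exists($x, PAGES)) {
        return null;            // unknown page: fall back to a default or 404
    }
    return __DIR__ . '/pages/' . PAGES[$x];
}

// Constructed inputs: a normal link, the remote URL from the post, and a
// traversal attempt against the prefixed version.
$inputs = ['about', 'http://www.google.com', '../../../../etc/passwd'];

foreach ($inputs as $x) {
    printf("input: %s\n", $x);
    printf("  unchecked : %s\n", resolve_unchecked($x));
    printf("  prefixed  : %s\n", resolve_prefixed($x));
    printf("  pattern   : %s\n", resolve_pattern($x) ?? '(rejected)');
    printf("  allowlist : %s\n\n", resolve_allowlisted($x) ?? '(rejected)');
}

// How the navigation would actually use the allowlist (hypothetical):
//   $page = resolve_allowlisted($_GET['x'] ?? 'home') ?? resolve_allowlisted('home');
//   include $page;
```

Run it from the command line with `php example.php` and compare the rows: the unchecked and prefixed resolvers hand the traversal string straight through, the pattern check rejects anything containing a slash or dot, and the allowlist rejects everything that is not one of its three keys. Of the two safe variants the allowlist is the one to prefer, because it never concatenates client input into a path at all.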