A few days ago I was doing some research and found that some functions are not that secure at preventing certain attacks (cross-site scripting), so I decided to write my own function to sanitize user input.
<?php
function sanitize($a)
{
    // add your own characters and keywords into the array
    $illegals = array("script","javascript","<",">","%","(",")","/","../","alert","'","xss","&","'","=","OR","SELECT","FROM","DROP");
    // a single string replacement applies to every entry of $illegals;
    // with array("**") only the first entry would be replaced by "**" and
    // all the others by an empty string
    $replace = "**";
    $sanitized = str_ireplace($illegals, $replace, $a, $count);
    if ($count > 0)
    {
        // attackers' payloads will just be left in our database which is a waste of space
        header("Location:");
        exit; // stop here, otherwise the script keeps running after sending the redirect header
    }
    else
    {
        return $sanitized;
    }
} // end of function
$email = $_POST["email"] ?? "";       // avoid an undefined-index notice when the field is missing
$password = $_POST["password"] ?? "";
$cleanemail = sanitize($email);
$cleanpassword = sanitize($password);
// other code
?>
I have tried multiple XSS payloads and so far none has succeeded. What do you think? Can any improvements be made?
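A keyword blacklist like the one above also rewrites legitimate input (an e-mail address containing an apostrophe, a password containing "OR" or "<"). The usual defensive alternative is to validate the shape of the input, store it unchanged through bound parameters, and encode it for the context in which it is displayed. The following is an added example, not code from the question; it assumes an in-memory SQLite database via PDO and uses constructed sample values in place of $_POST.

```php
<?php
// Added example (not from the original post): validate shape, store the raw
// value with a prepared statement, and encode on output instead of blacklisting.
declare(strict_types=1);

// Encode for an HTML text or attribute context: <, >, &, " and ' are all
// escaped, so a stored value cannot break out of the surrounding markup.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the shape of the address; do not rewrite its content.
function valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Hypothetical persistence: bound parameters mean the value is never parsed
// as SQL, whatever characters or keywords it contains.
function register(PDO $db, string $email, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Constructed sample input; in a real handler these come from $_POST.
// Both values would be mangled by the blacklist in the question.
$email    = "o'connor@example.org";
$password = 'Dorothy<3 OR pizza';

if (!valid_email($email)) {
    http_response_code(400);
    exit('Invalid e-mail address.');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register($db, $email, $password);

// The stored address is intact; html_out() makes it safe to render.
$row = $db->query('SELECT email FROM users')->fetch(PDO::FETCH_ASSOC);
echo '<p>Registered: ' . html_out($row['email']) . '</p>';
```

The password is never echoed anywhere; only its hash is stored, so it needs no output encoding at all.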