December 2010
Intermediate to advanced
363 pages
12h 21m
English
Effective XSS prevention starts when the interface is being designed, not in the final testing stages or—even worse—after you discover the first exploit.
For example, applications that rely on form submission (POST requests) are much less vulnerable to attack than those that allow control via URI query strings (GET requests). It is important, then, before writing the first line of interface code, to set out a clear policy as to which actions and variables will be allowed as $_GET values, and which must come from $_POST values.
The design stage is also the best time to map out workflows within the application. A well-defined workflow allows the developer to set limits, for any given page, on what requests are expected next (discussed ...
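The two design-time decisions described above (which actions and variables may arrive as $_GET values versus $_POST values, and which requests a given page may legitimately be followed by) can be written down as one policy table and enforced in a single request-resolution step. The following PHP is an added example and is not code from the book; the action names, variable names, the session key `expected_next` and the `resolveRequest` function are all constructed for illustration.

```php
<?php
// Added example (not from the book): a design-time policy declaring, per
// action, which HTTP method it may arrive on and which variables it accepts,
// plus a session-backed workflow that records which actions are expected next.
// Action names, variable names and session keys are constructed for illustration.

declare(strict_types=1);

// Policy table decided before any interface code is written.
// 'method' is the only method the action may arrive on; 'vars' is the whitelist
// of variable names read for it (from $_GET or $_POST accordingly); 'next' is
// the set of actions that may legitimately follow this page.
const ACTION_POLICY = [
    'list_items'  => ['method' => 'GET',  'vars' => ['page'],        'next' => ['view_item', 'list_items']],
    'view_item'   => ['method' => 'GET',  'vars' => ['id'],          'next' => ['view_item', 'edit_item', 'list_items']],
    'edit_item'   => ['method' => 'GET',  'vars' => ['id'],          'next' => ['save_item', 'view_item']],
    'save_item'   => ['method' => 'POST', 'vars' => ['id', 'title'], 'next' => ['view_item']],
    'delete_item' => ['method' => 'POST', 'vars' => ['id'],          'next' => ['list_items']],
];

// Actions a visitor may start with when no workflow state exists yet.
const ENTRY_ACTIONS = ['list_items'];

/**
 * Resolve the requested action and its variables according to the policy.
 * Returns [action, vars] on success, or throws on any policy violation.
 * In real code pass $_SERVER['REQUEST_METHOD'], $_GET, $_POST and $_SESSION.
 */
function resolveRequest(string $method, array $get, array $post, array &$session): array
{
    // Variables, including the action name, are read only from the
    // superglobal that matches the request method. A POST-only action named
    // in a query string is therefore never even looked up.
    $source = ($method === 'POST') ? $post : $get;
    $action = $source['action'] ?? null;
    if (!is_string($action) || !isset(ACTION_POLICY[$action])) {
        throw new RuntimeException('Unknown action');
    }
    $policy = ACTION_POLICY[$action];

    // 1. Enforce the declared method: state-changing actions must be POSTed.
    if ($method !== $policy['method']) {
        throw new RuntimeException("Action $action requires {$policy['method']}");
    }

    // 2. Enforce the workflow: only actions expected after the previous page.
    $expected = $session['expected_next'] ?? ENTRY_ACTIONS;
    if (!in_array($action, $expected, true)) {
        throw new RuntimeException("Action $action not expected at this point");
    }

    // 3. Copy only the whitelisted variables; anything else in the request,
    //    and everything in the other superglobal, is ignored.
    $vars = [];
    foreach ($policy['vars'] as $name) {
        if (array_key_exists($name, $source)) {
            $vars[$name] = (string) $source[$name];
        }
    }

    // Record which actions may legitimately come next.
    $session['expected_next'] = $policy['next'];
    return [$action, $vars];
}

// Usage with constructed requests (no real superglobals involved).
$session = [];
[$action, $vars] = resolveRequest('GET', ['action' => 'list_items', 'page' => '2'], [], $session);
printf("accepted %s with %s\n", $action, json_encode($vars));

try {
    // A delete arriving as a link is refused before any of its variables are read.
    resolveRequest('GET', ['action' => 'delete_item', 'id' => '7'], [], $session);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The method check on its own only removes the link-based route into a state-changing action; the workflow check beside it is what refuses an out-of-sequence request whatever method it uses, which is why both belong in the same resolution step rather than being sprinkled through individual page scripts.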