String attack

DigitalExpl0it

Ok, heres the deal, I ahve a page and im using varibles in my url string, thing is how do I make it so that if someone puts in lets say some html or java code with the varible, how can I make it not post?

here is there url to a pratice site
http://daemonprojects.com/work/cat.php?cat=CPU&item=hardware

now if I edit the url string with lets say a html img tag it will show on the site, Id like to stop this....

http://daemonprojects.com/work/cat.php?cat=CPU<img src=test.jpg>&item=hardware

should I do a check like

if ($var == "CPU") {
//ok
} else {
//do nothing
}

type thing, if so then that would be alot fo code

any suggestions

DigitalExpl0it

think this fixed it, if theres a better way please post it, thanx

<? echo strip_tags($_REQUEST["cat"], '<[^>]*?>'); ?>

Weedpacket

I've never seen anyone try to call strip_tags with a regexp for the second argument before...
Besides, don't you htmlspecialchars() your output?

ccgorman

You could use the environment variable HTTP_REFERER. This will tell you the full URL of the page that the user is coming from, if it is not from the page you expect you could just header relocate. The problem is the user will not be able to bookmark pages.