Hi, I'd really appreciate anyone's help. After running a vulnerability scan on one of my sites, I got an XSS warning and advice to "filter metacharacters from user input". The script responsible belongs to a tool which searches the database for certificate numbers and outputs the status of the certificate, valid or expired. My PHP is quite limited, but I think I've located the part of the code which needs filtering as:
$var = (isset($_GET['q']) && $_GET['q']!='') ? $_GET['q'] : '' ;
If I remove that line from the code the XSS warning disappears.
Here it is in context:
// Get the search variable from URL
ini_set('default_charset','utf-8');
$var = (isset($_GET['q']) && $_GET['q']!='') ? $_GET['q'] : '' ;
$trimmed = trim($var); //trim whitespace from the stored variable
// rows to return
// check for an empty string and display a message.
if ($trimmed == ''){
$ErrorMsg="<p>Please enter a serial number...</p>";
}
However, I'm really lost on how to apply a filter. I've Googled and looked up lots of examples but I'm not getting anywhere. Sorry if I haven't supplied enough of my PHP code - just let me know. Thanks again for any help!
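The scanner's warning is about the value of q being written back into the page without escaping, so the fix has two parts: accept only input that looks like a certificate number, and HTML-escape anything that is echoed. Below is an added example of that pattern in PHP; it is not the poster's code. The function names, the CERT_PATTERN format (letters, digits and hyphens, 1 to 32 characters) and the sample inputs are assumptions made for the example, and the database lookup itself is not shown.

```php
<?php
// Added example, not the poster's script: validate the `q` parameter on input
// and escape it on output so the raw value is never reflected into the HTML.
// Assumption: certificate numbers are letters, digits and hyphens, 1-32 chars.
// Adjust CERT_PATTERN to the real format used by the site.

declare(strict_types=1);

const CERT_PATTERN = '/^[A-Za-z0-9-]{1,32}$/';

/**
 * Returns the trimmed certificate number when the raw query value matches
 * the allowed format, or null when it is missing, empty or malformed.
 */
function validateCertNumber(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $trimmed = trim($raw);
    if ($trimmed === '' || preg_match(CERT_PATTERN, $trimmed) !== 1) {
        return null;
    }
    return $trimmed;
}

/**
 * Escapes a string for safe insertion into HTML text or attribute content.
 * ENT_QUOTES covers both quote characters; the charset must match the page.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Builds the result paragraph. $status is what the database lookup returned
 * ('valid', 'expired', or null when nothing was found). The lookup is assumed
 * to use a prepared statement with the validated number and is not shown.
 */
function renderResult(?string $raw, ?string $status): string
{
    $cert = validateCertNumber($raw);
    if ($cert === null) {
        // Malformed or empty input: show a fixed message, never the raw value.
        return '<p>Please enter a valid serial number...</p>';
    }
    if ($status === null) {
        return '<p>No certificate found for ' . h($cert) . '.</p>';
    }
    return '<p>Certificate ' . h($cert) . ' is ' . h($status) . '.</p>';
}

// Constructed sample inputs (not taken from the scan) to show the behaviour.
// In the real script this would be: renderResult($_GET['q'] ?? null, $status);
$samples = [
    'ABC-12345'                 => 'valid',
    'XYZ-99999'                 => 'expired',
    '<script>alert(1)</script>' => null,   // rejected by validateCertNumber
];

header('Content-Type: text/html; charset=utf-8');
foreach ($samples as $input => $status) {
    echo renderResult($input, $status), PHP_EOL;
}
```

The important detail is that the same validated value is used both for the database query and for the output, and that escaping happens at the point where the string is placed into HTML rather than once at input time; if the number is also written into a JavaScript block or a URL, a different escaping function is needed for that context.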