Portal Home > Knowledgebase > Articles Database > Need help cleaning php code to pass pci scan.


Need help cleaning php code to pass pci scan.




Posted by tegralens, 07-26-2010, 04:29 PM
I need to fix this so that I can pass a pci scan. This is what Mcafee Secure said on the scan. When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client. Ensure that parameters and user input are sanitized by doing the following: # Remove < input and replace with < # Remove > input and replace with > # Remove ' input and replace with ' # Remove " input and replace with " # Remove ) input and replace with ) # Remove ( input and replace with ( This is the code. These are the lines that need to be fixed. Thanks

Posted by RJohnson23, 07-26-2010, 05:05 PM
You need to escape all of your GETs with htmlspecialchars().

Posted by drspliff, 07-26-2010, 05:11 PM
Jebus man! You're failing the McAfee Secure Scan... I'd be seriously worried at the damage an experienced auditor could do.

Posted by tegralens, 07-26-2010, 06:08 PM
How do I do that. I have have no experience with php.

Posted by RJohnson23, 07-26-2010, 07:24 PM
Who coded your site? If you have these basic mistakes in your code, like drspliff said, you should seriously look into having someone audit it or you'll be in for a world of hurt later.

Posted by streaky81, 07-26-2010, 07:29 PM
http://php.net/htmlspecialchars And as somebody mentioned - if you're failing automated scans you probably have very serious issues that probably need looking at by somebody who knows what they're doing. Might want to consider doing that (this is in no way any kind of sales pitch).

Posted by tegralens, 07-26-2010, 08:41 PM
Thank you guys. This was just this file. This is a 3rd party plugin that's old.

Posted by CoderJosh, 07-27-2010, 01:38 AM
I'd also recommend that you get the server properly audited. Outdated scripts and those that weren't developed with security in mind can be found on pretty much every server that has been online for a while. Sooner or later one of these will get exploited if you don't take proactive measures.



Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Payment Processing (Views: 242)
PHPmotion v3 issues (Views: 256)