Strip slashes on user agent and ip to prevent user header modification for XSS attack in API logging

johnnyq 2022-02-04 16:55:45 -05:00
parent 338c991d21
commit be0778ab84
2 changed files with 4 additions and 4 deletions


@ -4,9 +4,9 @@ include("functions.php");
include("config.php");
// Get user IP
$ip = mysqli_real_escape_string($mysqli,get_ip());
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
// Get user agent
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
$user_agent = stip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
// Check API key is provided in GET request as 'api_key'
if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
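Review bot: The new `$user_agent` assignment calls `stip_tags(...)`, which is a misspelling of `strip_tags`, so PHP raises a fatal "Call to undefined function" error at the top of this file. Every request that reaches this include would fail before the API key check runs. The line should read `$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));`, matching the second file in this commit. The `if` that follows is only partly visible, so the rest of the file was not reviewed.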


@ -7,9 +7,9 @@ include(__DIR__ . "../../../config.php");
header('Content-Type: application/json');
// Get user IP
$ip = mysqli_real_escape_string($mysqli,get_ip());
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
// Get user agent
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
// Setup return array
$return_arr = array();
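Review bot: `strip_tags()` on the new `$ip` and `$user_agent` lines removes markup-shaped text but is not output encoding, so it does not make the logged values safe for every HTML context, for example inside an attribute. The durable fix is to encode where the log is displayed, with something like `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; the rendering code is not visible in this commit. It would also be safer to make SQL escaping the last transformation and to tolerate a missing header: `$user_agent = mysqli_real_escape_string($mysqli, strip_tags($_SERVER['HTTP_USER_AGENT'] ?? ''));`. The same ordering applies to `$ip` and to the matching hunk in the first file.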