Strip slashes on user agent and ip to prevent user header modification for XSS attack in API logging
4
api.php
4
api.php
@@ -4,9 +4,9 @@ include("functions.php");
|
||||
include("config.php");
|
||||
|
||||
// Get user IP
|
||||
$ip = mysqli_real_escape_string($mysqli,get_ip());
|
||||
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
|
||||
// Get user agent
|
||||
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
|
||||
$user_agent = stip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
|
||||
|
||||
// Check API key is provided in GET request as 'api_key'
|
||||
if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
|
||||
|
||||
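Review bot: The new user-agent line in the first api.php section calls `stip_tags`, which is not a PHP function, so the script would stop with an undefined-function error before any API handling runs; it should read `$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));`, as the second api.php section already does. In both sections strip_tags runs after mysqli_real_escape_string, so the string that reaches the query is no longer exactly what the escaper produced; filter first and escape last, or bind the values in a prepared statement (the query itself is outside these hunks). Removing tags at write time also does not cover attribute or script contexts, so whatever page displays the API log should still encode both fields on output with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. `$_SERVER['HTTP_USER_AGENT']` is absent when a client sends no User-Agent header, so `$_SERVER['HTTP_USER_AGENT'] ?? ''` would avoid a warning in both files.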
@@ -7,9 +7,9 @@ include(__DIR__ . "../../../config.php");
|
||||
header('Content-Type: application/json');
|
||||
|
||||
// Get user IP
|
||||
$ip = mysqli_real_escape_string($mysqli,get_ip());
|
||||
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
|
||||
// Get user agent
|
||||
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
|
||||
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
|
||||
|
||||
// Setup return array
|
||||
$return_arr = array();
|
||||
|
||||