Thursday, October 29th 2009


Fixing cross-site scripting attacks in PHP for PCI Compliance
posted @ 9:49 am in [ Fixing Things -Technology -Web Design -Web2.0 ]

More PCI compliance checks meant that we found a number of scripts in some of the simpler pages on our sites (email register for example) were subject to possible cross-site scripting attacks

(see the Wikipedia entry for a pretty good explanation of what they are and why you need to fix them http://en.wikipedia.org/wiki/Cross-site_scripting)

Anyway – here’s the quick code to fix pretty much any form using htmlspecialchars to encode the input.

Original: (note the weakness in using REQUEST_URI here)

<form method=”post” action=”<?php echo $_SERVER[‘REQUEST_URI’]; ?>” id=”registerTop” class=”smallForm”>

Fixed: (note the replacement of PHP_SELF for REQUEST_URI to stop injection of different pages)

<form method=”post” action=”<?php echo htmlspecialchars($_SERVER[‘PHP_SELF’],ENT_QUOTES); ?>” id=”registerTop” class=”smallForm”>

Happy days – PCI test passed 🙂




Thursday, October 29th 2009


Just in case you wondered who was responsible for all of IE6’s bugs…
posted @ 6:49 am in [ Technology -Web Design -Web2.0 ]

I found this last night while scanning for another document, the thankyou note from Microsoft sent to me for being one of the beta testers on Microsoft Internet Explorer 4 (IE4)!

Obviously I didn’t do a very good job as IE5 and IE6 both turned out to be horribly buggy browsers, but then again they didn’t pay me for the pleasure so it can’t be all bad 🙂


MicrosoftIE4BetaTestersLetter