I'm trying to harden my service against SQL injection and XSS and I wonder if it's universally possible. I use PDO with sqlsrv. The service is quite big - this is why I would prefer a universal solution (I have a WAF already).
My plan is to loop through the whole/most of $_REQUEST and simply delete the characters required for an attack. I would insert that code in the init/config that is loaded on every webpage (or the ones that have a form).
PLEASE have in mind this is pseudocode, not tested in any way.
    foreach ($_REQUEST as $key => $row) {
        // skip nested arrays (e.g. checkbox groups); only strings are filtered
        if (!is_string($row)) {
            continue;
        }
        // sql injection: remove *, =, and sql commands... others?
        // (each token is a separate array element, so every one is removed)
        $row = str_replace(['*', '=', 'select', 'from', 'where'], '', $row);
        // xss: encode the already-filtered value, then write it back
        $_REQUEST[$key] = htmlspecialchars($row);
    }

I understand this will put a big load on the server (maybe just loop on login sites?).
What characters should I remove?
Another downside is that I will have to force some users to renew their password.
Do you think this is a good idea? What is the best way to do it? Can I ask for workable code?
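As an added illustration (not the asker's code), here is the layered alternative to stripping characters from $_REQUEST: leave the input intact, pass it to PDO as a bound parameter so it never becomes part of the SQL text, and encode it only at the moment it is written into HTML. The DSN, credentials, the `users` table and its columns are placeholders and assumptions for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_REQUEST. It contains the very
// characters the filter in the question would delete ('=', '*', "select"),
// which a real password may legitimately contain.
$request = [
    'username' => "o'connor",
    'password' => 'P=ss*word select',
];

// Assumption: sqlsrv DSN and credentials are placeholders, not real values.
function connect(): PDO
{
    $pdo = new PDO(
        'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER'
    );
    // Surface driver errors as exceptions instead of silent failures.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// SQL injection: the username is bound as a parameter, so the driver sends it
// as data, never as SQL text. Nothing has to be removed from it, and the
// apostrophe in "o'connor" is matched literally.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The password is compared against a stored hash, never interpolated into
// SQL, so '=' and '*' survive and no password reset is needed.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// XSS: encode at the point the value is placed into HTML, not on input.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = connect();
$ok = checkLogin($pdo, $request['username'], $request['password']);
echo '<p>Welcome, ' . h($request['username']) . '</p>';
```

Because the raw value stays in $_REQUEST, the same input can be stored, logged or searched without the lossy rewriting that a global strip loop causes.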
