Web safety with AJAX and PHP 5

Manipulation of parameters, Cross Site Scripting, SQL Injection, Session hijacking - there are many ways to attack a website's integrity for evil purposes (see screenshots below). This application makes use of several techniques to protect your web application from harmful input (some of them refer to the excellent book "PHP-Sicherheit", published by dpunkt.verlag, 2007). Among other features you'll find data type control, control of allowed variables in URI strings, several session and history controls, control of dropdown menus, control of form names and form action URIs, fully automated checks for forbidden inserts in form elements, a generator for safe passwords, and consistent use of file_exists(). Besides the PHP 5 features __autoload for classes and try/catch, a special feature is the safeHTML parser (http://pixel-apes.com/safehtml), which effectively removes undesired attributes and tags.

The script snippets you see here are only a small part of the complete application (the complete script is downloadable). That's it. The SQL code for the database actions and the other files are all prepared for your convenience (create-table, CSS and connection file included). Best regards, Claudio Biesele


Part of the PHP Forbidden Class Code:

// Fragment of the checking method; $this->tbname, $this->noquery and
// $this->badnews are set elsewhere in the class. The request parameters
// carry the same names as the columns of the table.
$this->sql = "SHOW FIELDS FROM $this->tbname";
$this->query = mysql_query($this->sql);
if (!$this->query) die($this->noquery);

// collect the column names of the table
$this->felder_arr = array();
while (list($this->tabfelder) = mysql_fetch_array($this->query, MYSQL_BOTH))
{
    $this->felder_arr[] = $this->tabfelder;
}

// concatenate the submitted value of every column into one string, so that
// a single scan covers all form fields (missing parameters count as empty)
$this->val = '';
for ($this->x = 0; $this->x < sizeof($this->felder_arr); $this->x++)
{
    $this->forbidden = isset($_REQUEST[$this->felder_arr[$this->x]])
        ? $_REQUEST[$this->felder_arr[$this->x]] : '';
    $this->val .= $this->forbidden;
}
$this->forbidden = $this->val;

// blacklist of fragments that must not appear anywhere in the input;
// stristr() compares case-insensitively, so "<?" also covers "<?php" and
// "javascript" also covers "text/javascript"
$this->bad_fragments = array(
    "location.href", "<?", "<?php", "?>", "<script type", "document.write",
    "javascript", "/script", "or 1=1", "text/javascript"
);

foreach ($this->bad_fragments as $fragment)
{
    if (stristr($this->forbidden, $fragment) !== false)
    {
        // report the failure in general, not in detail
        $this->message = $this->badnews;
        return $this->message;
    }
}

$this->okay = '1';
return $this->okay;
} // end of the checking method
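As an added example (not code from the downloadable script): the SHOW FIELDS query above also returns each column's type, so the forbidden-fragment scan can be complemented by the data type control the introduction mentions, checking every request value against its column. The field rows, the table name "notes" and the request values are constructed stand-ins.

```php
<?php
// Added example, not part of the original script. $fields stands in for the
// rows mysql_fetch_assoc() returns for "SHOW FIELDS FROM notes" (constructed).
$fields = array(
    array('Field' => 'usernr', 'Type' => 'int(11)',     'Null' => 'NO'),
    array('Field' => 'title',  'Type' => 'varchar(60)', 'Null' => 'NO'),
    array('Field' => 'note',   'Type' => 'text',        'Null' => 'YES'),
);

// Returns null when $value fits the MySQL column type, otherwise a short reason.
function checkValueAgainstType($value, $type)
{
    if (preg_match('/^(tiny|small|medium|big)?int(\(\d+\))?/i', $type)) {
        return preg_match('/^-?\d{1,20}$/D', $value) ? null : 'not an integer';
    }
    if (preg_match('/^(var)?char\((\d+)\)/i', $type, $m)) {
        // strlen() counts bytes, which is the conservative side for UTF-8
        return strlen($value) <= (int) $m[2] ? null : 'too long';
    }
    if (preg_match('/^(tiny|medium|long)?text$/i', $type)) {
        return strpos($value, "\0") === false ? null : 'contains a NUL byte';
    }
    return 'unsupported column type';
}

// Checks every column of the table against the submitted request array.
// The detail list is for the server log; the user only sees the generic
// "Forbidden inserts!" message (report failures in general, not in detail).
function checkRequestAgainstFields(array $fields, array $request)
{
    $detail = array();
    foreach ($fields as $f) {
        $name = $f['Field'];
        if (!isset($request[$name]) || $request[$name] === '') {
            if ($f['Null'] === 'NO') $detail[] = "$name: missing";
            continue;
        }
        $reason = checkValueAgainstType($request[$name], $f['Type']);
        if ($reason !== null) $detail[] = "$name: $reason";
    }
    return array('ok' => empty($detail), 'detail' => $detail);
}

// Constructed request: the integer column carries the fragment from the blacklist.
$result = checkRequestAgainstFields($fields,
    array('usernr' => '7 or 1=1', 'title' => 'Shopping', 'note' => 'milk'));
echo $result['ok'] ? 'OK' : 'Forbidden inserts!';
error_log(implode('; ', $result['detail']));
```

Because the check is derived from the column definitions, adding a column to the table extends the validation without touching the code.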


Part of the AJAX Handler Code:

function handleResponseUpdIns() {
    // resObjekt is the global XMLHttpRequest object created by the request function
    if (resObjekt.readyState == 4) {
        var valuser = document.getElementsByName("usernr")[0].value;

        // show the server reply in the message area first
        document.getElementById("messagen").style.visibility = "visible";
        document.getElementById("messagen").innerHTML = resObjekt.responseText;
        document.getElementById("message").style.visibility = "hidden";

        // the PHP check answers with the generic text "Forbidden inserts!" when it
        // rejected the input; only an accepted request refreshes the notes table
        if (resObjekt.responseText != "Forbidden inserts!") {
            document.getElementById("messagen").style.visibility = "hidden";
            document.getElementById("notetable").innerHTML = resObjekt.responseText;
            loadNotes('1', valuser, '0');
        }
    }
}


Part of the PHP 5 Class __autoload:

function __autoload($strKlasse)
{
    try {
        // accept only a syntactically valid PHP class name, so no path characters
        // such as "../" can reach the include below; the D modifier makes $ match
        // only at the very end of the string (a trailing newline is rejected)
        if (!preg_match('=^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$=D', $strKlasse)) {
            throw new Exception("Class '$strKlasse' is not valid.");
        }

        $strIncludeFile = '../class/' . $strKlasse . '.class.php';

        if (!file_exists($strIncludeFile)) {
            throw new Exception("Include file <i>$strIncludeFile</i> not found.<br>");
        }

        require_once($strIncludeFile);

        if (!class_exists($strKlasse)) {
            throw new Exception("Include file <i>$strIncludeFile</i> contains no class '$strKlasse'.<br>");
        }

        return true;
    }
    catch (Exception $e) {
        // stop with the message; the class is mandatory for the application
        die($e->getMessage());
    }
}


Screenshots (pub_saveweb1.jpg to pub_saveweb5.jpg):
1. Example: Detect harmful code and stop further actions.
2. Example: Report failures in general, not in detail.
3. Example: Even dropdown menus can be unsafe; check values before the next step.
4. Example: The user gets his password from a generator and has to confirm it by email.
5. Example: After confirmation by email the user gets access to the service.
Download the full script at www.fastproject.ch. The downloaded script is free from Copyright restrictions, Zurich, 16th of November 2015.