MakeWebGames


Posted

Right, people are constantly complaining about why their game gets hacked and stuff. So, yesterday, I decided to take a look at security for the first time, and with a bit of help from Anthony (Magictallguy) I think I'm beginning to understand it. Now if I can learn a bit of stuff in one day (3 hours to be precise) then I'm sure anyone else that's learning can too!

So, here goes. (I'm not too good at explaining stuff but I'm giving it a go!)

Securing Inputs:

Now, securing inputs is vital. People can get access to valuable information if you aren't careful. So this is how I would go about it.

Take for example $_GET['faz']. Now that on its own can be injected. So take the following steps.

If $_GET['faz'] is to be a number, you would secure it by doing this.

$_GET['faz'] = abs(@intval($_GET['faz'])); I would add that at the top of the file, or in a function if it's only used once. If it was to be a string, I would go about doing it like this:

$_GET['faz'] = stripslashes(htmlspecialchars($_GET['faz']));

You would use stripslashes and mysql_real_escape_string because it's $_GET, not $_POST, which will be explained later on in the post.

Now, to secure $_POST you would go about doing it like this:

$_POST['faz'] = mysql_real_escape_string(htmlentities($_POST['faz']));

Note I used htmlentities and htmlspecialchars; they both do the same thing, it's just up to personal preference. I use htmlentities as I like the word entities and I tend to remember that over htmlspecialchars lol.

If $_POST['faz'] is a number, you would do the same as you did with $_GET, as you want it to be a number.

$_POST['faz'] = abs(@intval($_POST['faz']));

Now that would make sure it is a number, and I would say it is secure (some advanced programmers may disagree, but hey, I'm a noob and have only been doing this properly for about 2 months now.)

Now that is secure, we would look at securing a few queries. I would use sprintf() although it is debatable.

Take this query for example:

$db->query("SELECT * FROM users WHERE userid = {$_GET['faz']}");

That could be potentially harmful if it's used in a vital location, so you would secure it using sprintf(). I would go about doing it like this:

$query = sprintf("SELECT * FROM users WHERE (userid = %u)", $_GET['faz']);

$db->query($query);

You may be wondering what has happened to the userid, but I replaced it with %u, and at the end of the query, use a comma, and put the value there.

%d is a signed integer

%u is an unsigned integer

If you want to know a bit more about those two refer to: http://dev.mysql.com/doc/refman/5.0/en/ ... types.html

As you see, $_GET['faz'] appeared in the query, but above we secured it, so it is safe from harmful people with nothing better to do. That is how to secure $_GET, $_POST and a query. If you want to secure another type of query used in mccodes, we would go about doing it like this.

$db->query("UPDATE users SET money=money-$loss WHERE userid=$userid");

That is insecure, and can be fiddled around with. So we'd sprintf() it, and go about doing it like this.

$sprintf = sprintf("UPDATE `users` SET `money` = `money` - %d WHERE (`userid` = $userid)", abs(@intval($loss)));

$db->query($sprintf);

I would say that is secure, as I said, I'm not too good at explaining, but I tried my best.

This is just a guide for some people, I'm sorry if there are any mistakes, errors or typos. As I said, I'm just new so go easy on me. I hope this helps a few people, that is the aim of this topic. Thanks.

Posted

Re: How to secure a few things!

$_GET

//Yours (Numeric):
$_GET['faz'] = abs(@intval($_GET['faz']));

//Mine (Numeric):
$_GET['faz'] = isset($_GET['faz']) && !empty($_GET['faz']) && ctype_digit($_GET['faz']) ? $_GET['faz'] : FALSE;

//Yours (String):
$_GET['faz'] = stripslashes(htmlspecialchars($_GET['faz']));

//Mine (String):
$_GET['faz'] = isset($_GET['faz']) && !empty($_GET['faz']) && ctype_alnum($_GET['faz']) ? $_GET['faz'] : FALSE;

 

$_POST

 

//Yours (String):
$_POST['faz'] = mysql_real_escape_string(htmlentities($_POST['faz'])); // Not that bad.. (May want to stripslashes if Magic Quotes are on..)

//Yours (Numeric):
$_POST['faz'] = abs(@intval($_POST['faz'])); // Not that bad...

 

Others

 

//Yours (Select + Secure):
$query = sprintf("SELECT * FROM users WHERE (userid = %u)", $_GET['faz']);
$db->query($query);

//Mine (Select + Secure):
$db->query(sprintf("SELECT * FROM `users` WHERE `userid`='%d'", abs($_GET['faz'])));

//Yours (Update):
$sprintf = sprintf("UPDATE `users` SET `money` = `money` - %d  WHERE (`userid` = $userid)", abs(@intval($loss)));
$db->query($sprintf);

//Assuming $loss is a $_POST
//Mine (Update):
if (!ctype_digit($_POST['loss'])) {
    echo 'Epic Fail!';
    exit();
} else {
    $db->query(sprintf("UPDATE `users` SET `money`=`money`-'%d' WHERE `userid`='%d'", $_POST['loss'], abs($ir['userid'])));
}

 

Hope that helps a bit..

Just remember... sprintf() does not, and I repeat, does not secure queries...

sprintf() formats... Just remember that
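The two posts above make two points that are easy to conflate: the input check (abs(intval()) versus ctype_digit()) and the query construction (sprintf() formats, it does not escape). The script below is an added example, not code from either poster or from mccodes; it contrasts both approaches on constructed sample input and then shows the same UPDATE written as a PDO prepared statement, which is the form where the database never parses user input as SQL. It runs offline against an in-memory SQLite table; the names `$ir['userid']`, `$_POST['loss']` and the `users` columns are taken from the thread, the table contents and `readUnsignedInt()` helper are assumptions for the demo.

```php
<?php
// Added example (not from the thread): input validation and query
// construction side by side, using an in-memory SQLite database.
declare(strict_types=1);

/**
 * Numeric check in the spirit of the "Mine (Numeric)" line above.
 * Returns the value as int, or false when it is not a plain digit string.
 * Unlike abs(intval()), "12abc" and "-5" are rejected instead of coerced,
 * and unlike !empty(), a legitimate "0" is not treated as missing
 * (empty("0") is true in PHP, which would drop userid 0).
 */
function readUnsignedInt(array $src, string $key)
{
    if (!isset($src[$key]) || !is_string($src[$key]) || !ctype_digit($src[$key])) {
        return false;
    }
    return (int) $src[$key];
}

// Constructed sample inputs of the kind a game page might receive.
foreach (['7', '12abc', '-5', '0', '1 2'] as $sample) {
    $checked = readUnsignedInt(['x' => $sample], 'x');
    printf("%-8s abs(intval)=%-3d ctype_digit=%s\n",
        var_export($sample, true),
        abs((int) $sample),
        $checked === false ? 'rejected' : 'ok');
}

// sprintf() formats; it does not escape. %d/%u coerce to an integer, which
// is why the numeric examples in the thread hold up. %s passes the string
// through unchanged, quotes included, so this SQL is simply broken:
$name = "O'Brien";                                 // constructed value
echo sprintf("SELECT `userid` FROM `users` WHERE `username` = '%s'", $name), "\n";
echo sprintf("SELECT `userid` FROM `users` WHERE `userid` = %d", "12abc"), "\n"; // 12

// Prepared-statement version of the thread's money update.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, money INTEGER)");
$pdo->exec("INSERT INTO users VALUES (1, 'faz', 500), (2, 'O''Brien', 50)"); // constructed rows

function deductMoney(PDO $pdo, int $userid, int $loss): int
{
    // Placeholders carry the values separately from the SQL text.
    $stmt = $pdo->prepare("UPDATE users SET money = money - :loss WHERE userid = :uid");
    $stmt->bindValue(':loss', $loss, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // number of rows updated
}

// Simulated request, matching the thread's assumptions ($_POST['loss'], $ir['userid']).
$_POST['loss'] = '25';
$ir = ['userid' => 1];

$loss = readUnsignedInt($_POST, 'loss');
if ($loss === false) {
    echo "Invalid loss\n";
    exit;
}
$updated = deductMoney($pdo, $ir['userid'], $loss);

$stmt = $pdo->prepare("SELECT money FROM users WHERE userid = :uid");
$stmt->execute([':uid' => $ir['userid']]);
printf("rows updated: %d, money now: %d\n", $updated, $stmt->fetchColumn()); // 1, 475
```

The first loop is the part worth running once: it shows which inputs abs(intval()) silently turns into a number and which ones ctype_digit() refuses. The prepared statement needs no sprintf() at all; binding with PDO::PARAM_INT after the ctype_digit() check gives both the type guarantee and the separation of data from SQL.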

Posted

Re: How to secure a few things!

Ah I see, thanks a lot for that, it's helped me and will help a lot of people also. Thanks a lot for that!

Posted

Re: How to secure a few things!

SELECT * FROM users WHERE

Why?

Your examples show that you are only needing "faz" from the users table, but that right there is selecting everything. :)

$faz = sprintf("SELECT `faz` FROM `users` WHERE (userid = %u)", $_GET['faz']);

$db->query($faz);

:)

Posted

Re: How to secure a few things!

I think it's very good, you've learnt. And you can now pick up some more stuff :)

People will be able to learn from this, it's clear.

Posted

Re: How to secure a few things!

lol Faz, it's a starting point. I'm sure many will read this and hopefully more will be added.

Well done Faz!

Posted

Re: How to secure a few things!

Lol thanks a lot. I guess many more people can learn now, I think they are pretty easy to follow (I know, I'm so modest aren't I? :P) so people can do a bit themselves. Which was the whole purpose of it really :)

Guest Sniko`
Posted

Re: How to secure a few things!

Thanks, this helped me a lot. +1

Posted

lmfao Karlos... select *?

 

// post for an example:
$_POST['numeric'] = (ctype_digit($_POST['numeric'])) ? $_POST['numeric'] : '';
$_POST['example'] = (ctype_alnum($_POST['example'])) ? $_POST['example'] : '';
if ( !$_POST['example'] OR !$_POST['numeric'] ) {
    echo 'Invalid Post.';
    $h->endpage();
    exit;
}
elseif ( $_POST['example'] AND $_POST['numeric'] ) {
    $db->query(sprintf('
    UPDATE `table`
    SET `column` = `column` - %u
    WHERE `whatever` = %u',
    mysql_real_escape_string(htmlentities($_POST['example'])),
    $_POST['numeric']
    ));
}
else {
    echo 'wtf...';
    $h->endpage();
    exit;
}

 

Sorry, I'm just bored...
