Joshua Posted July 28, 2009

Ok, so I've been through and through all the posts in regards to securing one's site via this forum and a few others. It's common knowledge that you can't secure your site JUST by throwing a few lines in Header.php, Login.php, Register.php, and Authenticate.php.

Here is my request. A lot of you professionals on this board know the escape strings etc. and how to use them. If you could, instead of telling us all to use '".mysql_real_escape_string, give us a very small demonstration of the way it looks inserted, i.e.:

'".mysql_real_escape_string($_GET['ID'])."'",$c);

That way, we can take what you show us and manually go through all our files (if they aren't lazy) and at least get some basic defense from your average hackers. I am just now to the point where I can read and understand the language and write a few basic mods to my mods, but I'm not knowledgeable with writing my own scripts etc.

One-liners such as

$_GET['ID'] = abs((int) $_GET['ID']);

won't 100% secure any site, nor will

```php
<?php
// length check on incoming data
function checkIncomingData($idata, $minsize, $maxsize) {
    if (strlen($idata) < $minsize or strlen($idata) > $maxsize) {
        return false;
    } else {
        return true;
    }
}

// make sure that nothing bad can be entered by the user (-->sql injection attack)
function cleanIncomingData($idata) {
    $cleaned = trim($idata);
    $cleaned = mysql_real_escape_string($cleaned);
    return $cleaned;
}

$IP = $_SERVER['REMOTE_ADDR'];

function cleanQuery($string) {
    if (get_magic_quotes_gpc()) { // prevents duplicate backslashes
        $string = stripslashes($string);
    }
    // mysql_real_escape_string() (connection-aware) exists from PHP 4.3.0;
    // version_compare() is used because a plain string comparison of version numbers is unreliable
    if (version_compare(phpversion(), '4.3.0', '>=')) {
        $string = mysql_real_escape_string($string);
    } else {
        $string = mysql_escape_string($string);
    }
    return $string;
}
```

I guess what I'm asking is give us examples of the proper tags and what to use them on. I'm not lazy, I have no problem going through every last one of my files and correcting code, I just am not sure how to insert the codes exactly. If this makes sense and you offer your help, thanks.
If not, well, I tried :P Just figured this would end the multiple posts and perhaps be a step in the right direction to securing the po-dunk script that is McCodes ><
CrazyT Posted July 28, 2009

Re: A moderate request that will help a lot of forum members.

lol..

```php
<?php // remove php tags of course.
function cleanQuery($string, $trim = false) {
    if (is_null($string)) {
        return $string;
    }
    if (is_string($string)) {
        // prefer the connection-aware escape when the extension provides it
        if (function_exists('mysql_real_escape_string')) {
            if ($trim == true) {
                return mysql_real_escape_string(trim($string));
            } else {
                return mysql_real_escape_string($string);
            }
        } else {
            if ($trim == true) {
                return mysql_escape_string(trim($string));
            } else {
                return mysql_escape_string($string);
            }
        }
    }
    // non-string values (ints, arrays) are returned untouched
    return $string;
}
```

I use something similar to that^.

Example: sprintf (loads of people use sprintf so I'll show you in sprintf())

```php
<?php // just for colors.
$sql = sprintf("UPDATE `users` SET `username` = '%s' WHERE (userid = %u)",
    cleanQuery($_POST['new_username']), $ir['userid']);
mysql_query($sql);
```

Without sprintf.

```php
<?php // just for colors.
mysql_query("UPDATE `users` SET `username` = '" . cleanQuery($_POST['new_username']) . "' WHERE (userid = " . $ir['userid'] . ")");
```

But if you're using v2 you can just use their function $db->escape(), which is just:

```php
<?php // just for colors.
function escape($data) {
    return mysql_real_escape_string($data, $this->connection_id);
}
```
Joshua Posted July 28, 2009

Very helpful, T. I use everything I posted and then some. I just want to go through every single page I have and change all db->queries to something a bit more secure. I was also told that every function that has, say... if($irblahblah['yadda']) should be changed to (htmlspecialchars(yaddayadda)) using stripslashes and the likes. I've put a lot of time and effort into my game and will continue to do so, I just want to make sure I have it S.E.C.U.R.E as can be before I spend another 2-300.00 on it in advertising. Thank you for the advice.
CrazyT Posted July 28, 2009

Only use htmlspecialchars/htmlentities/stripslashes on display.. I use more but ya will help you xD. EG..

```php
<?php // just for colors....
echo "Username: " . htmlspecialchars(stripslashes($ir['username']));
```

You can use strip_tags too on going into the database... http://php.net/strip_tags
CrazyT Posted July 28, 2009

Also you could use preg_match for stuff too ;) For username for example..

```php
<?php // for colors..
if (!preg_match("/^([a-zA-Z0-9._-])+$/", $_POST['new_name'])) {
    echo "Username can only contain alphanumeric characters, the underscore, dash and period.";
} else {
    // update stuff
}
```
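An added example (mine, not code from this thread or from McCodes) that puts the pieces of the thread together on PHP 7 and later, where the mysql_* functions no longer exist: the same "UPDATE users SET username WHERE userid" query from CrazyT's sprintf post as a PDO prepared statement, CrazyT's username allow-list with Joshua's min/max length check in front of it, and htmlspecialchars only at display time. The $pdo connection details and the 3..20 length limits are assumptions.

```php
<?php
// Added example, not from the thread or McCodes. PHP 7+ removed the mysql_*
// functions, so the "UPDATE users SET username WHERE userid" query from the
// posts above is shown here as a PDO prepared statement: the values travel
// separately from the SQL text, so no quoting or escaping of $_POST is needed.

// CrazyT's allow-list regex with Joshua's min/max length check in front of it.
// Limits (assumed) are 3..20 characters; validation runs before any SQL.
function isValidUsername(string $name, int $min = 3, int $max = 20): bool
{
    $len = strlen($name);
    if ($len < $min || $len > $max) {
        return false;
    }
    return preg_match('/^[a-zA-Z0-9._-]+$/', $name) === 1;
}

// Parameterised form of:  UPDATE `users` SET `username` = '%s' WHERE (userid = %u)
// bindValue() types replace the '%s'/%u distinction: the int is bound as an int,
// so an unquoted numeric context is no longer a place where escaping would fail.
function changeUsername(PDO $pdo, int $userId, string $newName): bool
{
    if (!isValidUsername($newName)) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE `users` SET `username` = :name WHERE `userid` = :id');
    $stmt->bindValue(':name', $newName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Display side only, as CrazyT says: encode when echoing, never before storing.
// ENT_QUOTES also covers single quotes, which matters inside HTML attributes.
function displayName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Usage (connection details are placeholders; ERRMODE_EXCEPTION makes a failed
// query throw instead of silently returning false):
$pdo = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$newName = (string) ($_POST['new_username'] ?? '');
if (changeUsername($pdo, (int) ($_GET['ID'] ?? 0), $newName)) {
    echo 'Username is now: ' . displayName($newName);
} else {
    echo 'Username can only contain alphanumeric characters, the underscore, dash and period.';
}
```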