jon182 Posted November 22, 2009
Ok, everyone says

$db->query("bla blah blah");

is insecure and

$query = ("blah blah blah"); $db->$query;

is safe, so would there be any way to go into globals and change all of the first form into the second? Sorry, I'm not the greatest when it comes to making things absolutely secure (though I do have many protections set up).
Gucci Mane Posted November 22, 2009
I am NOT a coder, but I think it is like this:

$query $db->query("bla blah blah");
Mcfarlin Posted November 22, 2009
I think you would have to do it more like this:

[mysql]
$abc = $db->query("bla bla bla");
while ($r = $db->fetch_row($abc)) {
    // your content here: a call to $r will get the info from the above $db->query
    // ('column' stands for whichever column the query selected)
    print $r['column'];
}
[/mysql]

Small edit, typing too fast. lol
Danny696 Posted November 22, 2009
I think you mean something like this:

$query = sprintf("SELECT * FROM users WHERE userid=%u", $userid);
$db->query($query);
Djkanna Posted November 22, 2009
> I think you mean something like this: $query = sprintf("SELECT * FROM users WHERE userid=%u", $userid); $db->query($query);

That has nothing to do with security either 8| In fact, nothing on this topic does :whistling:
Danny696 Posted November 22, 2009
Hmm, I never said it secured it, just saying what they meant to say ;)
Zero-Affect Posted November 22, 2009
> I think you mean something like this: $query = sprintf("SELECT * FROM users WHERE userid=%u", $userid); $db->query($query);
> Hmm, I never said it secured it, just saying what they meant to say ;)

So that is secure? I am sorry, but people who make these assumptions about sprintf get hacked because of people telling them sprintf is secure...

Yours:

$query = sprintf("SELECT * FROM users WHERE userid=%u", $userid);
$db->query($query);

Mine:

// only ever select the columns from the table you want to use
// never * unless you're selecting the entire amount of columns and using them all.
$query = $db->query(sprintf('
    SELECT `column1`, `column3`, `column10`
    FROM `users`
    WHERE `userid` = %u', $userid));
while ($what = $db->fetch_row($query)) {
    echo ' column1 = ' . $what['column1']
       . ' column3 = ' . $what['column3']
       . ' column10 = ' . $what['column10'] . ' ';
}
Danny696 Posted November 22, 2009
You're the one making assumptions; show me where I said that sprintf will secure your site. -.- Didn't think ya could. The TP said:

$query = ("blah blah blah"); $db->$query;

I was correcting them. Get your facts right, then come back.
Zero-Affect Posted November 22, 2009
> You're the one making assumptions; show me where I said that sprintf will secure your site. -.- Didn't think ya could. The TP said: $query = ("blah blah blah"); $db->$query; I was correcting them. Get your facts right, then come back.

I believe you may have misunderstood me. I never once said you said it was secure; I was just specifying that it is not secure. It may have come across a bit anti-social due to me using your code for an example and then correcting it. Sorry about that. But there is no need for that sort of reply; I was genuinely just trying to help the Original Poster, and I do not see how a negative reply from you would help in the slightest.
jon182 (Author) Posted November 22, 2009
Ok, I was just using that as a quick example. My question still stands though: could I go into my globals and change all

$db->query("SELECT * FROM users WHERE userid=$userid");

into

$query = sprintf("SELECT * FROM `users` WHERE `userid` = %u", $userid);
$db->$query;
kaine- Posted November 23, 2009
I do not have any security at all on my game yet and I need some. Anyone got any?
Zero-Affect Posted November 23, 2009
> Ok, I was just using that as a quick example. My question still stands though: could I go into my globals and change all $db->query("SELECT * FROM users WHERE userid=$userid"); into $query = sprintf("SELECT * FROM `users` WHERE `userid` = %u", $userid); $db->$query;

sprintf is basically a filter; you're only filtering the $userid, which most likely is already protected. There is no real (quick) way of securing any website, unless you code it from scratch. One of the main risks with using someone else's engine for your website is that you put a lot of trust into someone else's work. Consider this: just because it cost you 300 bucks doesn't mean it's worth it. MCC is exploitable in many aspects; I would suggest using the search option on the forum for ideas on security, then cross-referencing the commands used with php.net. Yes, you can go into globals and change the queries, but it still doesn't mean it will be secure.
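Zero-Affect's point here, and in the earlier "so that is secure?" reply, is the one worth seeing run: sprintf('%u') only helps because it coerces its argument to an integer, and it does nothing at all for a '%s' string parameter. The following is an added example, not code from this thread or from McCodes. It assumes the pdo_sqlite extension (bundled with most PHP builds) and builds a throwaway in-memory users table with constructed rows; the helper names (rawQuery, sprintfIntQuery, escapedStringQuery, preparedCount, countRows) are this example's own. The same attacker input is sent through direct interpolation, sprintf('%u'), sprintf('%s'), driver escaping via PDO::quote(), and a prepared statement, and the row counts show which forms the injection gets past.

```php
<?php
// Added example (not from the thread). Which query-building styles stop an
// injection? Uses an in-memory SQLite database through PDO so it runs offline.

// Constructed attacker-controlled inputs, as they might arrive in $_GET.
$attackerId   = "1 OR 1=1";
$attackerName = "admin' OR '1'='1";

// 1. Direct interpolation: the form the thread calls insecure.
function rawQuery($userid) {
    return "SELECT userid, username FROM users WHERE userid=$userid";
}

// 2. sprintf('%u'): PHP converts the argument to an unsigned integer, so
//    "1 OR 1=1" becomes 1 and a non-numeric string becomes 0. This is safe
//    for integer columns only because the conversion throws the rest away.
function sprintfIntQuery($userid) {
    return sprintf("SELECT userid, username FROM users WHERE userid=%u", $userid);
}

// 3. sprintf('%s'): the string is inserted verbatim, so sprintf filters
//    nothing; the quote inside the payload closes the SQL literal.
function sprintfStringQuery($username) {
    return sprintf("SELECT userid, username FROM users WHERE username='%s'", $username);
}

// 4. Escaping: same query, but the driver escapes and quotes the value
//    (PDO::quote here; mysql_real_escape_string on a MySQL link in 2009).
function escapedStringQuery(PDO $pdo, $username) {
    return sprintf("SELECT userid, username FROM users WHERE username=%s",
                   $pdo->quote($username));
}

// 5. Prepared statement: SQL text and data travel separately, nothing to escape.
function preparedCount(PDO $pdo, $username) {
    $stmt = $pdo->prepare("SELECT userid, username FROM users WHERE username = ?");
    $stmt->execute(array($username));
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Runs a finished SQL string and returns how many rows came back.
function countRows(PDO $pdo, $sql) {
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed table: three users, one of them the account an attacker wants.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (userid, username) VALUES (1, 'jon'), (2, 'danny'), (3, 'admin')");

$cases = array(
    'interpolated int' => rawQuery($attackerId),            // WHERE userid=1 OR 1=1  -> every row
    "sprintf('%u')"    => sprintfIntQuery($attackerId),     // WHERE userid=1         -> one row
    "sprintf('%s')"    => sprintfStringQuery($attackerName),// quote breaks out       -> every row
    'escaped + quoted' => escapedStringQuery($pdo, $attackerName), // literal name -> no row
);
foreach ($cases as $label => $sql) {
    printf("%-18s rows=%d  %s\n", $label, countRows($pdo, $sql), $sql);
}
printf("%-18s rows=%d\n", 'prepared', preparedCount($pdo, $attackerName));
```

Run it with the PHP CLI and compare the row counts: the two forms that return every row are the two the attacker wins, and sprintf('%u') is one of the safe ones only because the parameter is an integer. For a username, sprintf gives nothing; you need the driver to escape the value or, better, a prepared statement.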
AlabamaHit Posted November 29, 2009
Example for userid:

$db->query("SELECT `userid`, `username` FROM `users` WHERE `userid` = %u", abs(@intval($ir['userid'])));

Example for username:

$db->query("SELECT `userid`, `username` FROM `users` WHERE `username` = '%s'", stripslashes($ir['username']));

That of course is if you have mres'd your usernames...
Djkanna Posted December 3, 2009
AlabamaHit: why abs(@intval()) on the $ir['userid']? What about stripslashes(htmlspecialchars()) on the username, or even htmlentities()?
Zero-Affect Posted December 18, 2009
Wow, now that's a bit silly. You hopefully do not allow specific chars in usernames? You're calling from $ir, which I would believe to be a secure source unless you define the $ir array used. Considering you're using an outside source, i.e.:

$ir['userid'] = $_GET['userid']; // defining $ir['userid'] as $_GET['userid']

it should alternatively be set out like so:

$ir['userid'] = (ctype_digit($_GET['userid']) AND !empty($_GET['userid'])) ? $_GET['userid'] : '';

and would work like so:

// isset() added so a missing parameter does not raise an undefined-index notice
$ir['userid'] = (isset($_GET['userid']) AND ctype_digit($_GET['userid']) AND !empty($_GET['userid'])) ? $_GET['userid'] : '';
if (!$ir['userid']) { // if begin
    echo 'not happening buddy!';
} // if end
else { // else begin
    $query = $db->query(sprintf('
        SELECT `column1`, `column3`, `column10`
        FROM `users`
        WHERE `userid` = %u', $ir['userid']));
    while ($what = $db->fetch_row($query)) { // while begin
        echo ' column1 = ' . $what['column1']
           . ' column3 = ' . $what['column3']
           . ' column10 = ' . $what['column10'] . ' ';
    } // while end
} // else end
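Djkanna's question about abs(@intval()) and Zero-Affect's ctype_digit() check above give different answers on exactly the inputs that matter. The following is an added example, not code from this thread or from McCodes: validateUserId() is a hypothetical whitelist helper written for this example, and the input list is constructed to hit the corners (a negative id, trailing junk, leading whitespace, leading zeros, an empty value, an injection attempt). Running it prints what each approach turns the raw value into, which is the information needed to decide between them.

```php
<?php
// Added example (not from the thread). abs(intval()) versus sprintf('%u')
// versus a ctype_digit() whitelist on the same raw user id values.

// Strict whitelist: the value must be a string of ASCII digits, not start
// with a zero, and be short enough to fit a real id; otherwise reject it.
// ctype_digit() is deliberately given a string: before PHP 8.1 an integer
// argument is treated as an ASCII code, so ctype_digit(5) is false while
// ctype_digit(53) is true.
function validateUserId($raw) {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10 || $raw[0] === '0') {
        return null; // caller shows an error instead of running a query
    }
    return (int) $raw;
}

// What each approach from the thread turns the raw value into.
function compare($raw) {
    return array(
        'input'         => var_export($raw, true),
        'abs(intval())' => abs(@intval($raw)),        // AlabamaHit's form
        "sprintf('%u')" => sprintf('%u', $raw),       // Danny696's / Zero-Affect's form
        'whitelist'     => var_export(validateUserId($raw), true),
    );
}

// Constructed inputs. Points to notice in the output:
//  '-5'     abs(intval()) silently turns it into user 5, a different account;
//           sprintf('%u') turns it into a huge unsigned number, i.e. no account.
//  '5abc'   both numeric forms keep the leading 5 and drop the junk.
//  ' 5', '00042'  accepted by the numeric forms, rejected by the whitelist.
//  ''       becomes 0 under both numeric forms; the whitelist rejects it.
$inputs = array('5', '-5', '5abc', '1e3', ' 5', '', '0', '00042', '5 OR 1=1');

printf("%-12s %-22s %-22s %s\n", 'input', 'abs(intval())', "sprintf('%u')", 'whitelist');
foreach ($inputs as $raw) {
    $r = compare($raw);
    printf("%-12s %-22s %-22s %s\n",
           $r['input'], $r['abs(intval())'], $r["sprintf('%u')"], $r['whitelist']);
}
```

The numeric forms never refuse anything; they coerce, and the coerced value may point at a different user than the one named in the request. The whitelist refuses, and the page can then show an error instead of quietly running a query for the wrong id.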
Djkanna Posted December 18, 2009
> Wow, now that's a bit silly.

Was that directed at me? If so, why? What's silly?
Zero-Affect Posted December 19, 2009
I just explained above exactly why...
Floydian Posted December 19, 2009
Hey jon182, there is no difference between the two pieces of code below:

$db->query('blah blah blah');

$string = 'blah blah blah';
$db->query($string);

Securing a query requires knowing what the exploits/vulnerabilities are and how to secure them. It's taken me years to really get a good handle on it. If you have more specific code examples of queries that may or may not be secure, those can be looked at on an individual basis to see if they are secure. Hope that helps.
Djkanna Posted December 19, 2009
> I just explained above exactly why...

I understand that, but I was just asking AlabamaHit why he has put abs(@intval()) on the $ir['userid'] when it's not at all needed. The stripslashes question was my mistake; it's in a query, not on output. Sorry, but the other is still unneeded (not to mention the use of %u without sprintf()...).
Zero-Affect Posted December 19, 2009
I was referring to Alabama, and to you for the stripslashes comment. I apologize if it in any way belittled you.
AlabamaHit Posted December 19, 2009
The missing sprintf was a typo. It obviously was supposed to be there. lol

Now, people saying that my code was wrong because I use 'userid' as an "example"... come on guys. I'm not holding hands here. That all is just an example of how to format and keep numbers positive. The stripslashes was just a 'tip' on words, because one would assume that they are securing the stuff on entering the DB. Of course, if you're not, then don't use stripslashes. lol.

Small tip to Zero (not meaning to be offensive): you might want to check into not putting an array in a loop. It will slow your code down.
Zero-Affect Posted December 20, 2009
$ir['userid'] is protected so... and using %d / %u ints the numeric chars... I believe. Loop referring to the while?

// isset() added so a missing parameter does not raise an undefined-index notice
$ir['userid'] = (isset($_GET['userid']) AND ctype_digit($_GET['userid']) AND !empty($_GET['userid'])) ? $_GET['userid'] : '';
if (!$ir['userid']) { // if begin
    echo 'not happening buddy!';
} // if end
else { // else begin
    $query = $db->query(sprintf('
        SELECT `column1`, `column3`, `column10`
        FROM `users`
        WHERE `userid` = %u', $ir['userid']));
    $what = $db->fetch_row($query);
    echo ' column1 = ' . $what['column1']
       . ' column3 = ' . $what['column3']
       . ' column10 = ' . $what['column10'] . ' ';
} // else end

Good point, lol. while would only work if the output from the query was more than one row.
Djkanna Posted December 20, 2009
> I was referring to Alabama, and to you for the stripslashes comment. I apologize if it in any way belittled you.

You can belittle me all you like for the stripslashes comment (even I feel stupid about that one -.- xD)
Zeggy Posted December 21, 2009
Replying to the original topic: yes, it is possible to do that. You would probably need to write a regular expression or a script to do it for you though; it's not simply search and replace. However, securing your queries really depends on the type of query you are securing. There is no catch-all security technique to secure everything, so doing the above would be both a waste of time and counter-productive (and if done wrong, could leave your site even more vulnerable than before).