Redex Posted December 26, 2009

Security thread, done to the best of my ability.

$_GET = an output, because it's getting something from the database.
$_POST = an input, because it's inputting something into the database.

Securing numbers

abs() - this determines that the number you post is an absolute value.

$_GET['number'] = abs($_GET['number']);

An output because it's $_GET, and abs makes sure it's an absolute number.

McCodes example:

$_GET['ID'] = abs($_GET['ID']); - this is an output because it's $_GET, and abs is making sure the number is an absolute value.
$_POST['ID'] = abs($_POST['ID']); - this is an input because it's $_POST.

intval()

intval() - makes sure the number is not a decimal, and is a whole number.

$_GET['number'] = intval($_GET['number']); - this is an output because it's $_GET, and intval makes sure the number is not a decimal.

McCodes example:

echo intval(4.2); // 4
$_POST['money'] = intval($_POST['money']);

Now, if we want a number which is not a decimal and is an absolute value, you have to combine the two options we have above. Example:

$_POST['number'] = abs(intval($_POST['number']));

McCodes example:

$_POST['money'] = abs(intval($_POST['money']));

floatval()

floatval() makes sure it's a floating integer (any number).

$_GET['number'] = floatval($_GET['number']);

McCodes example:

$_POST['money'] = floatval($_POST['money']);
$_GET['money'] = floatval($_GET['money']);

Combine with abs to make the number more secure:

$_POST['money'] = abs(floatval($_POST['money']));
$_GET['money'] = abs(floatval($_GET['money']));

mysql_real_escape_string

mysql_real_escape_string - escapes special characters in a string.

$_POST['string'] = mysql_real_escape_string($_POST['string']);

Only use mysql_real_escape_string on inputs ($_POST).

McCodes example:

$_POST['user'] = mysql_real_escape_string($_POST['user']);

stripslashes

stripslashes - strips slashes. Example:

<?php
$example = "Hello blah what\'s up?";
echo stripslashes($example);

Output would be: Hello blah what's up?

htmlspecialchars

htmlspecialchars - converts special characters to HTML entities. Example:

$link = htmlspecialchars("<a href='test.php'>Test</a>");

htmlentities

htmlentities - converts all applicable characters to HTML entities.

<?php
$str = "A 'quote' is bold";
echo htmlentities($str);

IP hack: how to secure?

Find the code

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

in login, register, header and authenticate.php and replace it with

$IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

How to secure cmarket.php?

Add this directly under <?php

$_GET['ID'] = abs(@intval($_GET['ID']));

Note: the last two only prevent the IP hack and cmarket hack; they do not secure the whole file.

That's the end of my tutorial. If there is anything wrong, can the experienced coders please correct it. Thanks, but at least I attempted a tutorial ;)
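The tutorial above casts request values in place with abs(intval(...)) and escapes strings with mysql_real_escape_string. The following is an added example, not Redex's code and not part of McCodes: it rewrites the numeric checks as functions that reject bad input instead of coercing it (intval('12abc') is 12 and intval('abc') is 0, both of which the in-place cast would pass on as valid IDs), runs the userid lookup through a prepared statement so the value is bound rather than pasted into the SQL, and applies htmlspecialchars at output time. The PDO connection $db, the users table and its userid/username columns are assumptions for the example. A caveat for anyone still on the tutorial's approach: the mysql_* extension, and with it mysql_real_escape_string, was removed in PHP 7.0.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.1+ and a PDO
// connection $db to a database with a hypothetical `users` table.

// Return a non-negative whole number, or null when the input is not one.
// Unlike abs(intval($x)), a value such as "12abc" or "abc" is refused
// rather than silently turned into 12 or 0.
function clean_id($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? null : $n;
}

// Return a non-negative finite float, or null. Replaces abs(floatval($x)).
function clean_money($value): ?float
{
    $f = filter_var($value, FILTER_VALIDATE_FLOAT);
    if ($f === false || $f < 0 || !is_finite($f)) {
        return null;
    }
    return $f;
}

// Look up a user by ID. The ID is bound as a parameter, so no escaping is
// needed and it makes no difference whether it arrived via $_GET or $_POST.
function find_user(PDO $db, $raw_id): ?array
{
    $id = clean_id($raw_id);
    if ($id === null) {
        return null;                          // reject; do not fall back to ID 0
    }
    $stmt = $db->prepare('SELECT userid, username FROM users WHERE userid = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding belongs where a value is printed into HTML, not on input.
// ENT_QUOTES also encodes single quotes, which the default flags leave alone.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values, for running the helpers stand-alone:
$_GET['ID']     = '12abc';
$_POST['money'] = '-5.5';
var_dump(clean_id($_GET['ID']));          // rejected, where abs(intval()) gave 12
var_dump(clean_money($_POST['money']));   // rejected, where abs(floatval()) gave 5.5
echo html("<a href='test.php'>O'Neil</a>"), "\n";
```

With a real $db in scope, find_user($db, $_GET['ID']) returns the row as an associative array or null; the caller decides what a null means (usually a 400-style error page) instead of continuing with a coerced value.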
CrazyT Posted December 26, 2009

lmaoo Fail much?
Redex Posted December 26, 2009 Author

I don't quite understand what you mean?
Zero-Affect Posted December 26, 2009

Quoting CrazyT: lmaoo Fail much?

dick much?
Danny696 Posted December 26, 2009

Just some things to tell you about:

$_GET is wrong, so is $_POST.

"floatval() makes sure it's a floating integer (any number)" - ROFL!! Floating number.

Oh, and why MRES a number?

"in login register header authenticate.php" - Global Func??
Danny696 Posted December 26, 2009

$_SERVER['HTTP_X_FORWARDED_FOR'] isn't a defined superglobal anymore, so it will error.

Oh, and according to your 'tut', you're saying:

$db->query("SELECT * FROM users WHERE userid={$_GET['ID']}");

is a lot different from this query:

$db->query("SELECT * FROM users WHERE userid={$_POST['ID']}");
Redex Posted December 26, 2009 Author

I've said from the start that there may be some things wrong in the post, so please correct them. There's no need to pinpoint them like that, to make me feel ashamed in front of everyone, because I'm still in the learning process. I understand that there are things wrong with the post, so just correct them; there is no need to ask questions to me saying you think this and that, just correct them!

LazyT, you might not think this is the best of security tutorials, but meh, I'm not sure many people have an image of you other than as a hacker who just likes to humiliate people.

Once again, just keep your heads cool and correct the mistakes, and hopefully all of us can rejoin the community in a happy-mannered way ;). This is all I have to say, and please do not state your opinion on whether you agree or disagree with me on this statement; I just wanted to help the people out there who were requesting security tutorials, and many people were rejecting them (I'm not saying those people were wrong, they were right in their own ways).
Danny696 Posted December 26, 2009

$_GET and $_POST are pre-defined superglobals. They are used to transfer data from one page to another page/step. They are set by using forms (basic HTML). $_GET adds the info to the URL, e.g. http://www.mysite.com/index.php?foo=bar - $_GET['foo'] would output 'bar'. Whereas $_POST does not add it in the URL.
CrazyT Posted December 26, 2009

lmao.. @ Redex:

1) I'm no hacker, I'm far from it.... Yeah, I might have messed a few sites up, so what? I have a reason to do it back to someone.. I worked for a few games; I have logs of them spamming games I worked for, so I did it back. Their fault for doing it in the first place, otherwise it wouldn't have happened.

2) RTFM... is all I have to say..
Redex Posted December 27, 2009 Author

Well, in your opinion that's a valid excuse to hack someone's game, but that's not what I'm talking about. Just don't go on people's topics saying it's bad or you could have done better, because you did not bother to do it. It's the people who bothered to do it who know how it feels when someone comes and starts flaming their topic, so just keep quiet if you have nothing good to say ;)
seanybob Posted December 27, 2009

Sigh, let's not get into the whole "let's argue with crazy-t" thing again.

Redex, good guide. It shows you're learning (and have learned) quite a bit. One major thing to note is that both $_GET and $_POST are inputs. As someone mentioned above me, GET appends the variables to the end of the URL, while POST encodes them with the page (in a sense). They are both inputs sent via a form, and the method can be changed in the form declaration:

<form method=get action=#>

or

<form method=post action=#>

Keep up the good work!
Zero-Affect Posted December 27, 2009

I don't know if this would be a good place to add this, but it may help some people. With numeric $_POST or $_GET inputs, basically when you know the only thing going to be submitted is numeric, then why not simply restrict to numeric...

// post example
$_POST['example'] = (isset($_POST['example']) AND ctype_digit($_POST['example'])) ? $_POST['example'] : '';

// get example
$_GET['example'] = (isset($_GET['example']) AND ctype_digit($_GET['example'])) ? $_GET['example'] : '';

Same theory with alpha+numeric or restricted char inputs.
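Zero-Affect's allow-list idea (accept only the shape you expect, refuse everything else) generalises to any field. The block below is an added example, not Zero-Affect's or McCodes' code: one helper that reads a request field against a named rule (digits, alphanumeric, or a username pattern) and returns null on any mismatch, including the case where a client submits name[]=... and the value arrives as an array, plus the same treatment for the client IP address that the tutorial's REMOTE_ADDR fix relies on. REMOTE_ADDR comes from the TCP connection, whereas X-Forwarded-For is a header the client can set to anything, which is why the tutorial's replacement stops reading it. Field names and the username pattern are assumptions for the example.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7.1+.

// Does $value match the named input shape? Unknown rules never match.
function matches_rule(string $rule, string $value): bool
{
    switch ($rule) {
        case 'digits':   // "0".."9" only: no sign, no dot, no whitespace
            return $value !== '' && ctype_digit($value);
        case 'alnum':    // ASCII letters and digits only
            return $value !== '' && ctype_alnum($value);
        case 'username': // hypothetical site rule: 3-20 of [A-Za-z0-9_]
            return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $value) === 1;
        default:
            return false;
    }
}

// Read one field from $_GET/$_POST (or any array) and return it only when it
// matches the rule. Returning null instead of '' forces the caller to handle
// the rejection instead of carrying on with an empty value.
function field(array $source, string $name, string $rule): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;   // missing, or an array smuggled in via name[]=...
    }
    return matches_rule($rule, $source[$name]) ? $source[$name] : null;
}

// The client address the server saw on the connection. X-Forwarded-For is
// deliberately ignored; it is only meaningful behind a proxy you control.
// The value is validated as an IP literal before use, so it can be stored
// without any escaping tricks.
function client_ip(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

// Constructed request data for a stand-alone run:
$post = [
    'example' => '42',
    'user'    => "Bob O'Neil",   // apostrophe and space: fails the username rule
    'list'    => ['1'],          // submitted as list[]=1: arrives as an array
];
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => 'not an address',   // ignored
];

var_dump(field($post, 'example', 'digits'));
var_dump(field($post, 'user', 'username'));
var_dump(field($post, 'list', 'digits'));
var_dump(field($post, 'missing', 'alnum'));
var_dump(client_ip($server));
```

In the sample run only 'example' and the IP address come back as strings; the other three fields are null. The is_string check matters because ctype_digit() and preg_match() expect a string, and PHP will build an array from a name ending in [] without any code on the page asking for it.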