Zeggy, Posted January 11, 2010
bluegman991: Yes, to use variables outside a function's scope you need to redefine it, pass it through as a parameter or define it with global. BUT $_GET is a superglobal; you do not need to define that anywhere, ever. It is given a value at page load, and once you change it with abs or int functions it will STAY changed no matter the scope. What immortal described is NOT intended behaviour in PHP.
Oh, and to select specific columns in an SQL statement:
SELECT `id`, `username`, `any_more_columns` FROM `players`;
bluegman991, Posted January 11, 2010
$test=$db->query("SELECT `username` FROM users WHERE userid=1");
print "{$test}";
Is that right? If so, I get this when I do it:
Resource id #20Resource id #23
Joshua, Posted January 11, 2010
And if what you are saying is true, Zeggy, why don't users just go under the $IP variable in header and define every single get/post there?
$_GET['money'] = abs(@intval($_GET['money']));
$_GET['crystals'] = abs(@intval($_GET['crystals']));
$_GET['id'] = abs(@intval($_GET['id']));
$_GET['ID'] = abs(@intval($_GET['ID']));
$_POST['gangname'] = mysql_real_escape_string(htmlentities($_POST['gangname']));
etc..etc..etc..
Joshua, Posted January 11, 2010
Or one-up that and make one giant function that secures all GET and POST variables and slap that in header. Since it is a superglobal it should secure the entire site vs SQL/XSS injections, right? ;)
Zeggy, Posted January 11, 2010
I don't use mc codes so I can't really relate to your example. If it's what I think it is, then yes, you could define your get/post variables in a header file. (Although that would restrict your website in a couple of ways.)
What I'm saying isn't an opinion, it's a documented behaviour of PHP: "Several predefined variables in PHP are 'superglobals', which means they are available in all scopes throughout a script. There is no need to do global $variable; to access them within functions or methods."
http://php.net/manual/en/language.variables.superglobals.php
Joshua, Posted January 11, 2010
I know the global bit and how it acts. But I've seen first hand that just sticking a superglobal in header doesn't always stop all SQL/XSS stuff. Far be it from me to tell you WHY... but I prefer to just secure each $_POST/$_GET manually >,< slower... but shrugz.
bluegman991, Posted January 11, 2010
$test=$db->query("SELECT `username` FROM users WHERE userid=1");
print "{$test}";
Is that right? If so, I get this when I do it:
Resource id #18
Joshua, Posted January 11, 2010
$test=$db->query("SELECT `username` FROM users WHERE userid=1");
echo "{$test}";
should work; you didn't have a space between username and FROM so it was combining the 2.
AlabamaHit, Posted January 11, 2010
$test = mysql_fetch_array(mysql_query("SELECT username from users where userid = 1"));
echo $test;
You were missing the array.
bluegman991, Posted January 11, 2010
Using what AlabamaHit said prints this:
Array
Joshua, Posted January 11, 2010
roflz... *Is secretly laughing at himself*
$testing=$db->query("SELECT `username` FROM users WHERE userid=1");
$test=$db->fetch_row($testing);
echo "{$test}";
bluegman991, Posted January 11, 2010
It prints the same thing when I use what you just said, immortal :S
Array
Joshua, Posted January 11, 2010
If this doesn't work don't ask me :P lol. I'm going to go retire now; apparently Ny-Quil and being sick are having a negative impact on my coding >,<
$blah=$db->query("SELECT `username` FROM `users` WHERE userid='1'");
$test=$db->fetch_row($blah);
echo $test['username'];
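The three stages the thread stumbles through (a result handle, then a row array, then the column value) as an added example; this is my own code, not anything posted in the thread or part of mc codes. It uses PDO with an in-memory SQLite database instead of the thread's $db wrapper so it runs without a MySQL server, and the users table and its two rows are constructed for the example. The second lookup takes the id from $_GET and binds it as a parameter, which is the reason the abs(intval()) step stops being what keeps the query safe.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite stands in for
// the mc codes $db wrapper (query()/fetch_row()); table contents are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (userid, username) VALUES (1, 'alice'), (2, 'bob')");

// Step 1: running a query gives you a result handle, not the value.
// Printing the handle directly is what produced "Resource id #18" in the thread.
$stmt = $pdo->query('SELECT username FROM users WHERE userid = 1');
echo get_class($stmt), "\n";            // PDOStatement

// Step 2: fetching gives you one row as an array; echoing an array prints "Array".
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo gettype($row), "\n";               // array

// Step 3: index the row by column name to get the actual value.
echo $row['username'], "\n";            // alice

// Same lookup with the id taken from the request (constructed value below).
// The id is bound as a parameter, so it is never spliced into the SQL text;
// abs((int) ...) now only validates that the id is a sensible number.
$_GET['id'] = '2';
$id = abs((int) $_GET['id']);
$stmt = $pdo->prepare('SELECT username FROM users WHERE userid = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row === false ? "no such user\n" : $row['username'] . "\n";   // bob
```

Checking `$row === false` matters: fetch() returns false when no row matched, and indexing false with `['username']` is exactly the kind of silent bug the thread's echo "{$test}" experiments ran into.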
Zeggy, Posted January 12, 2010
Yes of course, it is not practical to secure variables like that in a real application. Every SQL injection is specific to the exact query format. Every XSS attack is specific to how values are filtered. And every variable is used differently on every page. If you could secure get/post variables from a global header, then your website would have to follow a very rigid structure in using URL parameters and form values. Sure, it's possible, but probably not for mc codes. If you want to be able to do this, you'd need to start doing it from the very beginning of coding the website.
There is nothing wrong with securing each get/post manually; in fact it's probably better. There's just no use doing it over and over again in each function you define. I've made a simple test program showing that changing $_GET inside a function makes no difference compared to changing it outside of a function, e.g. at the top of the page:
[code not available in this extract]
If, like you said, there are still SQL injections happening on your page, then I'm guessing it's because the attacker is using some attack vector that you haven't considered, or you are not correctly securing the variables/queries.
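Zeggy's test program is not visible in this extract, so here is an added example of my own (not Zeggy's code) demonstrating the same point: an assignment to $_GET inside a function is visible to everything that runs afterwards, whereas an ordinary variable assigned inside a function is a fresh local unless it is declared global or passed in. The request value is constructed to simulate what the web server would have placed in $_GET.

```php
<?php
// Added example, not the test program from the thread. Shows that $_GET is
// shared across scopes while an ordinary variable is not.

// Constructed input, standing in for ?money=-12abc on the query string.
$_GET['money'] = '-12abc';
$money = '-12abc';            // ordinary global variable for comparison

function cleanGetMoney(): void
{
    // No "global $_GET" needed: superglobals are visible in every scope.
    $_GET['money'] = abs((int) $_GET['money']);
}

function cleanLocalMoney(): void
{
    // This $money is a new local variable; the global $money is untouched.
    $money = abs((int) '-12abc');
}

function cleanGlobalMoney(): void
{
    // Only with an explicit global declaration does the write reach the outer scope.
    global $money;
    $money = abs((int) $money);
}

cleanGetMoney();
cleanLocalMoney();
var_dump($_GET['money']);     // int(12): the change made inside the function persists
var_dump($money);             // string(6) "-12abc": the ordinary variable did not change

cleanGlobalMoney();
var_dump($money);             // int(12): now it changed, because of "global $money"
```

Run it from the command line with `php scope.php`; the first var_dump shows the sanitized integer even though the sanitizing happened inside a function, which is the behaviour Zeggy is describing.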
bluegman991, Posted January 12, 2010
That one works, immortal :) I didn't know we still needed the ['username'] part.
Joshua, Posted January 12, 2010
Don't worry, I overlooked it myself >,<
Zeggy, I am aware what you are saying, and we aren't talking about anyone hacking my site. What I was referring to is I can go to my header and type.... $_POST['withdraw'] == abs(@intval($_POST['withdraw'])); Yet it won't secure every single withdraw on my site, not to the specs in which I wish it to. It "should", but it bugs up at times and there are loopholes. For all other users reading this post, it's much safer to just secure your variables manually rather than define a secure variable then call to it.
Guest Null, Posted January 12, 2010
Wow, this is one of my most famous posts XD! :)
Zero-Affect, Posted January 12, 2010
All very well, but the reason why everyone is still going for mc2 is due to the amount of mods listed. Compared to the 0 listed here for Horizons it just looks more appealing. Horizon Details, not much but still...
"Wow, this is one of my most famous posts XD! :)" Due to your difficulty to secure something which you claimed was secure, yes...
Zeggy - so $_GET and $_POST can be defined at the top of the file, for example:
[code not available in this extract]
$_GET['digits'] still checks if it's numeric, so I don't see an issue with redefining it inside the function.
Immortal - you seem to comment on anything involving security. I have to ask: is it a thirst for knowledge or simply wanting a better post count?
Zeggy, Posted January 12, 2010
No, there's no problem with redefining it, except unnecessary repetition:
[code not available in this extract]
(And depending on how you sanitize the variable, it could change the contents - e.g. addslashes done once in global scope and once in each function could have very annoying consequences.)
Joshua, Posted January 12, 2010
Thirst for knowledge, Zero. Can't be the best until you can do everything :)
bluegman991, Posted January 12, 2010
If you don't feel like typing $_GET['blah']=abs($_GET['blah']); you can just put this in global functions:
[code not available in this extract]
Then wherever you need to cleanse a $_GET just do this:
[code not available in this extract]
Then any time after that when you print or echo $_GET['blah'] it will output the clean version :D
You can also do this for post:
[code not available in this extract]
Zero-Affect, Posted January 13, 2010
"No, there's no problem with redefining it, except unnecessary repetition: [...] (and depending on how you sanitize the variable, it could change the contents - e.g. addslashes done once in global scope and once in each function could have very annoying consequences)"
Ah right, I ain't actually got anything within this size in my game yet, but when I do I'll remember to redefine lol.
"Thirst for knowledge, Zero. Can't be the best until you can do everything :)"
Impossible to know 'Everything', mate.
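bluegman991's cleansing helper is not visible in this extract, and Zeggy's addslashes warning is only stated in prose, so here is an added example of my own covering both (not code from either poster). cleanGet() and its 'int'/'string' type argument are my own naming; the request values are constructed. The second half shows why an escaping function that is not idempotent must run exactly once: addslashes applied in a header and again inside a function doubles the backslashes before the value reaches the database.

```php
<?php
// Added example, not the helper from the thread. Cleans $_GET in place from a
// shared function and shows the double-escaping problem Zeggy describes.

// Clean one request value in place. $type is 'int' or 'string' (my own convention).
function cleanGet(string $key, string $type = 'int'): void
{
    if (!isset($_GET[$key])) {
        // An absent key becomes a safe default instead of an undefined-index notice.
        $_GET[$key] = $type === 'int' ? 0 : '';
        return;
    }
    // $_GET is a superglobal, so this write is visible to everything that follows.
    $_GET[$key] = $type === 'int'
        ? abs((int) $_GET[$key])
        : htmlspecialchars($_GET[$key], ENT_QUOTES, 'UTF-8');  // safe to echo into HTML
}

// Constructed request values, as the web server would have populated them.
$_GET['money'] = '-15';
$_GET['name']  = "O'Brien <b>";

cleanGet('money');
cleanGet('name', 'string');
cleanGet('missing');

var_dump($_GET['money']);     // int(15)
var_dump($_GET['name']);      // string(22) "O&#039;Brien &lt;b&gt;"
var_dump($_GET['missing']);   // int(0)

// Escaping is not idempotent: a second addslashes() escapes the backslash the
// first one added, and the doubled form is what a query would then store.
$once  = addslashes("O'Brien");
$twice = addslashes($once);
var_dump($once);              // string(8) "O\'Brien"
var_dump($twice);             // string(10) "O\\\'Brien"
```

The helper is meant to be called once per key, typically at the top of the page that uses the value; calling it again on the same key is harmless for the 'int' path (abs of an int is stable) but the 'string' path would encode the ampersands it produced the first time, which is the same class of problem as the addslashes case.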