Guest Null Posted January 23, 2010

Ok, so I'll make this short and simple. Hope it helps. Note: I had this in my own little PHP book that I use, made it myself; as for security, I'm just learning it.

abs(intval());
Ok, so basically what this does is: abs checks if the number is a value, not an alphabetical character. intval makes sure the number is a positive number, not a negative. If a $_GET or $_POST variable is meant to be alphanumerical, which means both types, please read ctype_alnum(). Anyway, here's an example:

    $_GET['variable'] = abs(intval($_GET['variable']));

This does all the checks to make sure that the variable is a positive, non-alphabetical number. The same applies to any numerical $_POST.

mysql_real_escape_string();
This helps to stop injecting into forms and URLs, but should only be used on alphabetical $_GET or $_POST variables. If you use it on alphanumerical, it'll mess up the numbers, as well as plain numerical. Anyway, it's a built-in PHP function that helps stop, but cannot prevent, as all security can only be 99.9%. Example:

    $_GET['var'] = mysql_real_escape_string($_GET['var']); // same for $_POST['var']

str_replace();
It's more or less a function that allows you to replace strings, but it can be used as a security measure. I recommend whitelisting over this, as this is more or less a blacklist-type function. Also, htmlspecialchars and htmlentities can probably block the quotes and < > anyway, and because you can't block out / or \, it is mostly for $_POST. I haven't found many $_GETs to use str_replace on, as I use different, more secure methods. Example:

    $_POST['var'] = str_replace(array("<", ">", "META", "meta", "SCRIPT", "script"), array("Ha", "Ha", "Ha", "Ha", "Ha", "Ha"), $_POST['var']);

htmlspecialchars();
This strips single quotes, double quotes, and < > from $_POST or $_GET variables. If you're going to use this, you might as well use htmlentities, which will be after this function, as it covers all HTML, but this is a good thing if you don't want to strip all HTML characters. Example:

    $_GET['var'] = htmlspecialchars($_GET['var']); // strips ' " < > from the variable; same for $_POST['var']

htmlentities();
Strips any and all HTML characters from an alphabetical $_GET or $_POST['var']. Example:

    $_GET['var'] = htmlentities($_GET['var']); // same for $_POST['var']

ctype_digit();
This I do not know much about, but I believe it does the same thing as abs(intval());. Example:

    if (!ctype_digit($_GET['var']) || !abs(intval($_GET['var']))) {
        die("Illegal Action");
    }

If the variable isn't a number, or isn't a positive number, this basically calls a die function. You can use other methods than die if you have your own function for it.

ctype_alnum();
This checks if the variable is an alphabetical or numerical character. If it is an HTML character, it won't let them go through. Basically the same as ctype_digit, without the abs(intval());. No example.

@ operator:
Basically, if you add this in front of a function, it suppresses the error; it doesn't stop it.

sprintf();
More of a format-type function. Can be used on echos, prints, queries, arrays. Basically, here's how it would look in a query:

    $query = mysql_query(sprintf("SELECT `thestuffuwannaselect` FROM `thetable` WHERE `userid`=%u", $userid));
    $fetch = mysql_fetch_assoc($query); // assoc, so $fetch['username'] works
    echo sprintf("Hello, %s", $fetch['username']);

Same for print.

Whitelisting
Example:

    if (!in_array($_GET['var'], array("stuff1", "stuff2", "stuff3", "and it goes on"))) {
        die("Na-uh!");
    }

This basically checks the $_GET or $_POST['var'] of your choice, and if the variable has anything other than what's in the array, it'll call a die function.

Anyway, I hope this was helpful; hope you learn something. If you need any mods, I do them cheap lol. Peace, gotta go eat dinner.
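An added example (not from the post above, and not from any project it describes) that runs the post's str_replace() blacklist, htmlspecialchars(), htmlentities() and in_array() whitelist side by side over constructed attacker inputs. Two points it makes visible: htmlspecialchars()/htmlentities() do not strip anything, they encode the characters so the browser renders them as text, and a blacklist of `<`, `>` and tag names does nothing for a payload that lives inside an existing attribute and contains none of those characters. The `ENT_QUOTES | ENT_HTML5` flags and the UTF-8 charset are this example's choices, not the post's.

```php
<?php
// Added example, not from the original post. Contrasts the thread's
// str_replace() blacklist with htmlspecialchars()/htmlentities() encoding
// and an in_array() whitelist. All inputs below are constructed test cases.

// The blacklist exactly as posted: replaces < > and "script"/"SCRIPT",
// "meta"/"META" with "Ha". str_replace() is case-sensitive.
function blacklist_filter(string $s): string
{
    return str_replace(
        ["<", ">", "META", "meta", "SCRIPT", "script"],
        ["Ha", "Ha", "Ha", "Ha", "Ha", "Ha"],
        $s
    );
}

// htmlspecialchars() does not strip anything: it encodes & < > " (and ' when
// ENT_QUOTES is set) so the browser shows them as text instead of markup.
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// htmlentities() additionally encodes every character that has a named HTML
// entity (é -> &eacute;, © -> &copy;). Harmless, but unnecessary with UTF-8.
function encode_all_entities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Whitelist: the value must be exactly one of the allowed tokens. The third
// argument (strict comparison) avoids loose "0" == "stuff" style matches.
function whitelist(string $value, array $allowed): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed attacker inputs.
$cases = [
    'mixed_case_tag'    => '<ScRiPt>alert(1)</ScRiPt>',
    'no_angle_brackets' => '" onmouseover="alert(1)',    // lands inside an attribute
    'entity_laden'      => 'Tom & Jerry <3 "quotes" \'apostrophes\' é',
];

foreach ($cases as $name => $input) {
    printf("%-18s raw:       %s\n", $name, $input);
    printf("%-18s blacklist: %s\n", '', blacklist_filter($input));
    printf("%-18s encoded:   %s\n", '', encode_for_html($input));
    printf("%-18s entities:  %s\n\n", '', encode_all_entities($input));
}

// Whitelisting a page selector instead of trying to filter it.
$allowed_pages = ['stuff1', 'stuff2', 'stuff3'];
foreach (['stuff2', 'stuff2 OR 1=1', '../etc/passwd'] as $page) {
    $ok = whitelist($page, $allowed_pages);
    printf("page=%-18s -> %s\n", var_export($page, true), $ok === null ? 'rejected' : "accepted ($ok)");
}
```

Run it with `php example.php`. The `no_angle_brackets` case passes the blacklist untouched, while the encoded forms turn its `"` into `&quot;` so it can no longer close the attribute it was injected into; the whitelist loop shows that rejecting anything not in a known-good list sidesteps the whole question of which characters to filter.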
Guest cablebox Posted January 23, 2010

Very nice Null! It is going to be very helpful to some beginners.
Guest Null Posted January 23, 2010

> Very nice Null! It is going to be very helpful to some beginners.

Thanks. Yeah, I'm taking medium-easy free mod requests, but I'm not too good at more advanced things.
Guest cablebox Posted January 23, 2010

Everyone starts off by learning! ;)
Zeggy Posted January 24, 2010

Actually, intval converts the value to a number, and abs converts the number to be positive. mysql_real_escape_string can be used on numbers as well; it does NOT mess up numbers. ctype_digit is just a function to check if all the characters in a variable are digits. This means decimal and negative numbers do not pass the check. The function returns true or false.
Guest Null Posted January 24, 2010

> Actually, intval converts the value to a number, and abs converts the number to be positive. mysql_real_escape_string can be used on numbers as well; it does NOT mess up numbers. ctype_digit is just a function to check if all the characters in a variable are digits. This means decimal and negative numbers do not pass the check. The function returns true or false.

I believe floatval, maybe like ctype_digit(floatval($var)), might help with decimals, but I'm not entirely sure. As I said, I'm still learning. And as for the mres comment, I meant to say htmlentities messed my numbers up once.
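The two posts above disagree about what abs(intval()) and ctype_digit() actually do, and raise decimals. This added example (mine, not from either poster) runs the checks the thread names, plus filter_var() with FILTER_VALIDATE_INT / FILTER_VALIDATE_FLOAT, over a constructed set of inputs so the behaviours can be compared directly. The id_param() helper and the min_range of 1 are this example's choices; the inputs are constructed.

```php
<?php
// Added example, not from the original thread. Runs the integer checks the
// thread discusses (ctype_digit, intval, abs(intval()), filter_var) over
// constructed inputs so the differences are visible side by side.

// Strict check: the raw string must consist solely of ASCII digits.
// ctype_digit() looks at the string character by character, so "-5", "1.5",
// " 7", "12abc", "1e3" and "" all fail; it does not check range.
function is_digit_string(string $s): bool
{
    return $s !== '' && ctype_digit($s);
}

// What the thread's abs(intval($x)) actually does: intval() parses a leading
// integer and discards the rest ("12abc" -> 12, "1.9" -> 1, "abc" -> 0;
// "1e3" -> 1000 on PHP >= 7.1), then abs() flips a negative result positive
// ("-5" -> 5). It coerces; it never rejects.
function coerce_positive_int(string $s): int
{
    return abs(intval($s));
}

// filter_var with FILTER_VALIDATE_INT: null unless the whole string is a
// well-formed decimal integer within PHP_INT range; min_range enforces >= 1.
// Caveat: the filter trims surrounding whitespace, so " 7" is accepted.
function validate_positive_int(string $s): ?int
{
    $v = filter_var($s, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// For the decimals question: FILTER_VALIDATE_FLOAT accepts "1.5" and "1e3"
// and rejects "12abc". Use this only where a decimal is actually meaningful.
function validate_float(string $s): ?float
{
    $v = filter_var($s, FILTER_VALIDATE_FLOAT);
    return $v === false ? null : $v;
}

// Recommended shape for an id parameter: validate, do not coerce. Returns
// null for anything that is not a positive integer so the caller can send a
// 404 instead of silently querying id 0 or id 1.
function id_param(array $request, string $key): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    return validate_positive_int($request[$key]);
}

// Constructed inputs, including ones an attacker would try. The last one is
// all digits (ctype_digit passes) but overflows a 64-bit int.
$inputs = ['42', '-5', '1.5', '1e3', ' 7', '12abc', '0x1A', '', '1 OR 1=1', '9999999999999999999999'];

printf("%-26s %-12s %-20s %-14s %-12s %s\n",
    'input', 'ctype_digit', 'abs(intval())', 'validate_int', 'id_param', 'validate_float');
foreach ($inputs as $in) {
    $int   = validate_positive_int($in);
    $float = validate_float($in);
    printf(
        "%-26s %-12s %-20d %-14s %-12s %s\n",
        var_export($in, true),
        is_digit_string($in) ? 'true' : 'false',
        coerce_positive_int($in),
        $int === null ? 'rejected' : $int,
        id_param(['id' => $in], 'id') ?? 'rejected',
        $float === null ? 'rejected' : $float
    );
}
```

Reading the table: abs(intval()) turns "1 OR 1=1" into 1 and "-5" into 5, so a request for a record the user should not see silently becomes a request for a different record; ctype_digit() rejects those but accepts the overflowing digit string; FILTER_VALIDATE_INT rejects all of them and is the check to reach for when an id is expected.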
reek13 Posted January 24, 2010

Nice work, keep it up.
Guest Null Posted January 24, 2010

Thanks. I might be releasing a free mod tomorrow; it just depends if I can get it done with my knowledge.
KDawg08 Posted January 24, 2010

Thanks, I saved this in WordPad for future reference :)
Guest Null Posted January 24, 2010

That's a good idea. 'Cause this post ain't gonna last forever if people don't start posting lmao.
KDawg08 Posted January 24, 2010

Lol yeah. Plus anything I find useful or that I like, I usually make a WordPad copy of, so I have a folder of saved WordPad documents, separated into folders such as "Game Addons", "Tutorials", "Security", etc.
Guest Null Posted January 24, 2010

Yeah, I have something like that: "Mods", "Security Shit", "XXX", "Family photos", "Stuff".
Shole Posted February 20, 2010

Nice tutorial :D
Magictallguy Posted February 20, 2010

> [...] mysql_real_escape_string can be used on numbers as well; it does NOT mess up numbers. [...]

One question: why would you use mysql_real_escape_string() on a numerical value? It is designed to add backslashes (binary safe) to strings that contain apostrophes and quote marks.

    $_POST['someText'] = mysql_real_escape_string($_POST['someText']);
    mysql_query("INSERT INTO `table` VALUES ('" . $_POST['someText'] . "')") or die(mysql_error());

It has no effect on numbers, and therefore is a waste of space in that use ;)
Zeggy Posted February 21, 2010

> One question: why would you use mysql_real_escape_string() on a numerical value? It is designed to add backslashes (binary safe) to strings that contain apostrophes and quote marks. It has no effect on numbers, and therefore is a waste of space in that use ;)

I never said that it is necessary to use it on numbers. I was just refuting this from the original topic:

> If you use it on alphanumerical, it'll mess up the numbers, as well as plain numerical.
Magictallguy Posted February 21, 2010

Fair enough :)
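The exchange above settles that escaping does not corrupt a number, but leaves the more important point implicit: escaping only protects a value that is going to sit inside quotes. An attacker-supplied "1 OR 1=1" contains nothing that mysql_real_escape_string() would touch, so if the value is interpolated into an unquoted numeric position it arrives intact. This added example (mine, not from the thread) builds the three query shapes the thread mentions and shows what each produces. Because mysql_real_escape_string() needs a live connection (it escapes according to the connection's character set, which is exactly why addslashes() is not a substitute), the escaper here is a stand-in written for the example that mirrors the documented character set it escapes; the prepared-statement function uses mysqli and assumes a `users` table with `userid` and `username` columns, which is an assumption of this example.

```php
<?php
// Added example, not from the original thread. Shows why escaping a numeric
// parameter does not protect an unquoted numeric position in SQL. The
// escaper below is a stand-in written for this example; it mirrors the
// characters mysql_real_escape_string() escapes (NUL, \n, \r, \, ', ", Ctrl-Z)
// so the demo runs without a database. The real function also needs the
// connection charset, which a stand-in cannot reproduce.

function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Escape, then interpolate into an UNQUOTED numeric position: the escaping
// only matters if the payload contains one of the escaped characters.
function query_unquoted(string $userid): string
{
    return "SELECT username FROM users WHERE userid=" . escape_like_mysql($userid);
}

// Escape, then interpolate inside quotes: the quote in the payload is
// neutralised, so the whole input is compared as one string.
function query_quoted(string $userid): string
{
    return "SELECT username FROM users WHERE userid='" . escape_like_mysql($userid) . "'";
}

// sprintf('%u') as used earlier in the thread: the argument is coerced to an
// unsigned integer, so the attacker's text never reaches the SQL at all.
// Note that "1 OR 1=1" becomes 1, i.e. coercion, not rejection; validate
// first if a bad id should be refused rather than mapped to another record.
function query_sprintf(string $userid): string
{
    return sprintf("SELECT username FROM users WHERE userid=%u", $userid);
}

// Preferred: a prepared statement. The value travels separately from the SQL
// text, so no escaping or quoting decision is needed. Assumes a `users`
// table with `userid` and `username` columns (an assumption of this example)
// and a live mysqli connection; it is defined but not called here.
function fetch_username(mysqli $db, int $userid): ?string
{
    $stmt = $db->prepare("SELECT username FROM users WHERE userid=?");
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['username'] ?? null;
}

// Constructed attacker inputs.
$attacks = [
    "1 OR 1=1",       // no quotes at all: escaping changes nothing
    "1' OR '1'='1",   // quote-based payload: escaping neutralises it inside quotes
];

foreach ($attacks as $in) {
    echo "input:    $in\n";
    echo "unquoted: " . query_unquoted($in) . "\n";
    echo "quoted:   " . query_quoted($in) . "\n";
    echo "sprintf:  " . query_sprintf($in) . "\n\n";
}
```

For the first input, `query_unquoted()` emits `... WHERE userid=1 OR 1=1`, a query that returns every row, while `query_quoted()` and `query_sprintf()` do not. So the answer to "why escape a number" is: escaping is the wrong tool for a numeric position; either validate the value as an integer and interpolate the integer, or bind it with a prepared statement, and reserve escaping for string positions that are always quoted.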