MakeWebGames

A small security tutorial, hope its somewhat helpful.


Guest Null


Ok, so I'll make this short and simple. Hope it helps. Note: (I had this in my own little PHP book that I use, made it myself; as for security, I'm just learning it.)

+=====================================================================================================================================================+

abs(intval());

Ok, so basically what this does is: abs checks if the number is a value, not an alphabetical character. Intval makes sure the number is a positive number, not a negative.

If a $_GET or $_POST variable is meant to be alphanumerical, which means both types, please read ctype_alnum(). Anyway, here's an example:

$_GET['variable'] = abs(intval($_GET['variable']));

This does all the checks to make sure that the variable is a positive, non-alphabetical number. The same applies to any numerical POST.


mysql_real_escape_string();

This helps to stop injecting into forms and URLs, but should only be used on alphabetical $_GET or $_POST variables. If you use it on alphanumerical, it'll mess up the numbers, as well as plain numerical. Anyway, it's a built-in PHP function that helps stop, but cannot prevent, as all security can only be 99.9%. Example:

$_GET['var'] = mysql_real_escape_string($_GET['var']); // or the same on $_POST['var']


str_replace();

It's more or less a function that allows you to replace strings, but it can be used as a security measure. I recommend whitelisting over this, as this is more or less a blacklist type function. Also, htmlspecialchars and htmlentities can probably block the quotes and < > anyway, and because you can't block out / or \, it is mostly for $_POST. I haven't found many $_GETs to use str_replace on, as I use different, more secure methods. Example:

$_POST['var'] = str_replace(array("<", ">", "META", "meta", "SCRIPT", "script"), array("Ha", "Ha", "Ha", "Ha", "Ha", "Ha"), $_POST['var']);


htmlspecialchars();

This strips single quotes, double quotes, and < > from $_POST or $_GET variables. If you're going to use this, you might as well use htmlentities, which will be after this function, as it covers all HTML; but this is a good thing if you don't want to strip all HTML characters. Example:

$_GET['var'] = htmlspecialchars($_GET['var']); // same for $_POST['var']

Strips ' " < > from the variable.


htmlentities();

Strips any and all HTML characters from an alphabetical $_GET or $_POST['var']. Example:

$_GET['var'] = htmlentities($_GET['var']); // same for $_POST['var']


ctype_digit();

This, I do not know much about. But I believe it does the same thing as abs(intval());. Example:

// Reject the request if the value is not all digits or converts to zero (same for $_POST['var'])
if (!ctype_digit($_GET['var']) || !abs(intval($_GET['var']))) {
    die("Illegal Action");
}

If the variable isn't a number, or isn't a positive number, this basically calls a die function. You can use other methods than die, if you have your own function for it.


ctype_alnum();

This checks if the variable is an alphabetical or numerical character. If it is an HTML character, it won't let them go through. Basically the same as ctype_digit, without the abs(intval());.

No example.


@ operator: Basically, if you add this in front of a function, it suppresses the error; it doesn't stop it.


sprintf();

More of a format-type function. Can be used on echos, prints, queries, arrays. Basically, here's how it would look in a query:

$query = mysql_query(sprintf("SELECT `thestuffuwannaselect` FROM `thetable` WHERE `userid`=%u", $userid));

$fetch = mysql_fetch_assoc($query); // assoc so the row can be read by column name below

echo sprintf("Hello, %s", $fetch['username']);

Same for print.


Whitelisting Example:

// Only values listed in the array are accepted (same for $_POST['var'])
if (!in_array($_GET['var'], array("stuff1", "stuff2", "stuff3", "and it goes on"))) {
    die("Na-uh!");
}

This basically checks the $_GET or $_POST['var'] of your choice, and if the variable is anything other than what's in the array, it'll call a die function.


Anyways, I hope this was helpful; hope you learn something. If you need any mods, I do them cheap lol. Peace, gotta go eat dinner.


Very nice Null! It is going to be very helpful to some beginners.

Thanks. Yeah, I'm taking medium-easy free mod requests, but I'm not too good at more advanced things.


Actually, int converts the value to a number, and abs converts the number to be positive.

mysql_real_escape_string can be used on numbers as well, it does NOT mess up numbers.

ctype_digit is just a function to check if all the characters in a variable are digits. This means decimal and negative numbers do not pass the check. The function returns true or false.


I believe floatval, maybe like ctype_digit(floatval(var));, might help with decimals, but I'm not entirely sure. As I said, I'm still learning. And as for the mres comment, I meant to say htmlentities messed my numbers up once.

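As an added example (my own code, not from Null's tutorial or the replies), this PHP script runs the numeric, whitelist and HTML-escaping checks discussed in the thread over a constructed set of sample values, so the difference between abs(intval()) and ctype_digit() described in the replies is visible in one table. The function names, the whitelist entries and the sample strings are assumptions of the example.

```php
<?php
// Added example, not from the original post: runs the checks discussed in
// the thread over constructed sample values. Function names are my own.

// abs(intval()): intval() turns the string into an integer (text becomes 0,
// "12abc" becomes 12), then abs() drops the sign. It never rejects input.
function toPositiveInt(string $raw): int
{
    return abs(intval($raw));
}

// ctype_digit(): true only if every character is 0-9, so "-42", "3.5", ""
// and "12abc" all fail. Pass a string: ctype_digit(42) is not the same check.
function isDigitString(string $raw): bool
{
    return $raw !== '' && ctype_digit($raw);
}

// The whitelist idea from the post, with strict comparison so PHP's loose
// string/number comparison cannot match an unexpected value.
function isAllowedAction(string $raw): bool
{
    $allowed = ['stuff1', 'stuff2', 'stuff3']; // assumed whitelist entries
    return in_array($raw, $allowed, true);
}

// htmlspecialchars() leaves single quotes alone unless ENT_QUOTES is given.
function escapeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values standing in for $_GET['var'] / $_POST['var'].
$samples = ['42', '-42', '3.5', '12abc', 'stuff1', '', "<b onclick='x'>hi</b>"];

printf("%-24s %-12s %-12s %-10s %s\n",
    'input', 'abs(intval)', 'ctype_digit', 'whitelist', 'htmlspecialchars');
foreach ($samples as $s) {
    printf("%-24s %-12d %-12s %-10s %s\n",
        var_export($s, true),
        toPositiveInt($s),
        isDigitString($s) ? 'true' : 'false',
        isAllowedAction($s) ? 'true' : 'false',
        escapeForHtml($s));
}
```

Run it with the PHP CLI; the "-42" and "3.5" rows show why the replies say abs(intval()) converts while ctype_digit() rejects.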

[...]

mysql_real_escape_string can be used on numbers as well, it does NOT mess up numbers.

[...]

One question: why would you use mysql_real_escape_string() on a numerical value?

It is designed to add backslashes (binary safe) to strings that contain apostrophes and quote marks.


$_POST['someText'] = mysql_real_escape_string($_POST['someText']);
mysql_query("INSERT INTO `table` VALUES ('".$_POST['someText']."')") or die(mysql_error());


It has no effect on numbers, and therefore is a waste of space in that use ;)



I never said that it is necessary to use it on numbers.

I was just refuting this from the original topic:

If you use it on alphanumerical, it'll mess up the numbers, as well as plain numerical.