Ishraq Posted June 10, 2010
Open header.php, find <?php and add under it:

    include("zed.php");

then create a file called zed.php and add:

    <?php
    //Supplied By Ishz
    //StockIt
    //PassItOn
    //Learn&DontAlwaysDepend

    // Check $_POST Number: digits only (the D modifier also rejects a trailing newline)
    function SecureNumPost($key)
    {
        if (isset($_POST[$key]) && is_string($_POST[$key]) && preg_match('/^\d+$/D', $_POST[$key])) {
            return intval($_POST[$key]);
        }
        SecureError($key);
    }

    // Check $_GET Number
    function SecureNumGet($key)
    {
        if (isset($_GET[$key]) && is_string($_GET[$key]) && preg_match('/^\d+$/D', $_GET[$key])) {
            return intval($_GET[$key]);
        }
        SecureError($key);
    }

    // Magic quotes were removed in PHP 5.4; treat them as off when the function no longer exists
    function MagicQuotesOn()
    {
        return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }

    // Check $_POST Text: only undoes magic-quotes slashes, it does not escape anything
    function SecureTextPost($key)
    {
        if (isset($_POST[$key]) && is_string($_POST[$key])) {
            return MagicQuotesOn() ? stripslashes($_POST[$key]) : $_POST[$key];
        }
        SecureError($key);
    }

    // Check $_GET Text
    function SecureTextGet($key)
    {
        if (isset($_GET[$key]) && is_string($_GET[$key])) {
            return MagicQuotesOn() ? stripslashes($_GET[$key]) : $_GET[$key];
        }
        SecureError($key);
    }

    // Deal with errors from security checks (takes the key, since the value may not exist)
    function SecureError($key)
    {
        die("You have tried passing invalid information through our system.");
    }
    ?>
corruptcity || skalman Posted June 10, 2010
This might sound silly, but why not just put the funcs in global_funcs?
iSOS Posted June 10, 2010
That fails so bad.

    function SecureTextPost($key) {
        if(isset($_POST[$key]) && is_string($_POST[$key])) {
            if(get_magic_quotes_gpc()) {
                $value = stripslashes($_POST[$key]);
            } else {
                $value = $_POST[$key];
            }
            return $value;
        } else {
            SecureError($_POST[$key]);
        }
    }

    //Check $_GET Text
    function SecureTextGet($key) {
        if(isset($_GET[$key]) && is_string($_GET[$key])) {
            if(get_magic_quotes_gpc()) {
                $value = stripslashes($_GET[$key]);
            } else {
                $value = $_GET[$key];
            }
            return $value;
        } else {
            SecureError($_GET[$key]);
        }
    }

All you're doing is stripping slashes if magic_quotes is turned on; where is the "security"? The "integer" functions are a little better though, but I do believe I've seen them round here before.
Nicholas Posted June 10, 2010
These addons for header.php, globals.php or wherever, they don't even work, do they? I heard they do more damage to games with them on, lol. Or have I heard wrong?
Djkanna Posted June 10, 2010
Um, false sense of security much?
Zero-Affect Posted June 10, 2010

    if(get_magic_quotes_gpc()) {
        $value = stripslashes($_GET[$key]);
    } else {
        $value = $_GET[$key];
    }

Isn't something like that already on MC somewhere? I remember looking at it once and thinking... wtf...
Joshua Posted June 10, 2010
rofl, yet another false hope for mccoders. Crime, something very similar to this is actually in globals.php, I believe, right under <?php. I don't get why people insist on creating quick header inserts, or even a new file, to secure their entire game. Secure your code properly and don't worry about it.
Zero-Affect Posted June 11, 2010
To be honest I only just looked up magic quotes and it seems like a stupid solution (like haunted dawg's header code) to multiple security issues.
Nicholas Posted June 11, 2010
If you're trying to figure out what is similar to this, it's on the cronwerks forum. Someone brought up a script that you add onto something like globals.php and apparently it will secure all your GET and POST in the game, but it doesn't really secure them, I don't think; it just causes errors and glitches on the game, for example on profile signatures...
Joshua Posted June 11, 2010

    <?php
    session_start();
    ob_start();
    if(get_magic_quotes_gpc() == 0) {
        foreach($_POST as $k => $v) {
            $_POST[$k]=addslashes($v);
        }
        foreach($_GET as $k => $v) {
            $_GET[$k]=addslashes($v);
        }
    }

The first lines if you open up globals.php ^_-
AlabamaHit Posted June 11, 2010
I've never seen that in a globals.php
Joshua Posted June 11, 2010
Odd... I've never NOT seen that in globals :P
AlabamaHit Posted June 11, 2010
lol :D
Guest Posted June 11, 2010
Looks like you're all wrong here except him. If you're escaping data going into the database and have magic quotes on, you DO need to stripslashes before escaping, otherwise it's a false sense of security. This is why all of you HAVE to stripslashes on output; you wouldn't need to if you did it right. ;) - Every mod/code I have seen on here that stripslashes = failure.
Spudinski Posted June 12, 2010
There are multiple reasons why magic quotes will be removed in PHP6. I wouldn't suggest using addslashes(), or anything that just adds string formatting rules. There will still be a risk that some characters will not be escaped by this function. I'd rather suggest creating your own function that will find illegal characters and either replace them or handle the request accordingly.
Danny696 Posted June 12, 2010
Mres is better than addslashes, I think, because it does escape other chars.
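To make the escaping argument of the last few posts concrete, here is an added example (not code from the thread or from MCCodes) that traces one submitted value through the globals.php addslashes() loop Joshua quoted and then through a second escape at the query, which is the doubled-backslash outcome Guest describes. It assumes stripslashes() as a stand-in for MySQL undoing the escape sequences when it stores the value, and uses addslashes() in place of mysql_real_escape_string() because no database connection is involved.

```php
<?php
// Added example: why "slash on the way in" plus "escape at the query" doubles
// the backslashes, and why undoing the global slashes once fixes it.
// Constructed sample of what the browser submitted.
$raw = "O'Reilly";

// The globals.php loop: slashes are added once on the way in. get_magic_quotes_gpc()
// is gone in PHP 8, so treat magic quotes as "off" when the function does not exist.
$magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$_POST = ['username' => $magicOn ? $raw : addslashes($raw)];   // O\'Reilly either way

// Stand-in for mysql_real_escape_string() on a live connection (assumption).
function escape_for_query(string $v): string
{
    return addslashes($v);
}

// Path 1: a script that "secures itself manually" escapes the already-slashed value again.
$doubled = escape_for_query($_POST['username']);   // O\\\'Reilly
$stored1 = stripslashes($doubled);                 // what MySQL keeps: O\'Reilly

// Path 2: undo the global slashes exactly once, then escape once at the DB boundary.
function input_text(string $key): string
{
    // Either magic quotes or the globals.php loop has slashed it once; reverse that.
    return stripslashes($_POST[$key] ?? '');
}
$once    = escape_for_query(input_text('username'));   // O\'Reilly
$stored2 = stripslashes($once);                        // what MySQL keeps: O'Reilly

assert($stored1 === "O\\'Reilly");   // the stray backslash everyone strips "on output"
assert($stored2 === "O'Reilly");     // the value as the user typed it
echo "double escape stores: $stored1\nsingle escape stores: $stored2\n";
```

With PDO prepared statements the value is never escaped by hand at all, which removes the question of how many times slashes were added.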
rulerofzu Posted June 12, 2010
I'd suggest http://www.w3schools.com/PHP/filter_sanitize_string.asp

    $var = filter_var($var, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
    return $var;

used in a private static function.
DougK Posted June 17, 2010
I REALLY don't like the idea of pushing every bit of input you get through a filter and thinking it is good enough. First of all, there may be some cases where you want to be able to use certain characters that would be escaped otherwise. Second, this wouldn't prevent some of the other exploits that are out there. Third, this doesn't in any way verify the input. It is MUCH better, IMO, to check each input as you get it and to sanitize it as needed on an individual basis.

Consider the following.... You are using this script to "secure" your site. You don't verify the inputs for preferences.php because you think this "magic script" handles all of that for you and your game is now secure. A malicious user changes their display pic to http://www.yoursite.com/logout.php Now anyone looking at this user's profile is logged out of your game. This script wouldn't prevent that.

Likewise, if you had a script that used a posted variable that expects an integer, if you don't verify that the integer entered is valid, you can run into problems. Consider the following..... attack.php sends the weapon you will use (using the item id) in a post variable. You have a super-weapon that is item id 99. A malicious user with no weapons intercepts the post data before it is sent to the server and changes this weapon variable to 99. You don't check the input because you assume this magic script is keeping everything safe. Now this user is attacking with a weapon they don't actually own.

In the former case, I would at the very least make sure that the input matched a regular expression that ensured that the value was an acceptable image file, and not a script with a query string ending in what looks like an image filename.
(http://www.imageshack.us/blahblah/blah.jpg would be OK, but http://www.imageshack.us/blahblahblah/maliciousscript.php?fakeval=blah.jpg would fail)
In the latter, I would verify that the user does have the item in question before continuing, and punish anyone that doesn't have the item.
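The two per-input checks DougK describes, written out as an added example (not code from the post or from MCCodes). The function names, the inventory array standing in for a query of the user's inventory table, and the sample values are assumptions; the weapon id check uses FILTER_VALIDATE_INT rather than the FILTER_SANITIZE_STRING filter rulerofzu linked, since the point here is validation rather than sanitising.

```php
<?php
// Added example: validate each input for what it is, instead of trusting a global include.

// Display pic: plain http(s) URL, path ending in an image extension, no query string or
// fragment, so ".../maliciousscript.php?fakeval=blah.jpg" and ".../logout.php" are rejected.
function valid_display_pic(string $url): bool
{
    if (strlen($url) > 255) {
        return false;
    }
    $re = '#^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9_.\-]+)*/[A-Za-z0-9_\-]+\.(?:jpe?g|png|gif)$#iD';
    return preg_match($re, $url) === 1;
}

// Weapon id: must be a positive integer. FILTER_VALIDATE_INT rejects "99abc", "9.9" and "".
function weapon_id_from_post(array $post): ?int
{
    $id = filter_var($post['weapon'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Ownership: the id must appear in what the server says the user holds (hypothetical
// $inventory array in place of a query of the user's inventory table).
function owns_item(array $inventory, int $itemId): bool
{
    return in_array($itemId, $inventory, true);
}

// Constructed samples matching the post.
$good = 'http://www.imageshack.us/blahblah/blah.jpg';
$bad1 = 'http://www.imageshack.us/blahblahblah/maliciousscript.php?fakeval=blah.jpg';
$bad2 = 'http://www.yoursite.com/logout.php';
assert(valid_display_pic($good));
assert(!valid_display_pic($bad1));
assert(!valid_display_pic($bad2));

$inventory = [3, 17];                                   // this user owns no super-weapon (id 99)
$posted    = weapon_id_from_post(['weapon' => '99']);   // well-formed integer, but not theirs
assert($posted === 99);
if ($posted === null || !owns_item($inventory, $posted)) {
    // Refuse the attack and log it rather than using an item the user never had.
    echo "rejected weapon " . var_export($posted, true) . "\n";
}
```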
KDawg08 Posted June 17, 2010
Question... What EXACTLY does this do? It just says "NEW SECURING ADDON", but what is it securing? How is it securing anything? etc.
Joshua Posted June 17, 2010
Basically it is "so called" securing all $_GET and $_POST variables to a mediocre degree. The problem I've seen with this is that a lot of scripts now secure their scripts manually. And, "correct me if I'm wrong", I believe if it is done this way in header or globals or w/e file they choose, then you have another variable in a separate script secured the same way... they cancel each other out, no? Not to mention it won't stop "all" hacks, and some $_GET and $_POST variables should be secured according to what they do. I.e. if you htmlentities your user name and you aren't using span class ("which default mccodes isn't"), you won't have font coloured names, you'll have the html code printed out on the screen. However some input is better to have entities or special characters. Just an example, anywho ^

Ignore the O.P. Best advice: secure scripts as they are written and don't rely on a quick one-fix "global" script to secure your entire site; it doesn't exist.
rulerofzu Posted June 17, 2010
You are correct, there are some things that you would treat differently. Securing functions, unset, then perhaps a fallback for lesser PHP versions (or just tell them to upgrade). It won't do the work itself; you're still going to need to apply it to the code where required. Putting it in a single file or a class means you can see what functions you have and then call them where required. Coding-wise it's easier to input the function name than type out the whole function again and again. Depends on the style of the coder.
Jordan Palmer Posted June 17, 2010
I don't see the point in taking this shortcut, especially with MCCodes. I'd much rather go through all the pages bringing the code up to date and using my own functions to secure each and every page. Good attempt, but I'd much prefer to go through it all manually.
BludClart Posted June 17, 2010
You can't just secure everything through includes. Go round your whole site and just secure EVERY little thing; there are always ways of getting round these includes! Better still, just don't use mccodes lol. Rebuild your own engine. I have, and believe me, I feel like I couldn't have done anything better. I secured it as I went along and now I know that it's pretty much fully secure to my ability!
Jordan Palmer Posted June 17, 2010
Is it me or did you double post? lol
BludClart Posted June 17, 2010
"Is it me or did you double post? lol"
Haha, I think I did :S Must have been because my internet was all messed up :P