Macintrash Posted July 23, 2010

Now, I looked here in the forums, and there is a LOT of talk about security. Why not make an official "master cleaner" function that could solve these once and for all? I could do it myself, but I want to be sure I got everything right. I have my own game and I write private mods for myself constantly; I'm a whiz with mccodes, but new PHP functions usually aren't in my familiarity zone.

So, what I would imagine: of course you have your basic POST or GET data, the function would be easily added to pages, and it has to do everything in one! For your data, you would have something like:

    $_POST['data'];

Right? Yes. So what would simplify adding security would be to put the variable into a "Master Secure" function of sorts, something like:

    MasterSecure($_POST['data']);

instead of

    $_POST['data'];

(replace it completely, with it inside of MasterSecure).

Now we are getting somewhere! But you may think, how will you make it work for strings, integers and such properly? Well, that's where PHP coding comes in :)

You would first write your function, of course. It would have to be in header.php or your global data; I would recommend globals because it can be included in login.php/register.php without issues. SO, what we need to do is make the variable you added carry into the function:

    function MasterSecure($var_to_be_cleaned) {
    }

So there, now every time you call the function, it will carry your $post or $get INTO IT for cleaning. So now that it's going in, how do we know what to clean it with if we don't know what data type it is? Well, that's where the BRAIN FART comes in; I'm not much with those PHP functions off the top of my head, but I know someone is. I could look them up right now but don't know what they're called! But don't worry, PHP is powerful, I know it can be done, and I know it's something simple. So now your function receives your POST/GET, and checks what data type it is.
Now comes the part where you add the IF statements.

    function MasterSecure($var_to_be_cleaned) {
        /* Here you check for the datatype so you can decide which if statement to put it through. */
        // Use string cleaners, such as strip_tags.
        if (data type is string) {
            $var_to_be_cleaned = strip_tags('$var_to_be_cleaned'); // I believe it should have the '' around it.
            print $var_to_be_cleaned;
        } else if (data type is integer) {
            $var_to_be_cleaned = abs($var_to_be_cleaned);
            print $var_to_be_cleaned;
        }
        /* Your variable is then spit back out of the function and into your script, cleaned and ready to go! */
    }

So there we have it, a hopefully working master securer, working for all versions of mccodes.

BELOW: I will be keeping track of the actual function in a script box and will be adding/modifying it as I get new posts.

    function msecure($var) {
        if (is_int($var)) {
            print abs(intval($var));
        } else if (is_string($var)) {
            print mysql_real_escape_string($var);
        } else {
            print "Warning - Invalid Data";
        }
    }
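Added example, not code from the thread or from mccodes. It shows why the data-type dispatch in the post above cannot work: every value in $_GET, $_POST and $_COOKIE arrives as a string, so the is_int() branch is never taken, and mysql_real_escape_string() only helps inside a quoted MySQL string literal. Since that function is gone in PHP 7 and needs a live connection, a stand-in (mres_stub, an assumption) escapes the same characters; the $post array is a constructed request, not real traffic.

```php
<?php
// Added example (not code from the thread). Every request value is a
// string, so a "master secure" function that dispatches on data type
// always lands in the string branch, and that branch only serves one
// context: a quoted MySQL string literal.

// Stand-in for mysql_real_escape_string(), which is gone in PHP 7 and needs
// a connection anyway. Assumption: it escapes the same seven characters.
function mres_stub(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'"  => "\\'", '"'  => '\\"', "\x1a" => '\\Z',
    ]);
}

// The thread's msecure(), with return instead of print.
function msecure($var)
{
    if (is_int($var)) {
        return abs(intval($var));
    } elseif (is_string($var)) {
        return mres_stub($var);
    }
    return false;
}

// Constructed request, shaped the way PHP fills $_POST from a form.
$post = [
    'id'      => '7',                         // what the page expects
    'id_bad'  => '7 OR 1=1',                  // no quotes, nothing to escape
    'comment' => '<script>alert(1)</script>', // no quotes either
];

foreach ($post as $key => $value) {
    // All three values are strings, so is_int() is false for each one and
    // the abs(intval()) branch is dead code.
    printf("%-8s is_int=%-5s msecure=%s\n",
        $key, var_export(is_int($value), true), msecure($value));
}

// The two places a game page actually puts the value. Neither input contains
// a character the escaper touches, so the "secured" string equals the raw one
// and both the injection and the script tag survive.
$sql  = 'SELECT * FROM users WHERE userid=' . msecure($post['id_bad']);
$html = '<p>' . msecure($post['comment']) . '</p>';
echo $sql, "\n", $html, "\n";

// What each context needs instead: one check per context, not one function.
$id   = filter_var($post['id'], FILTER_VALIDATE_INT);            // numeric SQL context
$safe = htmlspecialchars($post['comment'], ENT_QUOTES, 'UTF-8'); // HTML output context
echo 'SELECT * FROM users WHERE userid=', $id, "\n", '<p>', $safe, "</p>\n";
```

Run it with `php master_secure.php`. The point a practitioner takes from it is that the cleaner must be chosen by where the value is going (numeric SQL, quoted SQL, HTML), not by what PHP thinks the value is, because PHP thinks every request value is a string.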
Danny696 Posted July 23, 2010

    function msecure($var) {
        die('this wont work. secure the whole site.');
    }

OR use this:

    function msecure($var) {
        if (is_int($var)) {
            return abs(intval($var));
        } else if (is_string($var)) {
            return mysql_real_escape_string($var);
        } else {
            return false;
        }
    }
Macintrash Posted July 23, 2010 (Author)

> die('this wont work. secure the whole site.');

Explain to me why it won't? This IS securing the whole site, isn't it? I'm saying go through EVERY script, and add this function around EVERY SINGLE post/get. So really it's the same thing as adding abs/strip_tags to each one individually, except the function will do it for you. BTW, thanks for the is_int! :D
Dominion Posted July 24, 2010

That will not protect you from XSS attacks. One master function will not always work; however, using, say, 5 to secure your site may, if done right.
Equinox Posted July 24, 2010

Lol, this won't secure your site.
Dominion Posted July 24, 2010

He means one function that does mres and abs(intval etc. if it's a number. Like I said, it won't really work in one (or it's not the best idea anyway), but 5 or 6 that help secure input and output could work. Most people are still using magictallguy's clean and format functions.
Macintrash Posted July 25, 2010 (Author)

I'm just saying! Using this on your variables instead of figuring out what cleaners to add to them will save a lot of work. Isn't this what you're supposed to use to secure a site? I thought stripping tags and such was the best way to secure it, so why not let a function do it for you?
Dominion Posted July 25, 2010

No, it's not what you use to secure a whole site; in fact it's not even near the level you would need. As I said, 5+ functions could help, but one function will not. The one you posted is for strings and numbers (mres and abs used), so I want to use HTML on your site; what's stopping me?
Danny696 Posted July 25, 2010

Two things about this piece of code:

    function msecure($var) {
        if (is_int($var)) {
            print abs(intval($var));
        } else if (is_string($var)) {
            print mysql_real_escape_string($var);
        } else {
            print "Warning - Invalid Data";
        }
    }

Apart from the fact it won't secure everything, 1) you need to look at functions: use return instead of print; 2) use echo instead of print because it's faster :)
Karlos94 Posted June 17, 2011

@Macintrash: I shall put this as simply as I can: using one function for all scenarios will not work; you need to filter/sanitize the information differently most of the time.

@Danny696: The only piece of advice I see you give is mainly "use echo instead of print", and it doesn't matter. The speed difference is UNNOTICEABLE.
bluegman991 Posted June 17, 2011

Just had to bump a year-old thread to say that :p
galdikas Posted June 17, 2011

filter_var($_POST['whatever'], FILTER_VALIDATE_INT) for integers; 99% of my variables that interact with the DB are integers. And when it comes to strings, there are a few functions that I use lol.

Using a couple of different functions is maybe a bit more difficult, but I would say a lot more reliable. Because that master function can only determine what type of data is passed, but it will never be able to determine what type of data you EXPECT to be passed. While using filter_var($_POST['whatever'], FILTER_VALIDATE_INT) you tell the script what type of data you need.
Danny696 Posted June 17, 2011

> @Danny696: The only piece of advice I see you give is mainly "use echo instead of print", and it doesn't matter. The speed difference is UNNOTICEABLE.

Yeah, I realise that now; it was a 'phase' where I honestly believed it mattered. :P

> Just had to bump a year-old thread to say that :p

Totally un-needed post...

> filter_var($_POST['whatever'], FILTER_VALIDATE_INT) for integers; 99% of my variables that interact with the DB are integers.

Where did that fact come from? It's not; about 70-75% of them are. Also, why are you just validating the int, and not actually sanitizing it? Or did you just see others doing that?
galdikas Posted June 17, 2011 (edited)

Have you seen my code to say that? :P Well, anyway, I may have exaggerated 99%.

Sanitize an integer??? I was never aware of integer injection lol. No, really, I understand why you would need to sanitize a string, but what harm could an integer do???

Edited June 17, 2011 by galdikas
rulerofzu Posted June 17, 2011

The difference is as so... For example, if your player was trying to sell 100 rotten eggs. They input 100, but their fat fingers type in 100w. If you just validate, it will simply error. If you sanitize first and then validate, it will remove the user error (w) and process the 100.
galdikas Posted June 17, 2011

filter_var($var, FILTER_VALIDATE_INT) will not let anything through unless it is an integer. It would not validate 100w... it would not even let through 10 0 (with spaces in it, or before or after it). Basically, if it is anything other than an integer, it will not set that variable :)
Danny696 Posted June 17, 2011

Yes, I know exactly what it does, but I'm asking why not just sanitize it, instead of just validating it and doing nothing, which most people on here do. For example:

    $userid = filter_var($_POST['userid'], FILTER_VALIDATE_INT);

and then they don't check if it actually validated or not.
rulerofzu Posted June 18, 2011

> filter_var($var, FILTER_VALIDATE_INT) will not let anything through unless it is an integer. It would not validate 100w... it would not even let through 10 0 (with spaces in it, or before or after it). Basically, if it is anything other than an integer, it will not set that variable :)

Did you read what I posted? If you sanitize first, then it would remove the w, thus proceeding to the validate. It's called making your code more user friendly. If they happen to make a slight mistake, the code accounts for it. I'd rather help my players than just give them an error message.
Karlos94 Posted June 18, 2011 (edited)

    $int = '100w';
    $int += 0;
    echo $int;          // 100
    echo gettype($int); // integer

Something I've picked up from a_bertrand.

Edited June 18, 2011 by Karlos94
galdikas Posted June 18, 2011

> Did you read what I posted? If you sanitize first, then it would remove the w, thus proceeding to the validate. It's called making your code more user friendly. If they happen to make a slight mistake, the code accounts for it. I'd rather help my players than just give them an error message.

I thought we were talking about security :) If the input actually gets typed in by the user, then I sanitize as well. But if the input gets generated by the code, yet can easily be tampered with by users ($_GET parameter in the URL, or hidden input in a form via POST), I never sanitize. But in, let's say, the gym, where the user actually is required to type stuff in, then I do sanitize :)
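Added example, not code from the thread or from mccodes, pulling together the last few posts: galdikas's point that you validate what you EXPECT, rulerofzu's sanitize-then-validate for typed fields, Danny696's complaint that nobody checks the result of filter_var, and Karlos94's `+= 0` trick. The function names (expect_int, read_typed_int) are hypothetical, the $cases array is constructed input, and the caveat worth seeing is that FILTER_SANITIZE_NUMBER_INT keeps only digits, plus and minus, so it turns '1e3' into 13 and '7 OR 1=1' into 711: forgiving cleanup belongs only on fields a player types by hand, and range checking stays on either path. (On PHP 8 the `'100w' + 0` trick still yields 100 but emits a warning, and a string with no leading digits throws a TypeError, which is another reason to go through filter_var.)

```php
<?php
// Added example, not code from the thread. Validate by expectation: the page
// knows an id must be a positive integer and says so, instead of asking what
// type the value happens to be. Function names are hypothetical, not mccodes.

/**
 * Strict path for values the code generated itself (ids in URLs, hidden
 * fields): anything that is not exactly an integer in range is rejected.
 * Returns null on failure so the caller has to decide what to do with it.
 */
function expect_int(?string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if ($raw === null) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

/**
 * Forgiving path for values a player types by hand (a quantity to sell):
 * drop stray characters first, then validate exactly as above. The cost:
 * FILTER_SANITIZE_NUMBER_INT keeps only digits, + and -, so '1e3' becomes
 * 13 and '7 OR 1=1' becomes 711. That is why it is not the default path.
 */
function read_typed_int(?string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if ($raw === null) {
        return null;
    }
    return expect_int(filter_var($raw, FILTER_SANITIZE_NUMBER_INT), $min, $max);
}

// Constructed inputs: honest, fat-fingered, and hostile.
$cases = ['100', '100w', '10 0', '1e3', '-5', '7 OR 1=1', '', null];

foreach ($cases as $raw) {
    printf("%-12s strict=%-5s typed=%s\n",
        var_export($raw, true),
        var_export(expect_int($raw), true),
        var_export(read_typed_int($raw), true));
}

// Acting on the result, which is the step that usually gets skipped: never
// let a false/null id fall through into a query. (A userid[]=1 array value
// fails the ?string parameter type with a TypeError, which is also a stop.)
$userid = expect_int($_GET['userid'] ?? null);
if ($userid === null) {
    echo "Invalid user id\n";   // in a page: print the error and stop here
} else {
    echo "Loading user {$userid}\n";
}
```

The table it prints is the whole argument: the strict column accepts only '100', the typed column also accepts '100w' and '10 0', and the hostile rows show what each path does with input that was never a number.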
a_bertrand Posted June 18, 2011

Just as info, hidden inputs via POST are as insecure as $_GET parameters. So are cookies as well. So basically whatever comes from the browser MUST be checked.

Also, security is not limited to SQL injections or XSS hacks; you may also simply have users who try to access areas they should not (like reading messages of somebody else) or do bad actions. So you really have to check on each page, and it depends on the page itself. A "catch all" is ok for XSS / SQL injections but not for the others.
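Added example, not code from the thread or from mccodes, for a_bertrand's last point: an id that passes every input check, in a parameterised query, still lets one player read another's messages unless the page also asks who the message belongs to. It assumes an in-memory SQLite database (needs the pdo_sqlite extension) and a hypothetical `mail` table with constructed rows; neither is the mccodes schema. The ownership test is written into the query itself (`AND to_user = ?`), so a wrong viewer gets the same "not found" as a wrong id.

```php
<?php
// Added example, not code from the thread. Input validation, a prepared
// statement, and an ownership check are three separate things; a page
// that reads private messages needs all three. Assumptions: SQLite in
// memory and a hypothetical `mail` table, neither from mccodes.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mail (id INTEGER PRIMARY KEY, to_user INTEGER, body TEXT)');
    // Constructed rows: message 1 is for user 1, message 2 for user 2.
    $db->exec("INSERT INTO mail VALUES (1, 1, 'secret for user 1'), (2, 2, '<b>hi</b> user 2')");
    return $db;
}

/**
 * Returns the message body, or null if it does not exist OR is not
 * addressed to $viewer. Both failures look the same to the caller on purpose.
 */
function read_mail(PDO $db, int $viewer, ?string $rawId): ?string
{
    $id = filter_var($rawId ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                    // input check: not an id at all
    }
    $stmt = $db->prepare('SELECT body FROM mail WHERE id = ? AND to_user = ?');
    $stmt->execute([$id, $viewer]);     // ownership check lives in the query itself
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$db = open_db();

// Four requests: the owner, another user trying the same id, that user's
// own message, and an injection attempt that never reaches the database.
foreach ([[1, '1'], [2, '1'], [2, '2'], [2, '1 OR 1=1']] as [$viewer, $rawId]) {
    $body = read_mail($db, $viewer, $rawId);
    $out  = $body === null
        ? 'denied / not found'
        : htmlspecialchars($body, ENT_QUOTES, 'UTF-8');   // HTML output context
    printf("viewer=%d id=%-12s -> %s\n", $viewer, var_export($rawId, true), $out);
}
```

The design choice to note is that the viewer id comes from the session (here, the loop variable), never from the request, and that the query filters by it rather than fetching the row first and comparing afterwards: there is no window in which the wrong user's data is in hand.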