MakeWebGames

function MasterSecure;


Macintrash


Now I looked here in the forums, and there is a LOT of talk about security. Why not make an official "master cleaner" function that could solve these once and for all? I could do it myself, but I want to be sure I got everything right. I have my own game and I write private mods for myself constantly; I'm a whiz with mccodes, but new PHP functions usually aren't in my familiarity zone.

So, what I would imagine: of course you have your basic POST or GET data, the function would be easily added to pages, and it has to do everything in one! For your data, you would have something like:

 

$_POST['data'];

 

Right? Yes.

So what would simplify adding security would be to put the variable into a "Master Secure" function of sorts, something like:

 

MasterSecure($_POST['data']);

 

instead of

 

$_POST['data'];

(replace it completely with the call to MasterSecure)

Now we are getting somewhere!

But you may think, how will you make it work for strings, integers and such properly? Well, that's where PHP coding comes in :)

You would first write your function, of course. It would have to be in header.php or your global data; I would recommend globals because it can be included in login.php/register.php without issues.

SO, what we need to do is make the variable you added carry into the function:

 

function MasterSecure($var_to_be_cleaned)
{
}

 

So there, now every time you call the function, it will carry your $_POST or $_GET INTO IT for cleaning. So now that it's going in, how do we know what to clean it with if we don't know what data type it is? Well, that's where the BRAIN FART comes in: I'm not much with those PHP functions off the top of my head, but I know someone is. I could look them up right now but don't know what they're called! But don't worry, PHP is powerful, I know it can be done, and I know it's something simple.

So now your function receives your post/get, and checks what data type it is. Now comes the part where you add the IF statements.

 

function MasterSecure($var_to_be_cleaned)
{
    /* Here you check for the datatype so you can decide which if statement to put it through. */

    // Use string cleaners, such as strip_tags.
    if (is_string($var_to_be_cleaned)) {
        // No quotes around the variable: '$var_to_be_cleaned' would be the literal text, not its value.
        $var_to_be_cleaned = strip_tags($var_to_be_cleaned);
    }
    else if (is_int($var_to_be_cleaned)) {
        $var_to_be_cleaned = abs($var_to_be_cleaned);
    }

    /* Your variable is then spit back out of the function and into your script, cleaned and ready to go! */
    return $var_to_be_cleaned;
}

 

So there we have it, a hopefully working master securer, working for all versions of mccodes.

BELOW: I will be keeping track of the actual function in a script box and will be adding/modifying as I get new posts.

function msecure($var) {
    if (is_int($var)) {
        print abs(intval($var));
    }
    else if (is_string($var)) {
        print mysql_real_escape_string($var);
    }
    else {
        print "Warning - Invalid Data";
    }
}

die('this wont work. secure the whole site.');
Explain to me why it won't? This IS securing the whole site, isn't it? I'm saying go through EVERY script, and add this function around EVERY SINGLE post/get. So really it's the same thing as adding abs/strip_tags to each one individually, except the function will do it for you. BTW thanks for the is_int! :D

He means one function that does mres and abs(intval etc. if it's a number, like I said, won't really work in one (or not the best idea anyway), but 5 or 6 that help secure input and output could work. Most people are still using magictallguy's clean and format functions.


I'm just saying! Using this on your variables instead of figuring out what cleaners to add to them will save a lot of work. Isn't this what you're supposed to use to secure a site? I thought stripping tags and such was the best way to secure it, so why not let a function do it for you?


No, it's not what you use to secure a whole site; in fact it's not even near the level you would need. As I said, 5+ functions could help, but one function will not. The one you posted is for strings and numbers (mres and abs used), so if I want to use HTML on your site, what's stopping me?


Two things about this piece of code:

function msecure($var) {
    if (is_int($var)) {
        print abs(intval($var));
    }
    else if (is_string($var)) {
        print mysql_real_escape_string($var);
    }
    else {
        print "Warning - Invalid Data";
    }
}

 

apart from the fact it won't secure everything,

1) you need to look at functions, use return instead of print

2) use echo instead of print because it's faster :)


  • 10 months later...

@Macintrash: I shall put this as simple as I can, using one function for all scenarios will not work, you need to filter/sanitize the information differently most of the time.

@Danny696: The only piece of advice I see you give is mainly "use echo instead of print"; it doesn't matter. The speed difference is UNNOTICEABLE.


filter_var($_POST['whatever'], FILTER_VALIDATE_INT) for integers; 99% of my variables that interact with the DB are integers. And when it comes to strings, there are a few functions that I use lol

Using a couple of different functions is maybe a bit more difficult, but I would say a lot more reliable. Because that master function can only determine what type of data is passed, but it will never be able to determine what type of data you EXPECT to be passed. While using filter_var($_POST['whatever'], FILTER_VALIDATE_INT) you tell the script what type of data you need.


@Danny696: The only piece of advice I see you give is mainly "use echo instead of print"; it doesn't matter. The speed difference is UNNOTICEABLE.

Yeh, I realise that now, was a 'phase' where I honestly believed it mattered. :P

 

just had to bump a year old thread to say that :p

Totally unneeded post...

 

filter_var($_POST['whatever'], FILTER_VALIDATE_INT) for integers; 99% of my variables that interact with the DB are integers.

Where did that fact come from? It's not; about 70-75% of them are.

Also, why are you just validating the int, and not actually sanitizing it? Or did you just see others doing that?


Have you seen my code to say that? :P Well anyway, I may have exaggerated 99%.

Sanitize integer??? I was never aware of integer injection lol. No really, I understand why you would need to sanitize a string... But what harm could an integer do???

Edited by galdikas

Difference is as so...

For example, if your player was trying to sell 100 rotten eggs: they input 100, but their fat fingers type in 100w.

If you just validate it will simply error.

If you sanitize first and then validate it will remove the user error (w) and process the 100.


filter_var($var, FILTER_VALIDATE_INT) will not let anything through unless it is an integer; it would not validate 100w... it would not even let through 10 0 (with spaces in it, or before or after it). Basically, if it is anything other than an integer it will not set that variable :)


Yes, I know exactly what it does, but I'm asking why not just sanitize it, instead of just validating it and doing nothing, which most people on here do. For example, $userid = filter_var($_POST['userid'], FILTER_VALIDATE_INT); then they don't check if it actually validated or not.


filter_var($var, FILTER_VALIDATE_INT) will not let anything through unless it is an integer; it would not validate 100w... it would not even let through 10 0 (with spaces in it, or before or after it). Basically, if it is anything other than an integer it will not set that variable :)

Did you read what I posted? If you sanitize first, then it would remove the w, thus proceeding to the validate. It's called making your code more user friendly. If they happen to make a slight mistake, the code accounts for it. I'd rather help my players than just give them an error message.


Did you read what I posted? If you sanitize first, then it would remove the w, thus proceeding to the validate. It's called making your code more user friendly. If they happen to make a slight mistake, the code accounts for it. I'd rather help my players than just give them an error message.

I thought we were talking about security :)

If the input actually gets typed in by the user, then I sanitize as well. But if the input gets generated by the code, but can easily be tampered with by users ($_GET parameter in the URL, or hidden input in a form via POST), I never sanitize. But in, let's say, the gym, where the user actually is required to type stuff in, then I do sanitize :)


Just as info, hidden inputs via POST are as insecure as $_GET parameters. So are cookies as well. So basically whatever comes from the browser MUST be checked. Also, security is not limited to SQL injections or XSS hacks; you may also simply have users who try to access areas they should not (like reading messages of somebody else) or do bad actions. So you really have to check on each page and it depends on the page itself. A "catch all" is ok for XSS / SQL injections but not for the others.

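Below is an added example (not code from this thread or from mccodes) of the approach the filter_var replies and the last post argue for: each parameter declares the type it expects (every $_POST/$_GET value arrives as a string, so is_int() inside a type-sniffing cleaner never matches), the filter_var() result is compared with === so a legitimate 0 is not mistaken for failure, an optional sanitize step covers the "100w" case, and an ownership check covers what a catch-all cannot. read_int(), fetch_own_message(), the $messages rows and the $post values are all constructed for this example.

```php
<?php
// Added example: expectation-driven input handling, not code from the thread.

/**
 * Read an integer request parameter. Returns the int, or null if missing/invalid.
 * $lenient = true runs FILTER_SANITIZE_NUMBER_INT first, so "100w" becomes 100;
 * with $lenient = false "100w" is rejected. $range is e.g. ['min_range' => 1].
 */
function read_int(array $src, string $key, bool $lenient = false, array $range = []): ?int
{
    if (!isset($src[$key]) || is_array($src[$key])) {
        return null;                      // absent, or an array smuggled in via key[]
    }
    $raw = (string) $src[$key];           // everything in $_POST / $_GET is a string
    if ($lenient) {
        $raw = filter_var($raw, FILTER_SANITIZE_NUMBER_INT); // keeps digits, '+' and '-'
    }
    $val = $range
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => $range])
        : filter_var($raw, FILTER_VALIDATE_INT);
    return $val === false ? null : $val;  // ===: a valid 0 must not be treated as failure
}

/**
 * A validated id is not an authorised one: also check the row belongs to the viewer.
 * $messages is a constructed stand-in for a messages table (id => row).
 */
function fetch_own_message(array $messages, int $viewer, ?int $id): ?string
{
    if ($id === null || !isset($messages[$id]) || $messages[$id]['owner'] !== $viewer) {
        return null;
    }
    return $messages[$id]['text'];
}

// Constructed sample rows and request values (what $_POST would carry).
$messages = [7 => ['owner' => 3, 'text' => 'hello'], 8 => ['owner' => 5, 'text' => 'secret']];
$post     = ['qty' => '100w', 'userid' => '0', 'msg' => '8'];

var_dump(read_int($post, 'qty'));                            // strict: the stray 'w' makes it invalid
var_dump(read_int($post, 'qty', true, ['min_range' => 1]));  // lenient: sanitized, then validated
var_dump(read_int($post, 'userid'));                         // id 0 survives thanks to the === check
var_dump(read_int($post, 'missing'));                        // absent key handled without a notice
var_dump(fetch_own_message($messages, 3, read_int($post, 'msg'))); // valid id, but viewer 3 is not the owner
```

The last call is the point of the final post: the id passes validation, yet the viewer must still be refused because the row belongs to someone else.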
