Joshua, posted January 2, 2011:
I'm getting annoyed going back through all these files this guy supposedly did. Example:
$qc=$db->query(sprintf("select * from contactlist where cl_ADDER=$userid and cl_ADDED='%s'",$_POST['ID']));
Not only is %s for strings (the above should be %u), but there is no need for sprintf, and the $_POST variable is secured nowhere in the script. That's just an example; this whole darn file is full of it >,<
Joshua, posted January 2, 2011:
Personally I wouldn't use sprintf on something of this nature at all, but %u is for integers whereas %s is for strings. Obviously $_POST['ID'] is going to be an integer.
Dominion, posted January 3, 2011:
> I'm getting annoyed going back through all these files this guy supposedly did. Example:
> $qc=$db->query(sprintf("select * from contactlist where cl_ADDER=$userid and cl_ADDED='%s'",$_POST['ID']));
> Not only is %s for strings (the above should be %u), but there is no need for sprintf, and the $_POST variable is secured nowhere in the script. That's just an example; this whole darn file is full of it >,<
Not being funny here, but if we are going to openly attack people, I will pull up some of your old posts. Mistakes are made. Thanks for the warning; it will stay here. Now let's move on?
Joshua, posted January 3, 2011:
Dominion, the reason that was pointed out is that the person in question called that a secured script, when in fact the $_POST variable is not secured and sprintf is being used improperly ^_-
Paul, I made a habit, back when I did like to use sprintf, of using %u on integers, as the only difference is that one is unsigned and one is signed. I see no major problem with either, though one can always learn, I suppose. But putting single quotes ' ' around a %s for $_POST['ID'] (I removed them) is just plain useless.
Paul Evans, posted January 3, 2011:
%u gives different results when you input a negative number, I believe (I personally don't use sprintf at all on CG, so I've lost track).
Joshua, posted January 3, 2011:
You know, you may be correct in that assumption; I'm not 100% sure myself. But securing the $_POST variable anyway, which is how I always do it rather than using sprintf, stops that. A simple ctype_digit or abs((int) on the $_POST['ID'] is usually where I'd go with it, which means that if I were to use %u it wouldn't matter whether it accepts negative integers anyway. But %s is only for strings. It was just an example of how this person charging to do security has absolutely no idea, and this is one of 4 scripts I've seen that have been altered at all from their original state.
Paul Evans, posted January 3, 2011:
It's been a while, but I thought ctype_digit checks for -/+ symbols, so why use absolute and integer?
Joshua, posted January 3, 2011:
I said OR ;) Either works just the same :P abs((int) or ctype_digit :P
Paul Evans, posted January 3, 2011:
Ah, but ctype_digit allows decimals... so really, if you're going to filter properly, it would be wise to take that into account.
Joshua, posted January 3, 2011:
Just another point of how things are secured differently. Some things that shouldn't be decimals do not need ctype, whereas some that do should. Same with different variables like BIGINT: I think abs((int) will not work on that, as it will only go to 2.14 something or other, I believe. Which is why I've tried to make a habit of using ctype; however, again, they both work fine :P
Dominion, posted January 4, 2011:
[infobox] Thread split from http://makewebgames.io/board873/34468-be-warned/ [/infobox]
> Dominion, the reason that was pointed out is that the person in question called that a secured script, when in fact the $_POST variable is not secured and sprintf is being used improperly ^_-
Well, it seems at the moment you're just rubbing salt in the wound. We get the point ;)
DylanTimby, posted January 7, 2011:
Joshua, stop arguing over stupid stuff; other people are open to opinions on different types of coding styles, right or wrong?
Cheers, Dylan!
Paul Evans, posted January 7, 2011:
Technically, Joshua:
$var = (isset($var) && ctype_digit($var)) ? intval($var) : 0;
I don't get why you post abs((int); it seems like you're just copying it from somewhere. Easier to just say abs int...
Dominion, posted January 9, 2011:
> Joshua, stop arguing over stupid stuff; other people are open to opinions on different types of coding styles, right or wrong?
There are people's styles, and then there's doing it wrong. For example, not securing a $_POST[''] at all is just bad practice, and hardly a correct way to claim something is secure (short of me not knowing something, since we can only see one line)...
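The sprintf line quoted at the top of the thread and the integer checks argued about afterwards (ctype_digit, intval, %u), as an added example that is not code from the original thread or from any of the posters. It assumes PHP 7.4 or later with the pdo_sqlite extension; the contactlist table, the rows inserted into it, the hostile ID value and the function names are all constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes PHP >= 7.4 with pdo_sqlite.
// The contactlist table and its rows are constructed below so the script runs offline.

// 1. The pattern quoted in the thread: %s pastes the raw POST value into the query
//    text, so a value containing a quote can end the literal and rewrite the WHERE clause.
function vulnerableQuery(int $userid, string $postedId): string
{
    return sprintf(
        "select * from contactlist where cl_ADDER=$userid and cl_ADDED='%s'",
        $postedId
    );
}

// 2. The integer filter discussed above. ctype_digit() accepts only the characters
//    0-9, so "-5", "1.5", "", "1 OR 1=1" and "1' OR '1'='1" are all rejected.
//    intval() saturates rather than failing when the digits exceed PHP_INT_MAX
//    (a BIGINT-sized value on a 32-bit build, for example), so the converted value
//    is compared back against the input and anything that did not round-trip is
//    rejected instead of silently clamped.
function validId(?string $value): ?int
{
    if ($value === null || $value === '' || !ctype_digit($value)) {
        return null;
    }
    $id = intval($value);
    $normalized = ltrim($value, '0');   // "007" and "7" both mean 7
    if ($normalized === '') {
        $normalized = '0';
    }
    return ((string) $id === $normalized) ? $id : null;
}

// 3. %u in sprintf(): a negative integer is reinterpreted as its unsigned
//    two's-complement value rather than rejected, so a format specifier is a
//    formatter, not a validator.
function formatUnsigned(int $n): string
{
    return sprintf('%u', $n);
}

// 4. The hardened form: validate first, then bind the value as a parameter so the
//    database never sees it as part of the query text.
function contactsAddedBy(PDO $db, int $userid, string $postedId): array
{
    $id = validId($postedId);
    if ($id === null) {
        return [];   // or reject the request outright; never fall back to the raw string
    }
    $stmt = $db->prepare(
        'select * from contactlist where cl_ADDER = :adder and cl_ADDED = :added'
    );
    $stmt->bindValue(':adder', $userid, PDO::PARAM_INT);
    $stmt->bindValue(':added', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('create table contactlist (cl_ADDER integer, cl_ADDED integer)');
$db->exec('insert into contactlist values (7, 1), (7, 2), (9, 3)');

$hostile = "1' OR '1'='1";   // constructed hostile value for $_POST['ID']
$injected = $db->query(vulnerableQuery(7, $hostile))->fetchAll(PDO::FETCH_ASSOC);
echo 'unsafe sprintf query returned ' . count($injected)
   . " rows for user 7 (the hostile ID disabled both WHERE conditions)\n";
echo 'prepared query returned ' . count(contactsAddedBy($db, 7, $hostile))
   . " rows for the same hostile input (rejected before it reached the database)\n";
echo 'prepared query returned ' . count(contactsAddedBy($db, 7, '2')) . " row(s) for ID 2\n";

foreach (['42', '007', '-5', '1.5', '', '1 OR 1=1', '99999999999999999999'] as $input) {
    echo str_pad(var_export($input, true), 24) . ' -> ' . var_export(validId($input), true) . "\n";
}
echo 'sprintf("%u", -1) = ' . formatUnsigned(-1) . "\n";
```

Run it with `php example.php`. The first query echoes every row in the table because the hostile ID turns the WHERE clause into `cl_ADDED='1' OR '1'='1'`; the prepared version returns nothing for the same input because validId() refuses it, and returns exactly one row for a well-formed ID. The loop at the end shows what the ctype_digit/intval check does with the negative, decimal, empty, injected and oversized inputs the thread argues about.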