grant (posted March 30, 2011): Make a file 5050points.php [PHP code hidden: viewing it requires forum registration] SQL [SQL code hidden: viewing it requires forum registration] All secure as far as I know.
a_bertrand (posted March 31, 2011): I was looking at your SQL only... and soon spotted things you should not have: Line 59 you directly place $_POST[amount] into your query! No way! NEVER EVER place a variable received from the browser directly into a query! So no, your code is not secure.
Blade Maker (posted March 31, 2011): Yeah, if I am wrong correct me as I do not know much about securing, but don't you secure it with mysql_real_escape_string?
a_bertrand (posted March 31, 2011): Depends what you want to do. But mysql_real_escape_string is one of the solutions.
grant (author, posted March 31, 2011): Well, I've not mastered securing yet myself. Thanks for the heads up on that :D
Dominion (posted March 31, 2011): I would assume $_POST['amount'] is a number... you don't use mres on a number. abs(intval()); as you have done in other places would be fine to ensure it's a whole number.
ShadyCoco (posted August 27, 2011): Ermm. You have _target="blank" why? That'd open a new tab or page depending on browser... Also <a href="http://blah.php"> why have http://? Simply href="5050.php" would do. Amount and newpoints need abs(intval()); Also $winner = rand(0,1); could be better with mt_rand() :) And selecting owner from the DB... Use MRES because some people might not have secured their user name change so this could be a place to exploit it. It's a real nice mod but it's just C/P from money 5050 and changed with points.... Thanks for posting it anyway :)
H4x0r666 (posted August 27, 2011, edited): [quoting a_bertrand] "I was looking at your SQL only... and soon spotted things you should not have: Line 59 you directly place $_POST[amount] into your query! No way! NEVER EVER place a variable received from the browser directly into a query! So no your code is not secure." Just use mysql_real_escape_string($_POST[amount]) and it's more secure^^ Edited August 27, 2011 by H4x0r666: oops, there was already an answer like this :S sorry..
rulerofzu (posted August 27, 2011): Ooops, yes there was already an answer and you're still wrong lol
Anonymous (posted August 28, 2011): So you ignore the type? Tsk tsk, I'm sure I taught you better than that :D isset / is_string / ctype_digit - then range check :P /me ducks ;)
Anonymous (posted August 28, 2011): hehe.
ShadyCoco (posted August 29, 2011): Ermm, never used range check.... Is this how it would work: [PHP code hidden: viewing it requires forum registration] Is that about right?
vlad (posted September 10, 2011): [PHP code hidden: viewing it requires forum registration]
ShadyCoco (posted September 10, 2011): MRES is fcking useless for numbers. Inputting $newpoints into the DB with little filtering is another fail. Try adding abs(intval()); That will make sure it's a number and nothing else. sprintf(); is just slowing it down along with all the MRES :S
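The two points the thread keeps circling back to are (a) a_bertrand's rule that a browser-supplied value never goes straight into a query, and (b) Anonymous's order of checks for the amount: isset, is_string, ctype_digit, then a range check. The PHP below is an added example written for this thread; it is not the 5050points.php mod, not code from any poster, and its table and column names ("users", "points", "id") and the PDO connection details are assumptions. It rejects rather than converts bad input (abs(intval()) turns "12abc" into 12 and "abc" into 0, which is why ctype_digit is the stricter check), and it binds the validated integer as a parameter instead of escaping it with mysql_real_escape_string.

```php
<?php
// Added example (not from the original thread or the 5050 mod): validate the
// posted "amount" as the thread describes (isset / is_string / ctype_digit,
// then a range check) and bind it as an integer in a prepared statement
// instead of interpolating it into SQL. Table/column names are assumptions.

declare(strict_types=1);

/**
 * Returns the amount as an int, or null when the input is missing, is not a
 * plain decimal digit string, or falls outside [$min, $max].
 */
function validate_amount(array $post, int $min, int $max): ?int
{
    // isset + is_string: rejects a missing field and array input (amount[]=1)
    if (!isset($post['amount']) || !is_string($post['amount'])) {
        return null;
    }
    $raw = $post['amount'];
    // ctype_digit rejects signs, spaces, decimals and "12abc"; intval() would
    // silently accept those. The length cap keeps the (int) cast from overflowing.
    if ($raw === '' || strlen($raw) > 18 || !ctype_digit($raw)) {
        return null;
    }
    $amount = (int) $raw;
    // range check, e.g. 1 .. the player's current balance
    if ($amount < $min || $amount > $max) {
        return null;
    }
    return $amount;
}

/**
 * Deducts a validated amount with bound integer parameters (PDO).
 * The WHERE clause re-checks the balance server-side so a stale page cannot
 * spend more points than the player actually has.
 */
function deduct_points(PDO $db, int $userId, int $amount): bool
{
    // two placeholders for the same value: native prepares do not allow reuse
    $stmt = $db->prepare(
        'UPDATE users SET points = points - :amt WHERE id = :id AND points >= :amt2'
    );
    $stmt->bindValue(':amt',  $amount, PDO::PARAM_INT);
    $stmt->bindValue(':amt2', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':id',   $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;   // false: insufficient points or no such user
}

// Constructed sample inputs showing what the validator accepts and rejects.
$cases = ['500', '0', '-5', '12abc', '1e3', ['1'], ' 7', '25'];
foreach ($cases as $c) {
    $r = validate_amount(['amount' => $c], 1, 1000);
    printf("%-8s => %s\n",
        is_array($c) ? 'array' : var_export($c, true),
        $r === null ? 'rejected' : "ok ($r)");
}

// Typical use inside the mod (connection values are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=game', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $amount = validate_amount($_POST, 1, $currentBalance);
// if ($amount === null) { exit('Invalid amount'); }
// if (!deduct_points($db, $currentUserId, $amount)) { exit('Not enough points'); }
```

Of the sample inputs only '500' and '25' pass; '0' and '-5' fail the range and digit checks, '12abc', '1e3' and ' 7' fail ctype_digit, and the array fails is_string. Note that the range check is the part abs(intval()) never gives you: a well-formed integer larger than the player's balance is still a bad bet, which is why the UPDATE also guards on points >= :amt2.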