grant Posted March 30, 2011: make a file 5050points.php (code hidden; registration required to view) SQL (code hidden; registration required to view) all secure as far as I know
a_bertrand Posted March 31, 2011: I was looking at your SQL only... and soon spotted things you should not have: line 59, you directly place $_POST[amount] into your query! No way! NEVER EVER place a variable received from the browser directly into a query! So no, your code is not secure.
Blade Maker Posted March 31, 2011: Yeah, if I am wrong correct me as I do not know much about securing, but don't you secure it with mysql_real_escape_string?
a_bertrand Posted March 31, 2011: Depends what you want to do. But mysql_real_escape_string is one of the solutions.
grant (Author) Posted March 31, 2011: well, I've not mastered securing yet myself; thanks for the heads up on that :D
Dominion Posted March 31, 2011: I would assume $_POST['amount'] is a number... you don't use mres on a number. abs(intval()); as you have done in other places would be fine to ensure it's a whole number.
ShadyCoco Posted August 27, 2011: Ermm. You have _target="blank", why? That'd open a new tab or page depending on browser... Also < href="http://blah.php">, why have http://? Simply href="5050.php" would do. Amount and newpoints need abs(intval()); Also $winner = rand(0,1); could be better with mt_rand() :) And selecting owner from the DB... use MRES, because some people might not have secured their user name change, so this could be a place to exploit it. It's a real nice mod, but it's just C/P from money 5050 and changed to points.... Thanks for posting it anyway :)
H4x0r666 Posted August 27, 2011 (edited): (quoting a_bertrand) "I was looking at your SQL only... and soon spotted things you should not have: line 59, you directly place $_POST[amount] into your query! No way! NEVER EVER place a variable received from the browser directly into a query! So no, your code is not secure." Just use mysql_real_escape_string($_POST[amount]) and it's more secure ^^ Edited August 27, 2011 by H4x0r666: oops, there was already an answer like this :S sorry..
rulerofzu Posted August 27, 2011: Ooops, yes there was already an answer, and you're still wrong lol
Anonymous Posted August 28, 2011: So you ignore the type? Tsk tsk, I'm sure I taught you better than that :D isset / is_string / ctype_digit - then range check :P /me ducks ;)
ShadyCoco Posted August 29, 2011: Ermm, never used range check.... Is this how it would work: (code hidden; registration required to view) Is that about right?
vlad Posted September 10, 2011: (code hidden; registration required to view)
ShadyCoco Posted September 10, 2011: MRES is fcking useless for numbers. Inputting $newpoints into the DB with little filtering is another fail. Try adding abs(intval()); that will make sure it's a number and nothing else. sprintf(); is just slowing it down along with all the MRES :S
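The thread's two recurring points are a_bertrand's (never splice $_POST[amount] into the query text) and Anonymous's validation chain (isset / is_string / ctype_digit, then a range check). The PHP below is an added example written for this discussion; it is not code from the thread or from the 5050points mod. It implements that chain for the amount field and then applies the bet through a bound PDO parameter rather than escaping, which is the swapped-in technique here. The users table with userid and points columns, the 1..1000 bet limit, the $_SESSION key and the sample inputs are all assumptions, not anything the thread states.

```php
<?php
// Added example, not code from the original thread or from the 5050points mod.
// Implements the validation chain Anonymous describes (isset -> is_string ->
// ctype_digit -> range check) for $_POST['amount'], then applies the bet with a
// bound parameter so the value never becomes part of the SQL text.
// Assumptions: a users table with columns userid and points, a PDO connection to
// MySQL, and a bet limit of 1..1000 points; none of these come from the thread.

declare(strict_types=1);

/**
 * Validate a raw request value as a whole number of points.
 * Returns the int on success, or null when the input must be rejected.
 */
function validate_amount(array $input, int $min, int $max): ?int
{
    // isset: the field must be present. is_string: rejects amount[]=1, which PHP
    // turns into an array and which would break ctype_digit()/intval().
    if (!isset($input['amount']) || !is_string($input['amount'])) {
        return null;
    }
    $raw = $input['amount'];

    // ctype_digit: only 0-9, so "", "-5", "1e3", " 12", "12abc" and "0x1A" all fail.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }

    // Guard the cast: a 30-digit string would saturate PHP_INT_MAX when cast.
    if (strlen($raw) > 9) {
        return null;
    }
    $amount = (int) $raw;

    // Range check: within what the game allows a player to wager.
    if ($amount < $min || $amount > $max) {
        return null;
    }
    return $amount;
}

/**
 * Resolve one 50/50 bet. Returns true if the bet was applied, false if the
 * player could not cover it. $won receives the outcome by reference.
 */
function play_5050(PDO $db, int $userId, int $amount, ?bool &$won): bool
{
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable, which matters
    // when a player profits from guessing the outcome.
    $won   = random_int(0, 1) === 1;
    $delta = $won ? $amount : -$amount;

    // The WHERE clause makes the balance check and the update one atomic
    // statement, so two concurrent bets cannot both pass a separate SELECT check.
    // Placeholders are bound, never interpolated: no escaping is needed, and a
    // string such as "1 OR 1=1" could not have reached this point anyway.
    $stmt = $db->prepare(
        'UPDATE users SET points = points + :delta
          WHERE userid = :uid AND points >= :amount'
    );
    $stmt->bindValue(':delta',  $delta,  PDO::PARAM_INT);
    $stmt->bindValue(':uid',    $userId, PDO::PARAM_INT);
    $stmt->bindValue(':amount', $amount, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

// --- Constructed sample inputs (not real requests) showing what gets through. ---
$samples = [
    ['amount' => '250'],          // ok
    ['amount' => '-5'],           // ctype_digit fails
    ['amount' => '1 OR 1=1'],     // ctype_digit fails: the classic injection string
    ['amount' => ['1']],          // is_string fails: amount[]=1
    ['amount' => '5000'],         // range check fails
    [],                           // isset fails
];
foreach ($samples as $s) {
    $v = validate_amount($s, 1, 1000);
    echo json_encode($s), ' => ', var_export($v, true), PHP_EOL;
}

// Typical use inside 5050points.php (not executed in this example):
// $amount = validate_amount($_POST, 1, 1000);
// if ($amount === null) { exit('Invalid amount.'); }
// $ok = play_5050($db, (int) $_SESSION['userid'], $amount, $won);
```

Run it from the command line with php to see which sample inputs validate_amount() accepts; only the "250" case returns an int. Because the amount is validated as digits and then bound as PDO::PARAM_INT, neither mysql_real_escape_string nor sprintf is needed on the value, which is the point ShadyCoco makes about MRES on numbers; the balance check inside the UPDATE is what keeps a losing bet from driving points negative.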