
I will be the first to admit


I would like to better secure my script. Man, I am just a person like you and sometimes a mistake is made. I suppose I could install vBulletin (this forum) and look at how they secure the user input (but is vBulletin secure?); I am sure it is snugly nestled as one function somewhere in a folder. Maybe Alan would post it. The point is (there's a point?), everyone has this question and it always requires a massive explanation, and almost certainly, on every forum, an argument. I know that no matter how secure I think my script is, I am not cocky enough to not want to learn and better secure my applications.

So really, truly and honestly, without any flaming or laughing at anyone's methods, post an example of you yourself cleaning a variable on your own application.

Maybe in the process, we can learn from real examples and maybe help / teach each other along the way. :)

My example (I am assuming you're running mysql_real_escape_string on input already):

Well i needed my users to be able to control where the icons moved along the screen and save where the icon had landed.

Easy enough. Later, when updating my own code, I thought that somehow the icon position update when it landed could be manipulated.

I was expecting digits between 1 (which would be the top left edge of the screen) all the way up to 1900+ depending on screen size (could be bigger).


$pos = ($_GET['p'] * 1);   // coerce whatever came in to a number
if ($pos <= 1) $pos = 1;   // clamp: anything at or below 1 becomes 1 (the original had "=<", which is a parse error)


$pos stands for the input i was receiving from the user via ajax.

What I am asking the script to do is multiply this supposed integer by one.

If the value of $_GET['p'] is not an integer, or it has a non-integer character in front of it, $pos will return zero. Good, that's exactly what I want: I take whatever the user added in and turn it to zero (which I can manipulate).

In the next part I ask the script if the $pos variable is smaller than or equal to one (it would almost never be 0 or 1 in my personal situation for this variable, but I digress); if it is smaller than or equal to one, then I say yup, you are one. So if the variable is -5345 * 1 = -5345 * 0 = 0, nope, it equals one. In this situation, if a user enters input arbitrarily with the ajax, as far as I can tell it's fully secure, but probably not (refer to first paragraph).

Edited by runthis
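An added example (mine, not runthis's code): the "multiply by one, then clamp" idea from the post above with the guard it needs on PHP 8, beside a filter_var() check that rejects bad input instead of coercing it. POS_MAX, the function names and the sample inputs are assumptions; the $samples array stands in for $_GET['p'].

```php
<?php
// Added example, not code from the thread: runthis's "multiply by one, then
// clamp" with the guard it needs on PHP 8, beside a filter_var() check that
// rejects bad input instead of coercing it. POS_MAX, the function names and
// the sample inputs are assumptions; $samples stands in for $_GET['p'].
declare(strict_types=1);

const POS_MIN = 1;
const POS_MAX = 4000; // assumption: largest coordinate the page can produce

function positionByMultiply(mixed $raw): int
{
    // "?p[]=1" turns $_GET['p'] into an array, and "abc" is not numeric;
    // on PHP 8 both make "$raw * 1" throw a TypeError instead of giving 0,
    // so is_numeric() goes first. It also refuses "", "abc5" and "5abc",
    // while accepting "1e3" and "-5345" (which the clamps then handle).
    if (!is_numeric($raw)) {
        return POS_MIN;
    }
    $pos = $raw * 1;              // int or float from here on
    if ($pos <= POS_MIN) {        // the post's lower clamp
        $pos = POS_MIN;
    }
    if ($pos > POS_MAX) {         // added upper clamp: "1e400" * 1 is INF, and (int) INF is 0
        $pos = POS_MAX;
    }
    return (int) $pos;
}

function positionByFilter(mixed $raw): ?int
{
    // Reject instead of coerce: FILTER_VALIDATE_INT accepts an optional sign
    // and decimal digits only, within the range, and returns false for
    // everything else ("1e3", "5abc", "", out of range). null tells the
    // caller the request was bad rather than quietly moving the icon to 1.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $pos = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => POS_MIN, 'max_range' => POS_MAX],
    ]);
    return $pos === false ? null : $pos;
}

// Constructed inputs standing in for $_GET['p'].
$samples = ['1500', '-5345', 'abc', 'abc5', '5abc', '1e3', '1e400', '', ['1']];
foreach ($samples as $raw) {
    printf("%-10s multiply=%-5d filter=%s\n",
        json_encode($raw),
        positionByMultiply($raw),
        var_export(positionByFilter($raw), true));
}
```

The difference worth noticing is the failure mode: the multiply version always produces a usable number, so a tampered request silently becomes position 1 (or POS_MAX), while the filter version hands the caller a null it can log and refuse.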

I would use, (using the same variables as yourself)

$pos = abs($_GET['p']);

This will remove any +/- sign, making sure it is a positive number, and makes sure it's a number, although it could return a float, which could be worked around with;

$pos = abs(intval($_GET['p']));

Which I'm sure we've all seen before, but it does work.

Quick test page I made;

$number = array();
$number[] = 5.2;
$number[] = -5.2;
$number[] = -1;
$number[] = 2535265765264567354675337; // larger than PHP_INT_MAX, so PHP stores this literal as a float

for ($i = 0; $i <= count($number) - 1; $i++) {
    echo abs(intval($number[$i])) . '<br />';
}

Which returns;

As you can see, you get a whole, positive number from each, except the one which is too large for an integer. If this was a game I was working on, it would be followed by an if ($pos <= 0) { #tell them } else { #sql }

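An added example (mine, not Danny's test page): what abs(intval()) does to the kind of values that actually arrive in $_GET (always strings), where the integer ceiling sits on the machine running it, and a stricter variant that rejects rather than clamps. Function names and the sample inputs are assumptions; requires PHP 8 for the union return type.

```php
<?php
// Added example, not Danny's test page: abs(intval()) applied to strings of
// the kind that arrive in $_GET, the integer limits of the running PHP, and
// a strict variant that rejects instead of clamping. Function names and the
// sample inputs are assumptions. Requires PHP 8.
declare(strict_types=1);

function cleanId(string $raw): int|float
{
    // intval() on a numeric string that overflows saturates at PHP_INT_MAX /
    // PHP_INT_MIN (documented), so an oversize id silently becomes
    // 9223372036854775807 on 64-bit PHP rather than 0. One more surprise:
    // abs(PHP_INT_MIN) does not fit in an int, so abs() returns a float there.
    return abs(intval($raw));
}

function cleanIdStrict(string $raw): ?int
{
    // Reject instead of coerce. ctype_digit() refuses sign, whitespace,
    // decimals and exponents; FILTER_VALIDATE_INT returns false on overflow
    // instead of saturating, and also on leading zeros ("0012"), so if those
    // should be accepted use (int) $raw after the ctype check instead.
    // null means "bad input", distinguishable from a legitimate id.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Danny's follow-up "tell them / else sql" branch, written against the strict variant.
function idOrError(string $raw): string
{
    $id = cleanIdStrict($raw);
    return $id === null ? 'tell them: bad id' : "sql with id $id";
}

// Integer limits of this build (PHP_INT_SIZE is 4 on 32-bit, 8 on 64-bit).
printf("PHP_INT_SIZE=%d PHP_INT_MAX=%d PHP_INT_MIN=%d\n", PHP_INT_SIZE, PHP_INT_MAX, PHP_INT_MIN);

// Constructed inputs standing in for $_GET['id'].
$samples = ['5', '-5', '5.2', '0012', '2535265765264567354675337', '-9223372036854775808', '12abc', ''];
foreach ($samples as $raw) {
    printf("%-28s abs(intval)=%-22s strict=%s  -> %s\n",
        var_export($raw, true),
        var_export(cleanId($raw), true),
        var_export(cleanIdStrict($raw), true),
        idOrError($raw));
}
```

Run it on a 32-bit and a 64-bit build and the abs(intval) column changes for the two oversize inputs, which is the portability point made in the next post; the strict column is the same everywhere because it never lets an overflowing value through.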

First, remember: an integer's maximum value can vary depending on how many bits your server is.

Maximum int value = (32 bit system: 2147483647) (64 bit system: 9223372036854775807)

Minimum int value = (32 bit system: -2147483647) (64 bit system: -9223372036854775807)

The script you posted in the security thread did its job. But to me it is messy to process multiple data formats/types in one function. Especially when one format/type can have many options. So just for the numeric part I would use something like this.

function numericValue($input, $min = '-INF', $max = INF, $float = true, $round = PHP_ROUND_HALF_UP)
{
    $min = !is_numeric($min) ? -INF : $min;   // anything non-numeric means "no lower bound"
    $max = !is_numeric($max) ? INF : $max;    // likewise for the upper bound
    $range = array($min, $max);
    $min = min($range[0], $range[1]);         // swap if the caller passed them the wrong way round
    $max = max($range[0], $range[1]);

    $input = ($input < $min) ? $min : $input; // range check
    $input = ($input > $max) ? $max : $input; // ^^

    if ($float == false)
        $input = round($input, 0, $round);    // integers only: round to 0 decimal places
    else {}                                   // do nothing because float is still true and we do not care how many decimal places it has

    return $input;
    return false; // so we have the option to know the difference between 0 and fail (never reached as written: the line above always returns first)
}

Making formatting input numbers as simple as this.

//Ahh finally got whitespace to work had to retype everything because the forums bbcode formatter doesn't like copy/pasting.

Edited by bluegman991

Great replies! Thanks Danny and Bluegman, I had no idea, thanks for sharing the information (especially about the 32-bit and 64-bit machines, had no clue)! Lucky, I think I will start using the ctype method I previously never used before.

Edit: about the bbcode on this forum, Bluegman, you can put the phrase noparse around the php code like this


[noparse]<?php echo 'Hello World!'; ?>[/noparse][/noparse]


To provide that example I did noparse twice so you could see my bbcode; it would return like this


[noparse]<?php echo 'Hello World!'; ?>[/noparse]


The noparse is cool to stop the conversion of smilies, and to stop the removal of part of the script by the feature that stops you from typing in a long string of characters by inserting a space every so often.

Edited by runthis

I personally use abs(intval()) for numeric and mysql_real_escape_string(htmlentities()) for alpha. I use the simplest functions that are already there... Sometimes for POST & GET numeric I use

$ids=(isset($_GET['id']) && ctype_digit($_GET['id'])) ? $_GET['id'] : '';

The reason I don't restrict numbers to integers is because when making a function I try to make its behavior the same across platforms. Also, the user would not be able to enter a number above or below the maximum and minimum integer value. It also restricts the user from entering numbers with decimal places, which (just like integers above/below the max/min int value) may be wanted.

The reason I don't use abs is also because a negative number may be required/wanted.

The reason why I don't use ctype_digit is because it is merely a preg match, which will verify if every character in the input is a number. This restricts decimals and also numbers in scientific form. It would be a bit more comfortable for some users when working with numbers above/below the max int value.

My function allows users to enter things like "1e5" which is "100000" (100 thousand), in case their mind plays tricks on them with how many zeros they typed in.

Or "3.579E+7" which is "35790000" (35 million 790 thousand)

It uses only predefined functions that are already there, and makes things that much quicker.

With no function you would have to do all this to confirm it is a number.

$ids=(isset($_GET['id']) && ctype_digit($_GET['id'])) ? $_GET['id'] : '';


With my function all you need to do is.

No function range check method

$ids=(isset($_GET['id']) && ctype_digit($_GET['id'])) ? $_GET['id'] : '';
$ids=$ids<0 ? 0 : $ids;
$ids=$ids>50 ? 50 : $ids;


My function range check method

No function limiting decimals

$ids=(isset($_GET['id']) && ctype_digit($_GET['id'])) ? $_GET['id'] : '';


My function limiting decimals

But then again, when I create something I aim for versatility and compatibility. But that's just me.

Also, thank you runthis for that code snippet, as this was not the first time I've had trouble with this forum formatting my posts.

Edited by bluegman991
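An added example (mine, not bluegman's numericValue()): the same idea as the post above, accept any numeric string including "1e5" and "3.579E+7", clamp it to a range and optionally round it to an integer, with the two checks I would add before trusting it on request input: reject non-numeric input outright, and refuse values that overflow to INF. The function name, the 0..50 range and the sample inputs are assumptions; requires PHP 8.

```php
<?php
// Added example, not bluegman's numericValue(): clamp-and-round for numeric
// strings (including exponent forms) with a non-numeric gate and an overflow
// check. Function name, range values and sample inputs are assumptions.
// Requires PHP 8 (mixed and union types).
declare(strict_types=1);

function numericInput(
    mixed $input,
    int|float $min = -INF,
    int|float $max = INF,
    bool $allowFloat = true,
    int $mode = PHP_ROUND_HALF_UP
): int|float|null {
    // is_numeric() is the gate: it accepts "42", "-3.5", "1e5", "3.579E+7"
    // and rejects "", "abc", "12abc", arrays and null. null signals failure
    // so the caller can tell it apart from a real 0.
    if (!is_numeric($input)) {
        return null;
    }
    $n = $input + 0;                  // numeric string -> int or float
    if (!is_finite($n)) {
        return null;                  // "1e400" becomes INF; do not clamp that into a "valid" value
    }
    if ($min > $max) {
        [$min, $max] = [$max, $min];  // tolerate bounds passed the wrong way round
    }
    $n = max($min, min($max, $n));    // clamp into [$min, $max]
    if (!$allowFloat) {
        $n = round($n, 0, $mode);     // round() always returns a float
        if ($n > PHP_INT_MIN && $n < PHP_INT_MAX) {
            $n = (int) $n;            // only convert when it fits in an int
        }
    }
    return $n;
}

// Constructed cases: [input, min, max, allowFloat].
$cases = [
    ['1e5',      -INF, INF, true],   // exponent form, no range
    ['3.579E+7', -INF, INF, true],
    ['75',          0,  50, true],   // above range: clamped to 50
    ['-3',          0,  50, true],   // below range: clamped to 0
    ['2.5',      -INF, INF, false],  // integers only: rounded
    ['2.5',      -INF, INF, true],   // decimals allowed: unchanged
    ['1e400',    -INF, INF, false],  // overflows to INF: rejected
    ['12abc',    -INF, INF, true],   // not numeric: rejected
    ['',         -INF, INF, true],   // empty: rejected
];
foreach ($cases as [$raw, $min, $max, $allowFloat]) {
    printf("%-12s min=%-5s max=%-5s float=%-5s => %s\n",
        var_export($raw, true), $min, $max, var_export($allowFloat, true),
        var_export(numericInput($raw, $min, $max, $allowFloat), true));
}
```

Clamping is a design choice, not a free lunch: "75" quietly becomes 50 and the caller never learns the request was out of range. For an id or a screen position I would rather return null on anything outside the range and let the caller refuse the request; the clamp is the right tool when the value is a preference (a zoom level, a page size) where the nearest legal value is genuinely what the user meant.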
