MakeWebGames

Quick question


Newbie


Hello all, I've been doing some research on securing the basic unsecured files in mccodes, like cmarket.

$_GET['ID'] = abs((int) $_GET['ID']);

would fix that problem.

I have been looking at the code for mccodes v2.b and was wondering if it was better to secure each function like they have.

I am running an older version of mccodes, as v2.b seems a bit complicated for me and I would have to go through most of the staff files and edit bits to get it to work. The crimes I managed to get done thanks to the help of djkanna and that other topic, but I couldn't understand some of the other files. (OK, back on topic.)

Also, is it better to secure it the way they have?

$_GET['ID'] = abs((int) $_GET['ID']); <-- is there a way to bypass this, as it's written differently in v2.b, or do they both do the same job?

Thanks, Steve


$_GET['ID'] = abs((int)$_GET['ID']) is, for want of a better turn of phrase, utter madness:

1. The resulting $_GET['ID'] might not be an integer, contrary to what appears in the code.

2. It makes an implicit assumption about the sign of incoming data.

3. It does not even bother to perform type checking, which may lead to unwanted information disclosure.

4. It clamps the data unnecessarily.

It is far better to test for the existence of the ID parameter; check its type (anything other than a string, you can "400" the user); then check that the contents of the (string) value, without coercing or casting it first, are within some form of acceptable limits; and finally, though at this stage no longer important, cast it to an integer value prior to using it in a query.
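The four checks listed above carried out in order, as an added example that is not code from this thread or from mccodes; the helper name `validateId()` and its `$params` argument (standing in for `$_GET` so it runs offline) are assumptions:

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): returns the validated ID as an int, or
 * null when the request should be answered with HTTP 400. $params stands in
 * for $_GET so the function can be exercised offline.
 */
function validateId(array $params, string $key = 'ID', int $max = PHP_INT_MAX): ?int
{
    // 1. Existence: a missing parameter is a client error, not "ID 0".
    if (!array_key_exists($key, $params)) {
        return null;
    }
    $raw = $params[$key];

    // 2. Type: a query-string value is a string; anything else (e.g. an array
    //    produced by ?ID[]=1) is rejected before it reaches a cast.
    if (!is_string($raw)) {
        return null;
    }

    // 3. Content, checked on the uncast string: one to ten decimal digits, no
    //    sign, no leading zero, so "-42", "42abc" and "" are all rejected.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }

    // 4. Cast last, once the string is known to be a well-formed integer.
    $id = (int) $raw;
    return $id <= $max ? $id : null;
}

// Constructed sample requests; the comments note what abs((int) ...) would do.
$samples = [
    ['ID' => '42'],      // valid
    ['ID' => '-42'],     // abs((int) '-42') silently becomes 42
    ['ID' => '42abc'],   // (int) '42abc' silently becomes 42
    ['ID' => 'abc'],     // (int) 'abc' silently becomes 0
    ['ID' => ['1']],     // ?ID[]=1 arrives as an array, not a string
    [],                  // parameter absent
];

foreach ($samples as $params) {
    $shown = array_key_exists('ID', $params) ? json_encode($params['ID']) : '(absent)';
    $id = validateId($params);
    echo str_pad($shown, 12), ' => ', $id === null ? "400 Bad Request" : "id=$id", "\n";
}
```

Only the first sample yields an id; every other one is answered with a 400 instead of being silently reshaped into a different, valid-looking ID.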

Following on from this, I created this little thing to test the data type of something, which you could integrate into your source.

<html>
    <head>
        <title>Try (throw) catch</title>
        <style type="text/css">
            #error {
                background: #A85858;
                padding: 5px;
                border: 1px solid #804242;
                width: 30%;
            }
            #success {
                background: #458042;
                padding: 5px;
                border: 1px solid #4B8042;
                width: 30%;
            }
        </style>
    </head>

    <body>

    <?php
        /*
            * A bit of error handling
            - Using ttc (try throw catch)

            -- sniko
            -- 10 September 2012
        */

        // Checks each value in $pass against the type named by its key
        // ('int', 'string' or 'bool'). Returns an error <div> on the first
        // mismatch, or null when every value has the expected type.
        function ttc( $pass ) {
            try {
                if( !is_array($pass) ) {
                    throw new Exception('Please pass an array.');
                }

                foreach($pass as $data_type => $value) {
                    if( $data_type == 'int' && !is_int($value) ) {
                        throw new Exception('Wrong data type. (int)');
                    }
                    if( $data_type == 'string' && !is_string($value) ) {
                        throw new Exception('Wrong data type. (string)');
                    }
                    if( $data_type == 'bool' && !is_bool($value) ) {
                        throw new Exception('Wrong data type. (bool)');
                    }
                }
            }
            catch(Exception $e) {
                return "<div id=\"error\">". $e->getMessage() ."</div>";
            }

            return null; // all checks passed
        }

        $array = array(
            'int'    => 3,
            'string' => 'foobar',
            'bool'   => FALSE
        );

        // Validate once and keep the result instead of calling ttc() twice.
        $result = ttc($array);
        if( $result !== null ) {
            echo $result;
        } else {
            echo "<div id=\"success\">Success!</div> <br />
                  Data types are correct!";
        }
    ?>
    </body>
</html>
Edited by sniko

I do have a license.

I also have a copy of the new v2.b, but as I said above, the code is too complicated for me; I'm used to the old version.

And I don't like the way they've done the staff files, meaning I would need to add it all in from the database.

Feel free to ask Coldblooded.

There was a mess-up on my behalf: I added the money to my account on mccodes.com, then realized that the payment was to be made through PayPal.

So I contacted Cold and we spoke; he took the money from my account and then added the license to my account, but it wouldn't show, so I sent him a screenshot and he sent me the codes manually.

Client Email: [email protected]

domain name: crimeland.org

EDIT: I'll probably just do it all on the older version and transfer the database over. This topic can be closed, and you're still welcome to check that my license info is there.

Edited by Newbie