Newbie Posted September 13, 2012

Hello all. I've been doing some research on securing the basic unsecured files in MCCodes, like cmarket. $_GET['ID'] = abs((int) $_GET['ID']); would fix that problem. I have been looking at the code for MCCodes v2.b and was wondering if it was better to secure each function like they have. I am running an older version of MCCodes, as v2.b seems a bit complicated for me and I would have to go through most of the staff files and edit bits to get it to work. The crimes I managed to get done thanks to the help of djkanna and that other topic, but I couldn't understand some of the other files. (OK, back on topic.) Also, is it better to secure it the way they have? $_GET['ID'] = abs((int) $_GET['ID']); <-- is there a way to bypass this, as it's written differently in v2.b, or do they both do the same job? Thanks, Steve
Octarine Posted September 13, 2012

$_GET['ID'] = abs((int)$_GET['ID']) is .. for want of a better turn of phrase .. utter madness.

1. The resulting $_GET['ID'] might not be an integer, contrary to what appears in the code.
2. Making an implicit assumption about the sign of incoming data.
3. Not even bothering to perform type checking, which may lead to unwanted information disclosure.
4. Clamping the data unnecessarily.

It is far better to test for the existence of the ID parameter; check its type (anything other than a string, you can "400" the user); then check that the contents of the (string) value, without coercing or casting it first, are within some form of acceptable limits; and finally - though at this stage no longer important - cast it to an integer value prior to using it in a query.
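A validator that follows the four steps described above, as an added example (not code from this thread or from MCCodes); the function name, the regular expression, the upper bound and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not code from the thread or from MCCodes): a validator
// that follows the four steps above. The function name, the regex, the
// upper bound and the sample inputs are assumptions made for illustration.

/**
 * Return the validated ID as an int, or null when the request should be
 * answered with a 400. $params is the raw query array (normally $_GET),
 * passed in so the function can be exercised from the command line.
 */
function validate_id(array $params, string $key = 'ID', int $max = 1000000): ?int
{
    // 1. existence: a missing parameter is a bad request, not ID 0
    if (!array_key_exists($key, $params)) {
        return null;
    }
    $raw = $params[$key];
    // 2. type: ?ID[]=1 arrives as an array; anything but a string is rejected
    //    before it can reach a cast and produce a notice or a wrong value
    if (!is_string($raw)) {
        return null;
    }
    // 3. contents, checked on the untouched string: unsigned digits only,
    //    no leading zeros, bounded length. abs((int)"12abc") would have
    //    quietly produced 12 and abs((int)"-5") would have produced 5.
    if (!preg_match('/^(?:0|[1-9][0-9]{0,9})$/', $raw)) {
        return null;
    }
    // 4. only now cast, then apply the application's own range limit
    $id = (int) $raw;
    return ($id >= 1 && $id <= $max) ? $id : null;
}

// Constructed sample requests, as they would appear in $_GET.
$samples = array(
    array('ID' => '42'),          // well-formed
    array('ID' => '-5'),          // negative: rejected instead of flipped to 5
    array('ID' => '12abc'),       // trailing garbage: rejected instead of 12
    array('ID' => array('1')),    // ?ID[]=1: wrong type
    array(),                      // parameter absent
);
foreach ($samples as $get) {
    $id = validate_id($get);
    // In a real page: if ($id === null) { http_response_code(400); exit; }
    echo json_encode($get), ' => ', ($id === null ? 'reject (400)' : "accept $id"), PHP_EOL;
}
```

The accepted value is a checked integer and should still be bound as a parameter in the query rather than interpolated into the SQL string.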
sniko Posted September 13, 2012 (edited)

(Quoting Octarine's reply above.)

Following on from this, I created this little thing to test the data-type of something, which you could integrate into your source:

```php
<html>
<head>
<title>Try (throw) catch</title>
<style type="text/css">
#error { background: #A85858; padding: 5px; border: 1px solid #804242; width: 30%; }
#success { background: #458042; padding: 5px; border: 1px solid #4B8042; width: 30%; }
</style>
</head>
<body>
<?php
/*
 * A bit of error handling - Using ttc (try throw catch)
 * -- sniko -- 10 September 2012
 */
// Takes an array of data_type => value pairs and checks each value against
// its declared type. Returns an error div on the first mismatch and nothing
// (NULL) when every value matches.
function ttc($pass)
{
    try {
        if (!is_array($pass)) {
            throw new Exception('Please pass an array.');
        }
        foreach ($pass as $data_type => $value) {
            if ($data_type == 'int' && !is_int($value)) {
                throw new Exception('Wrong data type. (int)');
            }
            if ($data_type == 'string' && !is_string($value)) {
                throw new Exception('Wrong data type. (string)');
            }
            if ($data_type == 'bool' && !is_bool($value)) {
                throw new Exception('Wrong data type. (bool)');
            }
        }
    } catch (Exception $e) {
        return "<div id=\"error\">" . $e->getMessage() . "</div>";
    }
}

$array = array(
    'int'    => 3,
    'string' => 'foobar',
    'bool'   => FALSE
);

$result = ttc($array);
if ($result) {
    echo $result;
} else {
    echo "<div id=\"success\">Success!</div> <br /> Data types are correct!";
}
?>
</body>
</html>
```

Edited September 13, 2012 by sniko
Dayo Posted September 14, 2012

Why are you using an insecure version when you can download the secure one? Unless you don't have a licence.
Newbie Posted September 14, 2012 (Author, edited)

I do have a license; I also have a copy of the new v2.b, but as I said above, the code is too complicated for me. I'm used to the old version and I don't like the way they've done the staff files, meaning I would need to add it in from all the database. Feel free to ask Coldblooded: there was a mess-up on my behalf. I added the money to my account on mccodes.com, then realized that the cash was to be done through PayPal, so I contacted Cold and we spoke. He took the money from my account and then added the license to my account, but it wouldn't show, so I sent him a screenshot and he sent me the codes manually.

Client Email: [email protected]
Domain name: crimeland.org

EDIT: I'll probably just do it all on the older version and transfer the database over. This topic can be closed, and you're still welcome to check that my license info is there.

Edited September 14, 2012 by Newbie