Isomerizer (posted September 16, 2007)

Hey, so I was going to go through my game and attempt to secure all the variables in every file. Someone said you're supposed to secure every single input variable; I thought only variables involved in MySQL queries had to be secured. I was wrong. Anyway, I have learnt the mysql_real_escape_string() function, the striplash() function and the sprintf() function. Will using those functions on variables secure them enough? Or are other functions needed? Sorry if this sounds dumb, but I have never really learnt too much of the security side of PHP. Now's the time to start. Thanks.
Jesse60905 (posted September 17, 2007)
Re: Securing Variables

I'm currently learning some on security and I can definitely use some help on this too. I would appreciate any help anybody can give the two of us.
hamster01 (posted September 17, 2007)
Re: Securing Variables

You need to clean the POST and GET superglobals.

1. I suppose you mean 'stripslashes'. Why would you want to do this? There is no logic to this.
2. Eh... what does this have to do with security?

Here is a list of functions I use to secure input from users: htmlspecialchars, htmlentities, urlencode/_decode, mysql_real_escape_string, and a few I cannot remember.
Isomerizer (thread author, posted September 17, 2007)
Re: Securing Variables

> You need to clean the POST and GET superglobals.
> 1. I suppose you mean 'stripslashes'. Why would you want to do this? There is no logic to this.
> 2. Eh... what does this have to do with security?
> Here is a list of functions I use to secure input from users: htmlspecialchars, htmlentities, urlencode/_decode, mysql_real_escape_string, and a few I cannot remember.

Ok, thanks Ferdi. I've been reading up about those functions and trying to work out when they're needed exactly... This is a part of my authenticate.php (DBS v1) I just re-wrote.

```php
// $c is the mysql_connect() link used elsewhere in authenticate.php
$username = htmlspecialchars(mysql_real_escape_string($_POST['username']), ENT_QUOTES);
$password = htmlspecialchars(mysql_real_escape_string($_POST['password']), ENT_QUOTES);
$uq = mysql_query("SELECT userid FROM users WHERE login_name='$username' AND `userpass`=md5('$password')", $c) or die(mysql_error());
```

Is this now secure enough? Or am I still missing something?
hamster01 (posted September 17, 2007)
Re: Securing Variables

> This is a part of my authenticate.php (DBS v1) I just re-wrote.
>
> $username = htmlspecialchars(mysql_real_escape_string($_POST['username']), ENT_QUOTES);
> $password = htmlspecialchars(mysql_real_escape_string($_POST['password']), ENT_QUOTES);
> $uq = mysql_query("SELECT userid FROM users WHERE login_name='$username' AND `userpass`=md5('$password')", $c) or die(mysql_error());
>
> Is this now secure enough? Or am I still missing something?

```php
$username = htmlspecialchars($_POST['username']); // You do not want to strip characters from their username, only encode it.
$password = md5($_POST['password']); // screw them...
$uq = mysql_query("SELECT userid FROM users WHERE login_name='$username' AND `userpass`='$password'", $c) or die(mysql_error());
```
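The login queries in the two posts above build SQL by interpolating a string that has only been through htmlspecialchars(). The following is an added example, not code from the thread or from DBS: it reproduces that pattern against an in-memory SQLite database through PDO (so it runs offline, no MySQL needed), feeds it a constructed username, and contrasts it with a bound parameter plus password_hash()/password_verify(). The users table, the test user `alice` and the attacker string are all constructed for the example.

```php
<?php
// Added example (not code from the thread or from DBS). Reproduces the login
// query pattern discussed above with an in-memory SQLite database via PDO so
// it runs offline, and contrasts it with a bound parameter plus password_hash().
// The users table and the test user 'alice' are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, login_name TEXT UNIQUE, userpass TEXT)');

// Constructed test user. password_hash() salts and uses a slow hash; md5() does neither.
$ins = $db->prepare('INSERT INTO users (login_name, userpass) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The thread's pattern: htmlspecialchars() the input, then interpolate it into SQL.
// ENT_COMPAT is what a flag-less htmlspecialchars() meant in 2007 (and until
// PHP 8.1): only the double quote is encoded, so a single quote reaches the SQL
// parser intact and the caller controls the WHERE clause.
function loginUnsafe(PDO $db, string $username, string $password): ?int
{
    $u = htmlspecialchars($username, ENT_COMPAT);
    $sql = "SELECT userid FROM users WHERE login_name='$u' AND userpass='" . md5($password) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// Bound parameter: the username travels to the driver as data, never as SQL text,
// so no escaping is needed and nothing HTML-encoded is stored. The hash check is
// done in PHP with password_verify() rather than inside the query.
function loginSafe(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT userid, userpass FROM users WHERE login_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['userpass'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Constructed attacker input: closes the string literal, adds an always-true
// clause, and comments out the rest of the WHERE (including the password check).
$payload = "' OR '1'='1' -- ";

printf("unsafe, payload as username : %s\n", var_export(loginUnsafe($db, $payload, 'wrong'), true));
printf("safe,   payload as username : %s\n", var_export(loginSafe($db, $payload, 'wrong'), true));
printf("safe,   real credentials    : %s\n", var_export(loginSafe($db, 'alice', 'correct horse'), true));
```

Run it with the PHP CLI (php-sqlite / pdo_sqlite must be enabled). The first line shows the interpolated query handing back alice's userid without any password, the second shows the same string treated as a literal username that matches nobody, and the third shows a normal login. The point is that htmlspecialchars() belongs to HTML output, and mysql_real_escape_string() was only ever a stopgap for the interpolation habit; binding parameters removes the problem rather than escaping around it.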
Isomerizer (thread author, posted September 17, 2007)
Re: Securing Variables

Ok, I think I am starting to understand, though I must realise when the functions are needed and when they are not. Hopefully I'll get used to it soon enough :)
Zeggy (posted November 11, 2007)
Re: Securing Variables

I think the easiest would be to just create/find a function that does this, then any time you need to clean a string, just run it through the function :)
hamster01 (posted November 11, 2007)
Re: Securing Variables

> I think the easiest would be to just create/find a function that does this, then any time you need to clean a string, just run it through the function :)

Ben . Oakley...? says (04:09 nm):

```php
function clean($string) {
    if (ini_get('magic_quotes_gpc') == 'off') {
        $string = addslashes($string);
    } else {
        $string = mysql_real_escape_string(htmlspecialchars(stripslashes(trim($value))));
    }
    return $string;
}
```

He's not stupid, now stop trying to be clever..
Zeggy (posted November 11, 2007)
Re: Securing Variables

I'm sorry, can you tell me where you quoted that from? I'm fairly sure I didn't read that in this topic. Now, stop trying to argue with all my posts. It's not working :P
hamster01 (posted November 11, 2007)
Re: Securing Variables

> I'm sorry, can you tell me where you quoted that from? I'm fairly sure I didn't read that in this topic.

From Isomerizer himself.

> Now, stop trying to argue with all my posts. It's not working :P

Oh, f*ck you, you started it..
Zeggy (posted November 11, 2007)
Re: Securing Variables

It's not in this topic, so how would I know he posted that? I couldn't have known, so there was nothing wrong with my post.

> Oh, f*ck you, you started it..

Right... care to show me where? I argue with your posts maybe, but I haven't made any personal attacks. So stop taking it personally.
Haunted Dawg (posted February 12, 2008)
Re: Securing Variables

Zeggy, do you know what MSN is? :? HE QUOTED IT FROM THERE!
Zeggy (posted February 17, 2008)
Re: Securing Variables

Yeah, but how the hell would I know what they chat about on MSN?
Floydian (posted February 17, 2008)
Re: Securing Variables

Not sure what the argument is about, but since this thread is back on top again, you might want to avoid this function:

```php
function clean($string) {
    if (ini_get('magic_quotes_gpc') == 'off') {
        $string = addslashes($string);
    } else {
        $string = mysql_real_escape_string(htmlspecialchars(stripslashes(trim($value))));
    }
    return $string;
}
```

lol. What good does it do to test if magic quotes is off and addslashes to it, if when magic quotes IS on, you stripslashes, then do htmlspecialchars and mysql escape? The outcome is totally different based on whether or not magic quotes is on or off. Basically it amounts to this: if magic quotes is off, simulate the effects of magic quotes. If magic quotes is on, compensate for magic quotes by stripping the slashes and doing htmlspecialchars and mysql escape.

Secondly, this function is in error because the variable $value is never defined!

Here's a better MC Codes-type "clean" function:

```php
// database escape and htmlentities
function clean($string) {
    global $c; // the mysql_connect() link resource

    // if magic quotes is on, strip the slashes it adds
    if (ini_get('magic_quotes_gpc')) {
        $string = stripslashes($string);
    }

    // remove whitespace from the beginning and end of the string,
    // then apply htmlentities and mysql escape
    $string = mysql_real_escape_string(htmlentities(trim($string)), $c);
    return $string;
}
```

It's important to note that this function results in the same outcome no matter if magic quotes is on or off. trim, htmlentities, and mysql escape are always applied.
Isomerizer (thread author, posted February 18, 2008)
Re: Securing Variables

Thanks Floydian, updated my clean function. :-)
Floydian (posted February 19, 2008)
Re: Securing Variables

You're welcome! I think you came up with the order by rand(), so consider it an even trade :p
Isomerizer (thread author, posted February 27, 2008)
Re: Securing Variables

> You're welcome! I think you came up with the order by rand(), so consider it an even trade :p

Nope, I'm sure that was Deception; he's no longer active on these forums. :-(
Floydian (posted February 27, 2008)
Re: Securing Variables

lol, then you owe me one :p
Decepti0n (posted February 27, 2008)
Re: Securing Variables

Just FYI, you don't/shouldn't use htmlentities when you're entering something. If they edit something in their profile, you should insert the data only escaping any quotes; HTML won't do anything to a database. When you output the info (say in their signature), then use it, to spoil any HTML input they try (like meta redirects or scripts).
Floydian (posted February 28, 2008)
Re: Securing Variables

There are certainly cases where "internal" data in the form of a string is stored in a db, and in that situation I'd certainly not use htmlentities. For instance, when serializing data, applying htmlentities will make the data unusable later on.

In my experience, 99% of the strings I store in a db get displayed at some point. So I fail to see the reason to leave out htmlentities on an escaping function when you know that almost all of the strings you're storing will need the HTML and JavaScript neutralized. It's much better than applying it on a case by case basis where you're bound to miss one somewhere.

I also fail to see why one would escape individual quotes when you can simply apply a mysql_real_escape_string() function. Then again, I've seen numerous mods that someone coded, then sold, and there was no database protection at all, so I guess your method of escaping individual quotes is better than nothing. :-) All those union select deals people have been doing are a case in point...
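The last two posts disagree on whether to HTML-encode at storage time or at output time. The following is an added example, not code from the thread: it stores a constructed profile record unmodified and escapes each value only when rendering, choosing the encoding by the context the value lands in (HTML text, HTML attribute, URL query string), validates a user-supplied link rather than only escaping it, and shows the concrete breakage Floydian mentions when serialized data is passed through htmlentities() before being stored. The profile values, the helper names escHtml/escUrlParam and the /search.php path are all constructed for the example.

```php
<?php
// Added example (not from the thread): keep submitted data as the user sent it,
// and escape at output time for the context the value lands in. The profile
// record below is constructed for the example; no database is involved.
declare(strict_types=1);

// Constructed profile as it would be stored: raw, apart from SQL parameter binding.
$profile = [
    'signature' => '<meta http-equiv="refresh" content="0;url=http://evil.example/">'
                 . '<script>alert(1)</script> Ben & "friends"',
    'homepage'  => 'javascript:alert(document.cookie)',
    'prefs'     => serialize(['theme' => 'dark', 'tz' => 'Europe/London']),
];

// HTML context (text node or double-quoted attribute). ENT_QUOTES encodes both
// quote kinds; ENT_SUBSTITUTE returns U+FFFD instead of '' on invalid UTF-8.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-string context has its own encoding; HTML escaping is the wrong tool here.
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Signature rendered into the page: the meta refresh and the script become inert text.
function renderSignature(array $profile): string
{
    return '<div class="sig">' . escHtml($profile['signature']) . '</div>';
}

// A user-supplied link needs validation (scheme allow-list) as well as escaping:
// escaping alone leaves a javascript: URL perfectly clickable.
function renderHomepage(array $profile): string
{
    $scheme = parse_url($profile['homepage'], PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '(no valid homepage)';
    }
    return '<a href="' . escHtml($profile['homepage']) . '">homepage</a>';
}

// Same value in two contexts: URL-encoded into the query string first, then the
// whole href HTML-encoded for the attribute, and the visible name HTML-encoded.
function renderSearchLink(string $name): string
{
    $href = '/search.php?user=' . escUrlParam($name);
    return '<a href="' . escHtml($href) . '">posts by ' . escHtml($name) . '</a>';
}

// Why not htmlentities() before storing: a serialized value is one of the
// "internal" strings that stops being usable once its quotes are encoded.
// allowed_classes=false keeps unserialize() from instantiating objects.
function prefsUsable(string $stored): bool
{
    return @unserialize($stored, ['allowed_classes' => false]) !== false;
}

echo renderSignature($profile), "\n";
echo renderHomepage($profile), "\n";
echo renderSearchLink("O'Brien <b>"), "\n";
echo 'raw prefs usable:          ', var_export(prefsUsable($profile['prefs']), true), "\n";
echo 'htmlentities-ed prefs usable: ', var_export(prefsUsable(htmlentities($profile['prefs'])), true), "\n";
```

Run it with the PHP CLI. The rendered signature contains only entity-encoded markup, the javascript: homepage is refused by the scheme check rather than merely escaped, and the search link shows the order of encodings when one value crosses two contexts. The last two lines contrast the raw serialized preferences, which unserialize() accepts, with the same string after htmlentities(), whose double quotes have become `&quot;` so unserialize() rejects it. Escaping once at output, per context, covers every display path the same way a storage-time clean() would, without corrupting strings that are never displayed.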