MakeWebGames

Securing Variables


Isomerizer

Hey, so I was going to go through my game and attempt to secure all the variables in every file.

Someone said you're supposed to secure every single input variable; I thought only the variables involved in MySQL queries had to be secured. I was wrong.

Anyway, I have learnt the mysql_real_escape_string() function, the striplash() function and the sprintf() function. Will using those functions on variables secure them enough? Or are other functions needed?

Sorry if this sounds dumb, but I have never really learnt too much of the security side of PHP. Now's the time to start.

Thanks.


Re: Securing Variables

You need to clean the POST and GET superglobals.

1. I suppose you mean 'stripslashes'. Why would you want to do this? There is no logic to it.

2. Eh... what does this have to do with security?

Here is a list of functions I use to secure input from users.

htmlspecialchars, htmlentities, urlencode/_decode, mysql_real_escape_string, and a few I cannot remember.


Re: Securing Variables


OK, thanks Ferdi.

I've been reading up about those functions and trying to work out when exactly they're needed...

This is a part of my authenticate.php (DBS v1) that I just rewrote.

 

$username=htmlspecialchars(mysql_real_escape_string($_POST['username']), ENT_QUOTES);
$password=htmlspecialchars(mysql_real_escape_string($_POST['password']), ENT_QUOTES);
$uq=mysql_query("SELECT userid FROM users WHERE login_name='$username' AND `userpass`=md5('$password')",$c) or die(mysql_error());

 

Is this now secure enough? Or am I still missing something?


Re: Securing Variables


$username = mysql_real_escape_string(htmlspecialchars($_POST['username']), $c); // You do not want to strip characters from their username, only encode it. The query still needs it escaped: htmlspecialchars() on its own leaves single quotes alone.
$password = md5($_POST['password']); // screw them...
$uq = mysql_query("SELECT userid FROM users WHERE login_name='$username' AND `userpass`='$password'",$c) or die(mysql_error());
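The following is an added example, not code from this thread or from DBS/mccodes. It takes the login query discussed above and shows two things: why htmlspecialchars() on its own does not protect the query, and what the same lookup looks like with bound parameters. PDO with an in-memory SQLite database stands in for the mysql_*() connection so it runs offline; the table and column names follow the post, the account and the payload are constructed.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite stand in for the
// mysql_*() connection so this runs without a server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, login_name TEXT NOT NULL, userpass TEXT NOT NULL)");

// Constructed sample account. userpass holds md5() only to mirror the post's schema.
$ins = $db->prepare("INSERT INTO users (login_name, userpass) VALUES (?, ?)");
$ins->execute(['admin', md5('correct horse')]);

// (a) The approach in the reply above: HTML-encode the username and drop it into
// the SQL string. htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1,
// which that code relied on) encodes < > & " but leaves the single quote alone,
// so the attacker can still close the string delimiter in the query.
function loginUnsafe(PDO $db, string $username, string $password): ?int
{
    $u = htmlspecialchars($username, ENT_COMPAT);
    $p = md5($password);
    $sql = "SELECT userid FROM users WHERE login_name='$u' AND userpass='$p'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// (b) Bound parameters: the username travels as data and is never parsed as SQL,
// so quotes and comment markers inside it mean nothing to the database.
function loginSafe(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare("SELECT userid FROM users WHERE login_name = ? AND userpass = ?");
    $stmt->execute([$username, md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// Constructed payload: closes the quoted login_name and comments out the rest of
// the WHERE clause, including the password check. The trailing space after "--"
// is what MySQL requires for a comment; SQLite accepts it too.
$attack = "admin'-- ";

printf("unsafe login as %s with a wrong password: %s\n", json_encode($attack),
    loginUnsafe($db, $attack, 'wrong') === null ? 'rejected' : 'AUTHENTICATED');
printf("safe login with the same payload:          %s\n",
    loginSafe($db, $attack, 'wrong') === null ? 'rejected' : 'AUTHENTICATED');
printf("safe login with the real credentials:      %s\n",
    loginSafe($db, 'admin', 'correct horse') === null ? 'rejected' : 'AUTHENTICATED');
```

Run it with `php login_demo.php` (any filename). The first line shows the string-concatenated query accepting the payload without a password; the other two show the prepared statement rejecting the same payload while still accepting the real credentials. The prepared statement fixes only the injection. Storing md5() of the password, as the thread's schema does, is a separate weakness (a fast, unsalted hash); password_hash() and password_verify() are the replacement for that part.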

  • 1 month later...

Re: Securing Variables

 

I think the easiest would be to just create/find a function that does this; then any time you need to clean a string, just run it through the function :)

 

Ben . Oakley...? says (04:09 nm):

function clean($string)
{
    if (ini_get('magic_quotes_gpc') == 'off')
    {
        $string = addslashes($string);
    }
    else
    {
        $string = mysql_real_escape_string(htmlspecialchars(stripslashes(trim($value))));
    }
    return $string;
}

He's not stupid, so stop trying to be clever.


Re: Securing Variables

It's not in this topic, so how would I know he posted that?

I couldn't have known, so there was nothing wrong with my post.

 

Oh, f*ck you, you started it.

Right... care to show me where? I argue with your posts maybe, but I haven't made any personal attacks. So stop taking it personally.


  • 3 months later...

Re: Securing Variables

Not sure what the argument is about, but since this thread is back on top again, you might want to avoid this function:

 

function clean($string)
{
    if (ini_get('magic_quotes_gpc') == 'off')
    {
        $string = addslashes($string);
    }
    else
    {
        $string = mysql_real_escape_string(htmlspecialchars(stripslashes(trim($value))));
    }
    return $string;
}

 

lol. What good does it do to test whether magic quotes is off and addslashes to the string, if when magic quotes IS on you stripslashes, then apply htmlspecialchars and the MySQL escape?

The outcome is totally different depending on whether magic quotes is on or off.

Basically it amounts to this: if magic quotes is off, simulate the effects of magic quotes. If magic quotes is on, compensate for magic quotes by stripping the slashes and applying htmlspecialchars and the MySQL escape.

Secondly, this function is in error because the variable $value is never defined!

Here's a better mccode-type "clean" function:

 

// database escape and htmlentities
function clean($string) {
    global $c;

    // if magic quotes is on, strip the slashes it adds
    if (ini_get('magic_quotes_gpc')) {
        $string = stripslashes($string);
    }

    // remove whitespace from the beginning and end of the string, then apply htmlentities and the mysql escape
    $string = mysql_real_escape_string(htmlentities(trim($string)), $c);

    return $string;
}

 

It's important to note that this function gives the same outcome whether magic quotes is on or off.

trim, htmlentities and the MySQL escape are always applied.


Re: Securing Variables

Just FYI, you don't/shouldn't use htmlentities when you're entering something. If they edit something in their profile, you should insert the data only escaping any quotes; HTML won't do anything to a database.

When you output the info (say in their signature), then use it, to spoil any HTML input they try (like meta redirects or scripts).


Re: Securing Variables

There are certainly cases where "internal" data in the form of a string is stored in a DB, and in that situation I'd certainly not use htmlentities. For instance, when serializing data, applying htmlentities will make the data unusable later on.

In my experience, 99% of the strings I store in a DB get displayed at some point. So I fail to see the reason to leave htmlentities out of an escaping function when you know that almost all of the strings you're storing will need the HTML and JavaScript neutralized. It's much better than applying it on a case-by-case basis, where you're bound to miss one somewhere.

I also fail to see why one would escape individual quotes when you can simply apply the mysql_real_escape_string() function. Then again, I've seen numerous mods that someone coded and then sold with no database protection at all, so I guess your method of escaping individual quotes is better than nothing. :-)

All those UNION SELECT deals people have been doing are a case in point...

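The following is an added example, not code from this thread, illustrating the disagreement in the last two replies: HTML-encoding applied at insert time versus at output time, and what htmlentities() does to serialized internal data. No database is involved; the "stored" values are plain strings and the sample inputs are constructed.

```php
<?php
// Added example (not from the thread). Pure string handling so it runs offline.

// What a user typed into a profile field (constructed).
$signature = '<script>alert(1)</script> Tom & "Jerry"';

// Store as typed. SQL safety comes from a bound parameter (or, in the thread's
// API, mysql_real_escape_string()); that escaping does not alter the stored bytes,
// so what comes back out of the table is exactly what the user typed.
function storeRaw(string $input): string
{
    return $input;
}

// Store already HTML-encoded, as the clean() function earlier in the thread does.
function storeEncoded(string $input): string
{
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}

// The output step. A template should do this to every untrusted value it prints,
// regardless of how the value was stored. Echoing storeRaw() output without this
// is the XSS the reply warns about.
function render(string $fromDb): string
{
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}

// Raw storage + output encoding: the script tag is neutralised exactly once.
$rendered = render(storeRaw($signature));

// Encoded storage + the same template: the & of every entity from the first pass
// is encoded again, so the page shows literal "&lt;script&gt;" instead of "<script>".
$doubleEncoded = render(storeEncoded($signature));

// Internal data: a serialized settings array. htmlentities() rewrites the quote
// characters that serialize() uses as delimiters, so the blob no longer parses.
function roundTripsThroughEncoding(array $data): bool
{
    $blob   = serialize($data);
    $stored = htmlentities($blob, ENT_QUOTES, 'UTF-8');
    return @unserialize($stored) === $data;
}

$survives = roundTripsThroughEncoding(['theme' => 'dark', 'sig' => $signature]);

echo "rendered from raw storage:     $rendered\n";
echo "rendered from encoded storage: $doubleEncoded\n";
echo "serialized array survives htmlentities(): " . ($survives ? 'yes' : 'no') . "\n";
```

Run it with `php encoding_demo.php` (any filename). The first line is the text the user typed, made inert for the browser; the second shows the double encoding you get when a value cleaned on the way in meets a template that (correctly) encodes on the way out; the third shows the serialized-data breakage the last reply mentions. Encoding once, at the point of output, avoids both problems and does not depend on every write path having run the same clean() function.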
