MakeWebGames

An introduction to security


Guest Anonymous


Re: An introduction to security

When I code for myself, I always have E_ALL set.

The biggest thing that comes up is undefined variables (for me at least).

If you have POST, GET, or REQUEST vars on the page, you should check if they were submitted by using the isset() function.

 

if(!isset($_POST['......'])) {
// either put an error message and die, or set a default
} else {
$...... = $_POST['........'];
}

 

The point of that bit of code is that any POST var is checked if it "isset" and if it is, store it in a local variable. Then you should only be using local variables after the POST, GET, or REQUEST arrays have been checked. It actually makes code easier to read as well.

 

mysql_query("update {$_POST['......']} set blah = '{$_POST['......']}' where foo = '{$_POST['......']}'");

or

mysql_query("update $...... set blah = '$........' where foo = '$.........'");

 

Maybe it's just me though... :P

(no this example isn't meant to convey secure db querying...., it's just an example of readability)
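As an added example (not code from the post above), here is the same idea carried through: every request field is read once through an isset() check into a local variable with a default, and only those locals are used afterwards. It goes one step beyond the post by binding the locals as query parameters. The helper name requestField() and the in-memory SQLite table are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Reads request fields through one
// helper so the rest of the page only touches checked local variables, then
// uses those variables in a parameterised query.
declare(strict_types=1);
error_reporting(E_ALL);

// Return a submitted string field, or $default when it is absent.
// requestField() is a hypothetical helper; the post uses inline isset() checks.
function requestField(array $source, string $key, ?string $default = null): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

// Constructed sample submission standing in for $_POST.
$post = ['userid' => '42', 'name' => 'Alice'];

$userid = requestField($post, 'userid');        // required field
$name   = requestField($post, 'name', '');      // optional, default ''
$bio    = requestField($post, 'bio', '');       // absent: default, no E_NOTICE

if ($userid === null || !ctype_digit($userid)) {
    http_response_code(400);
    exit('Missing or invalid user id.');
}
$userid = (int) $userid;

// In-memory SQLite database constructed for the demo; a real game would
// already hold an open connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (userid, name, bio) VALUES (42, 'old', '')");

// Only the local, validated variables reach the query, and they travel as
// bound parameters rather than being interpolated into the SQL string.
$stmt = $pdo->prepare('UPDATE users SET name = :name, bio = :bio WHERE userid = :id');
$stmt->execute([':name' => $name, ':bio' => $bio, ':id' => $userid]);

$row = $pdo->query('SELECT name, bio FROM users WHERE userid = 42')->fetch(PDO::FETCH_ASSOC);
print_r($row);
```

With E_ALL on, the missing 'bio' field produces no notice because the helper never reads an unset key, and the query text contains no request data at all.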

Guest Anonymous

Re: An introduction to security

Nope - not just you. I've been using totally sanitized variables in a clean namespace for years now, and yes, not only is it far easier to maintain, it also becomes much easier to read.

Even better - I find that a custom error handler can help here by allowing me to display a clean list of errors at the top of any page but only to me, enabling me to see any errors/warnings that I may have missed, and protecting them from the users' eyes.
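One way to build the handler described above, as an added example rather than the poster's own code: set_error_handler() collects every warning and notice for the request, the list is always written to the server log, and it is rendered at the top of the page only when the viewer is the admin. The $viewerIsAdmin flag and renderErrorBanner() are assumptions for the demo; a real game would derive the flag from the authenticated session.

```php
<?php
// Added example, not code from the thread: collect PHP errors per request and
// show them only to the site owner.
declare(strict_types=1);
error_reporting(E_ALL);

// Errors gathered during this request.
$collectedErrors = [];

function collectError(int $errno, string $errstr, string $errfile, int $errline): bool
{
    global $collectedErrors;
    $message = sprintf('[%d] %s in %s on line %d', $errno, $errstr, basename($errfile), $errline);
    $collectedErrors[] = $message;
    error_log($message);   // always keep a server-side record
    return true;           // handled: suppress PHP's default on-page output
}
set_error_handler('collectError');

// Constructed flag standing in for "the viewer is the admin".
$viewerIsAdmin = true;

// Constructed code that raises errors, as a page with a missed variable would.
$settings = [];
$theme = $settings['theme'];                       // undefined array key
trigger_error('Constructed example warning', E_USER_WARNING);

// renderErrorBanner() is a hypothetical helper; it escapes each message so the
// banner cannot itself inject markup into the page.
function renderErrorBanner(array $errors, bool $isAdmin): string
{
    if (!$isAdmin || $errors === []) {
        return '';
    }
    $items = array_map(
        fn(string $e): string => '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>',
        $errors
    );
    return '<ul class="dev-errors">' . implode('', $items) . "</ul>\n";
}

echo renderErrorBanner($collectedErrors, $viewerIsAdmin);
echo renderErrorBanner($collectedErrors, false);   // ordinary player: nothing shown
```

The handler returns true so PHP does not also print the error inline, which is what keeps file paths and variable names away from players while the admin still sees the full list.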

  • 3 months later...

Re: An introduction to security

I made an account to reply to this post.

Extremely well written. I'm actually looking at your site now to hire you for some development work. Possibly even some tutoring. Well done indeed. Extremely resourceful. Bookmarked.

  • 2 months later...

Re: An introduction to security

Thanks Haunted, That Did It But 1 Don't Work By Using 'isset()'

It's This One

if ($dosessh && ($_SESSION['attacking'] || $ir['attacking']))

 

^^

I Change To This

if isset($dosessh && ($_SESSION['attacking'] || $ir['attacking']))

I Also Changed It To Many Others, Can't Find A Solution


Re: An introduction to security

Sorry I Think I Forgot To Post Enough.

Now Using Your Code It Makes You Lose All Your Exp, And Displays 'You Lost All Your Exp For Running From The Fight'

I Am Using This Code.

if(isset($dosessh) && (isset($_SESSION['attacking']) || isset($ir['attacking'])))
{
print "You lost all your exp for running from the fight.";
$db->query("UPDATE users SET exp=0, attacking=0 WHERE userid=$userid");
$_SESSION['attacking']=0;
}

 

Thanks For Your Help Haunted, +1
