MakeWebGames

Sql Injections?


Dave


I'm opening a new game (not publishing the URL yet), but can anyone send me the scripts or post them below (so all CE users can use them)? I would like the one to stop injecting into cmarket.php, which I know is on this forum somewhere but I can't track it down, and the one that stops SQL injections into forums, and if you have any other scripts, like for the header and register, that would be great. Thanks.

If you require payment I may be able to set you up with some good hosting if you've got what I want.

BTW I'm talking about McCodes V.2.


Re: Sql Injections?

Why stop at the markets and forums? Any time data is passed from the user to the system it needs to be checked to make sure it's safe. I use the following functions to check all data passed.

<?php
// Check $_POST number: accept only a string of digits and return it as an int.
// The pattern is anchored with /D so a trailing newline cannot slip through.
// The original passed $_POST[$key] to SecureError, which raises an
// undefined-index notice when the key is missing, so the key is passed instead.
function SecureNumPost($key)
{
	if (isset($_POST[$key]) && is_string($_POST[$key]) && preg_match('/^\d+$/D', $_POST[$key]))
	{
		return intval($_POST[$key]);
	}
	SecureError($key);
}

// Check $_GET number
function SecureNumGet($key)
{
	if (isset($_GET[$key]) && is_string($_GET[$key]) && preg_match('/^\d+$/D', $_GET[$key]))
	{
		return intval($_GET[$key]);
	}
	SecureError($key);
}

// Check $_POST text. This only undoes magic quotes where they exist (the
// feature was removed in PHP 5.4 and the function itself in PHP 8.0); it does
// not escape the value for SQL, so the query code still has to handle that.
function SecureTextPost($key)
{
	if (isset($_POST[$key]) && is_string($_POST[$key]))
	{
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
		{
			return stripslashes($_POST[$key]);
		}
		return $_POST[$key];
	}
	SecureError($key);
}

// Check $_GET text
function SecureTextGet($key)
{
	if (isset($_GET[$key]) && is_string($_GET[$key]))
	{
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
		{
			return stripslashes($_GET[$key]);
		}
		return $_GET[$key];
	}
	SecureError($key);
}

// Deal with errors from security checks: stop the request outright
function SecureError($key)
{
	die("You have tried passing invalid information through our system.");
}
?>

Re: Sql Injections?

No offense to TwiztedFake, but applying a humongous function to the entire GET and POST array just seems a bit inefficient, and would likely cause people to feel safer than they really are.

It's better to custom tailor validation in every instance than attempt to make one catch all.


sample code to validate a number:

if (!isset($_GET['id']) or (int) $_GET['id'] < 1) {
    echo "Please submit a valid number.";
    exit; // without this the script would carry on with a bad id
}
settype($_GET['id'], 'int');

settype could cast the variable to a float by changing the 'int' to 'float'.


That's it for numeric fields.

For string fields, protecting your database is really as simple as using the mysql_real_escape_string() function.

If you don't know this function, I'm not even going to tell you what it does, because I want you to read as much as you can possibly stand to read about it on the PHP site.

You really really really really need to know exactly what this does, and you really really really really must know exactly why it's used, and if you can't be bothered to look it up, stop coding now, immediately! Or get ready for problems. ;)

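An added example (not code from any post in this thread, nor from McCodes) of the per-field approach this reply argues for: each input is checked on its own terms, and the query is a mysqli prepared statement, which is what replaces the mysql_real_escape_string() approach in current PHP. The table and column names, the function names and the `$db` connection are assumptions.

```php
<?php
// Added example, not code from this thread or from McCodes. Per-field checks
// for a hypothetical cmarket.php handler, then a mysqli prepared statement so
// the user's values never become part of the SQL text. The table/column names
// (cmarket, id, item_name, price) and $db are assumptions.
declare(strict_types=1);

/** Positive integer from a request array, or null. ctype_digit rejects "",
 *  "-1", "1e3", "5 OR 1=1" and anything that is not a string of digits. */
function readPositiveInt(array $src, string $key): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key]) || !ctype_digit($src[$key])) {
        return null;
    }
    $n = (int) $src[$key];
    return $n >= 1 ? $n : null;
}

/** Bounded single-line string, or null. This does no SQL escaping: the
 *  prepared statement below is what keeps the value out of the query text. */
function readShortText(array $src, string $key, int $max = 64): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $s = $src[$key];
    return ($s !== '' && strlen($s) <= $max && !preg_match('/[\r\n\0]/', $s)) ? $s : null;
}

/** Listings matching a name at or below a price; bound as string and int. */
function searchListings(mysqli $db, string $name, int $maxPrice): array
{
    $stmt = $db->prepare('SELECT id, item_name, price FROM cmarket WHERE item_name = ? AND price <= ?');
    $stmt->bind_param('si', $name, $maxPrice);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Handler usage: reject early and stop, rather than echoing a message and continuing.
$name  = readShortText($_GET, 'item');
$price = readPositiveInt($_GET, 'max_price');
if ($name === null || $price === null) {
    http_response_code(400);
    exit('Please submit a valid item name and price.');
}
// $rows = searchListings($db, $name, $price);  // $db: an open mysqli connection
```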


Re: Sql Injections?

That's part of the point of me saying that all these huge custom validation functions are most of the time pointless. Especially when they are meant to act globally, i.e., filtering the GET and POST array on every page load. How terribly inefficient lol.


And yes, PHP has some excellent built in functions.

The ctype functions are excellent at picking out certain data types, and there are a number of "is_[type]" functions where type could be null, integer, float, array, and so on. isset() is one I use A LOTTTT. Especially with if (!isset()), because then I know the variable isn't set. It does make a big deal.

Beginning in PHP 5.2, the filter library is part of the default PHP code. filter is extremely powerful. Imagine validating email without the need for regex functions lol.

The same can be done for URLs and much more. PHP is very powerful on its own, and making it more complicated than it has to be is just silly. And Nyna knows I don't like to do that lol.


Guest Anonymous

Re: Sql Injections?

Hehe, agreed.

Although I will stick to regular expressions... Why? Simple: I can see *exactly* what I'm doing. In high security environments, which I have the pleasure? of working in from time to time, I want to make sure that the validation routines are well documented. The filter functions are a relatively new addition, and being frank, I don't think much of them.

preg_match( ) .. FTW :D


Re: Sql Injections?

e-mail filtering is as easy as:

$email = $_REQUEST["e"] ?? '';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) {
    echo "Invalid e-mail address!";
}
else {
    /* do something */
}

So far I have found no problems with it, even though some people say it will not filter some addresses with double or triple @ characters (I tried many variations and all were filtered properly). For URL validation there are some problems, though. Example:

<?php
$url = 'http://...';
var_dump(filter_var($url, FILTER_VALIDATE_URL));
?>

Will display: string(10) "http://..."

http://www.php.net/manual/en/ref.filter.php

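An added example, not code from this post or from the PHP manual page it links, showing how a practitioner would wrap filter_var() so that a URL which passes FILTER_VALIDATE_URL on syntax alone is then also checked for an allowed scheme and a hostname that satisfies FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME (PHP 7.0 or later). The helper names are assumptions; the 'http://...' input is the one from the post and the other inputs are constructed.

```php
<?php
// Added example, not code from the thread. Extra checks on top of filter_var()
// for URLs, next to the plain e-mail check the thread recommends.
// Helper names (validEmail, validHttpUrl) are assumptions.
declare(strict_types=1);

function validEmail(string $email): ?string
{
    $v = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validHttpUrl(string $url, array $schemes = ['http', 'https']): ?string
{
    // First gate: shape of a URL according to FILTER_VALIDATE_URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only the schemes the application is willing to follow.
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) {
        return null;
    }
    // Hostname labels per RFC 1123: rejects hosts made of dots or starting with '-'.
    if (filter_var($parts['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    return $url;
}

// Constructed inputs; "http://..." is the case raised in the thread.
foreach (['http://...', 'http://example.com/path?x=1', 'javascript:alert(1)', 'not a url'] as $u) {
    printf("%-30s %s\n", $u, validHttpUrl($u) === null ? 'rejected' : 'accepted');
}
foreach (['user@example.com', 'a@@b.com'] as $e) {
    printf("%-30s %s\n", $e, validEmail($e) === null ? 'rejected' : 'accepted');
}
```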


Re: Sql Injections?

Interesting. Is that really an invalid http address? I've seen Firefox return error messages along the lines of "this url cannot be resolved" or something to that effect, but with that, I just get the "server not found" error page. I'm probably wrong, but it seems Firefox has no problem with the syntax of that URL.


Re: Sql Injections?

Problem is that .php will not treat it like an error ... no error means nothing to trigger messages like "geeeeeeez man please type your url properly, just once, plizzzzzzzz!" ... the user would think all is fine and go away ... it's about the script's response, not about the validity of the URL.


Guest Anonymous

Re: Sql Injections?

I'm assuming you are thinking of looking for .php then?

OOPS ;)

I generally use php for source files *outside* of the document root, and phtml or sometimes even the html extension (I control my server, therefore I can handle the types correctly).

In fact, if you look at my site, it's all SEO - no .php, .phtml, .html ...

Soz - have I just made your life more difficult - tee hee ;)

