Dave Posted April 12, 2008
I'm opening a new game (not publishing the URL yet), but can anyone send me the scripts or post them below (so all CE users can use them)? I would like the one that stops injection into cmarket.php, which I know is on this forum somewhere but I can't track down, and the one that stops SQL injections into forums. If you have any other scripts, like for the header and register, that would be great. Thanks. If you require payment I may be able to set you up with some good hosting if you've got what I want. BTW, I'm talking about Mccodes V.2.
mdshare Posted April 12, 2008
Re: Sql Injections? Do a forum search and you would be amazed how many times it has been posted already.
Analog Posted April 13, 2008
Re: Sql Injections? Why stop at the markets and forums? Any time data is passed from the user to the system it needs to be checked out to make sure it's safe. I use the following functions to check all data passed.

<?php
// Check $_POST Number
function SecureNumPost($key) {
    // \z rather than $ so a trailing newline is not accepted, and no m/i/s
    // modifiers: with m, "1\nDROP TABLE" would match on its first line
    if (isset($_POST[$key]) && is_string($_POST[$key]) && preg_match('`^\d+\z`', $_POST[$key])) {
        return intval($_POST[$key]);
    }
    SecureError($key);
}

// Check $_GET Number
function SecureNumGet($key) {
    if (isset($_GET[$key]) && is_string($_GET[$key]) && preg_match('`^\d+\z`', $_GET[$key])) {
        return intval($_GET[$key]);
    }
    SecureError($key);
}

// Check $_POST Text
function SecureTextPost($key) {
    if (isset($_POST[$key]) && is_string($_POST[$key])) {
        // get_magic_quotes_gpc() no longer exists in PHP 8; the function_exists()
        // guard keeps this running there (magic quotes are simply never on)
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            return stripslashes($_POST[$key]);
        }
        return $_POST[$key];
    }
    SecureError($key);
}

// Check $_GET Text
function SecureTextGet($key) {
    if (isset($_GET[$key]) && is_string($_GET[$key])) {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            return stripslashes($_GET[$key]);
        }
        return $_GET[$key];
    }
    SecureError($key);
}

// Deal with errors from security checks. Takes the key name, not the value:
// reading $_POST[$key] when it is not set raised an undefined-index notice.
function SecureError($key) {
    die("You have tried passing invalid information through our system.");
}
?>
Floydian Posted April 13, 2008
Re: Sql Injections? No offense to TwiztedFake, but applying a humongous function to the entire GET and POST array just seems a bit inefficient, and would likely cause people to feel safer than they really are. It's better to custom tailor validation in every instance than attempt to make one catch-all. Sample code to validate a number:

// ctype_digit() rejects non-numeric strings outright; on PHP 8 a bare
// "$_GET['id'] < 1" compares 'abc' as a string and would let it through
if (!isset($_GET['id']) || !ctype_digit($_GET['id']) || $_GET['id'] < 1) {
    echo "Please submit a valid number.";
    exit; // stop here rather than fall through and use the bad value
}
settype($_GET['id'], 'int');

settype could cast the variable to a float by changing the 'int' to 'float'. That's it for numeric fields. For string fields, protecting your database is really as simple as using the mysql_real_escape_string() function. If you don't know this function, I'm not even going to tell you what it does, because I want you to read as much as you can possibly stand to read about it on the PHP site. You really really really really need to know exactly what this does, and you really really really really must know exactly why it's used, and if you can't be bothered to look it up, stop coding now, immediately! Or get ready for problems. ;)
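An added example, not code from this thread or from McCodes, that puts the two posts above side by side: a cmarket-style item lookup built by string concatenation, then the same lookup with per-field validation and a bound parameter, plus a string-field search done the same way. It runs against an in-memory SQLite database through PDO so no MySQL server is needed; the `items` table, its rows, the payloads and the function names (`make_db`, `find_item_unsafe`, `find_item_safe`, `search_items_safe`) are all constructed for this demo.

```php
<?php
// Added example (not code from this thread or from McCodes): a cmarket-style
// item lookup built by string concatenation next to the same lookup with
// per-field validation and a bound parameter. Runs against an in-memory
// SQLite database through PDO, so no MySQL server is needed. The items
// table, its rows and the attack payloads are constructed for this demo.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
    $db->exec("INSERT INTO items VALUES (1, 'Rusty Sword', 'dave'),
                                        (2, 'Health Potion', 'analog'),
                                        (3, 'Admin Token', 'admin')");
    return $db;
}

// Vulnerable: the request value goes straight into the SQL text, so the
// attacker controls the WHERE clause.
function find_item_unsafe(PDO $db, string $id): array {
    $sql = "SELECT id, name FROM items WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the field for exactly what it must be (a positive
// integer), then bind it as a typed parameter so it is never parsed as SQL.
function find_item_safe(PDO $db, string $id): array {
    if (!ctype_digit($id) || (int) $id < 1) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String field (a forum search, say): a bound parameter replaces manual
// escaping. LIKE wildcards are escaped too, so the user cannot widen the match.
function search_items_safe(PDO $db, string $term): array {
    $stmt = $db->prepare("SELECT id, name FROM items WHERE name LIKE :pat ESCAPE '\\'");
    $pat = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bindValue(':pat', $pat, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$payload = '1 OR 1=1';            // classic integer-field injection
$rows = find_item_unsafe($db, $payload);
echo "unsafe lookup with '$payload' returned " . count($rows) . " rows (every item)\n";
try {
    find_item_safe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "safe lookup with '$payload' rejected: " . $e->getMessage() . "\n";
}
echo "safe lookup with '2': " . json_encode(find_item_safe($db, '2')) . "\n";
$term = "' OR '1'='1";            // string-field injection attempt
echo "safe search for " . json_encode($term) . " returned " . count(search_items_safe($db, $term)) . " rows\n";
```

Run it with `php` on any build that has the pdo_sqlite extension (the default in most distributions). The unsafe lookup hands back all three rows for `1 OR 1=1`, the validated one refuses the input before a query is built, and the quoted-string payload in the search is just a literal with no matches. Two caveats for anyone following the thread on a current interpreter: the `mysql_*` functions, including `mysql_real_escape_string()`, were removed in PHP 7 and `get_magic_quotes_gpc()` in PHP 8, so the bound-parameter form above (the same pattern exists in mysqli) is the replacement for the escaping advice, not an addition to it.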
overklokan Posted April 24, 2008
Re: Sql Injections? No one speaking about PHP's built-in functions to do the job? http://www.phpro.org/tutorials/Filterin ... h-PHP.html http://devzone.zend.com/node/view/id/1113
Floydian Posted April 24, 2008
Re: Sql Injections? That's part of the point of me saying that all these huge custom validation functions are most of the time pointless. Especially when they are meant to act globally, i.e., filtering the GET and POST array on every page load. How terribly inefficient lol. And yes, PHP has some excellent built-in functions. ctype functions are excellent at picking out certain data types, there are a number of "is_[type]" functions where type could be null, integer, float, array, and so on. isset() is one I use A LOTTTT. Especially with if (!isset()) because then I know the variable isn't set. It does make a big deal. Beginning in PHP 5.2, the filter library is part of the default PHP code. filter is extremely powerful. Imagine validating email without the need for regex functions lol. The same can be done for URLs and much more. PHP is very powerful on its own, and making it more complicated than it has to be is just silly. And Nyna knows I don't like to do that lol
Guest Anonymous Posted April 24, 2008
Re: Sql Injections? Hehe, agreed. Although I will stick to regular expressions... Why? Simple - I can see *exactly* what I'm doing. In high security environments which I have the pleasure? of working in from time to time, I want to make sure that the validation routines are well documented. The filter functions are a relatively new addition, and being frank, I don't think much of them. preg_match( ) .. FTW :D
Floydian Posted April 25, 2008
Re: Sql Injections? Nothing wrong with that. We'll flesh them out for you ;) Or I will if no one else will lol.
Guest Anonymous Posted April 25, 2008
Re: Sql Injections? LMAO - Nortiness :D
overklokan Posted April 26, 2008
Re: Sql Injections? E-mail filtering is as easy as:

// isset() guard so a missing parameter does not raise a notice
$email = isset($_REQUEST['e']) ? $_REQUEST['e'] : '';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) {
    echo "Invalid e-mail address!";
} else {
    // do something
}

So far I found no problems with it, even though some people say it will not filter some addresses with double or triple @ characters (I tried many variations and all were filtered properly) ... For URL validation there are some problems though, example:

<?php
$url = 'http://...';
var_dump(filter_var($url, FILTER_VALIDATE_URL));
?>

Will display: string(10) "http://..." http://www.php.net/manual/en/ref.filter.php
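An added example, not code from this thread, covering the regex-versus-filter discussion in the two posts above: the same constructed inputs are run through `filter_var()` and through a documented `preg_match()` whitelist so the two can be compared, including the `http://...` case and a trailing-newline case that a `$`-anchored pattern (like the `^\d+$` used earlier in the thread) accepts. The function names (`email_filter`, `email_regex`, `url_filter`, `url_regex`), the `LABEL` constant and every test string are my own; nothing is looked up or fetched.

```php
<?php
// Added example (not code from this thread): the same inputs run through
// filter_var() and through a documented preg_match() whitelist, so the two
// approaches argued for above can be compared side by side. All inputs are
// constructed test strings; no DNS lookup or network access happens.

// One hostname label in RFC 1123 syntax: alphanumerics and hyphens, no
// leading or trailing hyphen, at most 63 characters.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';

function email_filter(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

function url_filter(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_URL) !== false;
}

// Regex version: a conservative subset of RFC 5322, which is what a
// registration form actually wants. \z (not $) so a trailing newline fails.
function email_regex(string $s): bool {
    $re = '~^[a-z0-9._%+-]{1,64}@' . LABEL . '(?:\.' . LABEL . ')+\z~i';
    return preg_match($re, $s) === 1;
}

// Regex version: only http/https, a dotted hostname, optional port, optional
// path/query/fragment. Unlike FILTER_VALIDATE_URL this pins the scheme.
function url_regex(string $s): bool {
    $re = '~^https?://' . LABEL . '(?:\.' . LABEL . ')+(?::\d{1,5})?(?:[/?#][^\s]*)?\z~i';
    return preg_match($re, $s) === 1;
}

// Constructed test strings.
$cases = [
    'user@example.com',
    'user@@example.com',                    // double @
    'a@b@c@example.com',                    // triple @
    "user@example.com\n",                   // trailing newline
    'http://example.com/cmarket.php?ID=1',
    'http://...',                           // the case raised above
    'javascript://example.com/%0Aalert(1)', // has a host, so only the scheme gives it away
];

printf("%-44s %-13s %-12s %-11s %-10s\n", 'input', 'email:filter', 'email:regex', 'url:filter', 'url:regex');
foreach ($cases as $c) {
    printf("%-44s %-13s %-12s %-11s %-10s\n", json_encode($c),
        var_export(email_filter($c), true), var_export(email_regex($c), true),
        var_export(url_filter($c), true), var_export(url_regex($c), true));
}
```

Two things the table makes visible. `FILTER_VALIDATE_URL` checks syntax only and does not restrict the scheme, so anything that will be echoed into an `href` needs an explicit scheme check like the one in `url_regex()` regardless of which validator you pick. And the `http://...` result is version dependent: later PHP releases added hostname checks to `FILTER_VALIDATE_URL`, so a current interpreter rejects it where the 2008 build quoted above accepted it, which is exactly why a documented regex has the advantage the previous post argues for: its behaviour is fixed by what you wrote, not by which PHP is installed.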
Floydian Posted May 6, 2008
Re: Sql Injections? Interesting. Is that really an invalid http address? I've seen Firefox return error messages along the lines of "this URL cannot be resolved" or something to that effect, but with that, I just get the "server not found" error page. I'm probably wrong, but it seems Firefox has no problem with the syntax of that URL.
overklokan Posted May 6, 2008
Re: Sql Injections? The problem is that PHP will not treat it as an error ... no error means nothing to trigger messages like "geeeeeeez man please type your url properly, just once, plizzzzzzzz!" ... the user would think all is fine and go away ... it's about the script's response, not about the validity of the URL.
Floydian Posted May 7, 2008
Re: Sql Injections? I hear where you're coming from ;) Of course, if you wanted to know if the page is a .php page, you can regex that after using the filter to validate the URL as a valid URL ;)
Guest Anonymous Posted May 7, 2008
Re: Sql Injections? I'm assuming you are thinking of looking for .php then? OOPS ;) I generally use php for source files *outside* of the document root, and phtml or sometimes even the html extension (I control my server, therefore I can handle the types correctly). In fact, if you look at my site, it's all SEO - no .php, .phtml, .html ... Soz - have I just made your life more difficult - tee hee ;)