Cronwerks MCCode/MCCodes Forums

This forum is now closed and has moved to a new location!

AuthorTopic: Anti-SQL injection function  (Read 3841 times)

Arson

Anti-SQL injection function
« on: May 13, 2009, 01:06:50 AM »
This function will automatically secure all $_POST and $_GET variables in your mccodes v1 or v2 game with ease.

For MCCodes v2 you will put this function in globals.php (I think, or some other thing that loads on EVERY page of your game).
For MCCodes v1 you will put this function in header.php inside the startheaders function.

Code:

function anti_inject($campo)
{
    foreach($campo as $key => $val)
    {
        // remove words that contain SQL syntax
        // (sql_regcase() no longer exists in current PHP; the /i modifier gives the same case-insensitive match)
        $val = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i","",$val);

        // Removes html/php tags
        $val = strip_tags($val);

        // Add slashes
        $val = addslashes($val);

        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the var clean
}

// the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);


Note that this just stops members from injecting through the variables. If the variable is supposed to be a number, you will still need to do something like:
Code:
$_POST['variable'] = abs($_POST['variable']);
That will keep members from being able to put numbers like 20E+20.
List of the Best Text Games on the Interwebs!
If you own a game, you need to list it on BestTextGames.com

Miniman

Re: Anti-SQL injection function
« Reply #1 on: May 13, 2009, 01:45:18 AM »
What is it with people taking the easy way out?
Why don't you just secure every page? There are plenty of help sites out there...

Arson

Re: Anti-SQL injection function
« Reply #2 on: May 13, 2009, 01:47:20 AM »
What is it with people taking the easy way out?
Why don't you just secure every page? There are plenty of help sites out there...

That doesn't really make a lot of sense.
The less code you have packed into your scripts the better.

Also, why would you do something the hard way if there is an easy way that is more efficient?
My way, if you make something and forget to secure a variable, no biggie, it's already secure.

Miniman

Re: Anti-SQL injection function
« Reply #3 on: May 13, 2009, 01:53:07 AM »
But it's not secure; fair enough, it may be a tiny bit of an adjustment to the code that could work if you had a 5 year old rooting around for some fun on your site.
But dropping tables and manipulating the WHERE clause isn't the only thing you can do, or gain access with. You need to escape some of the data being input, not just match it and make sure there are no certain words in there :)

Arson

Re: Anti-SQL injection function
« Reply #4 on: May 13, 2009, 01:55:08 AM »
Code:

function anti_inject($campo)
{
    foreach($campo as $key => $val)
    {
        //escape the var
        $val = mysql_real_escape_string($val);

        //Removes tags html/php
        $val = strip_tags($val);

        //Add slashes
        $val = addslashes($val);

        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the var clean
}

//the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);


Yeah I noticed that Miniman.
Fixed.

Arson

Re: Anti-SQL injection function
« Reply #5 on: May 13, 2009, 01:57:11 AM »
You could also probably just do this:

Code:
function anti_inject($campo)
{
    foreach($campo as $key => $val)
    {
        $val = mysql_real_escape_string($val);
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the var clean
}

//the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);

Miniman

Re: Anti-SQL injection function
« Reply #6 on: May 13, 2009, 01:57:32 AM »
htmlentities()

I think it could be used as a nice reassurance, like you said if I missed something then this would still be there working in the background.
Also good for someone who doesn't know how to secure their scripts  :P

Arson

Re: Anti-SQL injection function
« Reply #7 on: May 13, 2009, 01:58:31 AM »
Any way you want to do it.
I'm just trying to help some people out.

Miniman

Re: Anti-SQL injection function
« Reply #8 on: May 13, 2009, 02:00:40 AM »
function anti_inject($campo)
{
    // $_POST and $_GET are arrays, so apply the chain to each value rather than to the array itself
    return array_map(function ($val) {
        return htmlentities(mysql_real_escape_string(trim($val)));
    }, $campo);
}

$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);

Arson

Re: Anti-SQL injection function
« Reply #9 on: May 13, 2009, 02:01:17 AM »
 ;)

Miniman

Re: Anti-SQL injection function
« Reply #10 on: May 13, 2009, 02:08:28 AM »
There we go, now we have something  ::)

Miniman

Re: Anti-SQL injection function
« Reply #11 on: May 13, 2009, 02:14:05 AM »
I just tried it, and they both failed to do anything (used on well known injections)
Might need urlencode()

function anti_inject($campo)
{
    foreach($campo as $key => $val)
    {
        $val = mysql_real_escape_string(htmlentities(urlencode($val)));
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the var clean
}

//the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);



That works :)

strats

Re: Anti-SQL injection function
« Reply #12 on: May 13, 2009, 04:13:41 AM »
You sure? lol
And that's the code to put in globes?
Where is the best place for me to place it?
top of the page?

Arson

Re: Anti-SQL injection function
« Reply #13 on: May 13, 2009, 04:44:42 AM »
You sure? lol
And that's the code to put in globes?
Where is the best place for me to place it?
top of the page?

This works.

Code:
function anti_inject($campo)
{
    foreach($campo as $key => $val)
    {
        $val = mysql_real_escape_string($val);
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the var clean
}

//the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);

Put it by itself, not in something else's brackets. In globals.php should be fine; you can put it at the very bottom of the script right before ?> if that makes it easier :)

I wouldn't use Miniman's thing since it has urlencode in it, which changes spaces to + signs. You would have to change the plus signs back into spaces before doing the query, I think, which is pointless.
mysql_real_escape_string has always worked for me.
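Every variant in this thread (the keyword blacklist in the opening post, the mysql_real_escape_string() wrapper in Reply #13, and the abs() advice for numeric fields) filters all of $_POST and $_GET globally before any query is written. The following is an added example, not code from this thread or from the MCCodes project. It runs the opening post's blacklist over a constructed, entirely legitimate player message to show what a global filter does to ordinary text, shows the urlencode() side effect Reply #13 describes, and then shows the alternative a defender would reach for: validate each value by type at the point where it is used and hand it to the database as a bound parameter of a prepared statement, so the value is never spliced into the SQL string at all. It uses PDO with an in-memory SQLite database so it runs offline; the messages table, the function names blacklist_filter, parse_id, store_message and fetch_message, the field names and the sample input are all assumptions of this example.

```php
<?php
// Added example (not from this thread or the MCCodes project).
// Requires PHP 7.1+ with the pdo_sqlite extension; no MySQL server is needed.
declare(strict_types=1);

// The opening post's blacklist, rewritten for current PHP: sql_regcase() is gone,
// the /i modifier gives the same case-insensitive match. The pattern is the thread's own.
function blacklist_filter(string $val): string
{
    $val = preg_replace('/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i', '', $val);
    return addslashes(strip_tags($val));
}

// Numeric input: accept only a plain non-negative decimal integer.
// filter_var() returns false for "20E+20", "12abc", "1 OR 1=1", floats and arrays.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Text input: length-check it, then bind it. The driver sends the value separately
// from the SQL text, so quotes, backslashes and SQL keywords are stored verbatim and
// cannot change the statement's structure.
function store_message(PDO $db, int $senderId, string $body): int
{
    if ($body === '' || strlen($body) > 500) {   // byte length; an assumed limit
        throw new InvalidArgumentException('message body must be 1..500 bytes');
    }
    $stmt = $db->prepare('INSERT INTO messages (sender_id, body) VALUES (:sender, :body)');
    $stmt->bindValue(':sender', $senderId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetch_message(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, sender_id INTEGER NOT NULL, body TEXT NOT NULL)');

// Constructed sample input, shaped like $_POST from an ordinary player (assumed field names).
$post = [
    'sender' => '42',
    'body'   => "Selector here, I came from Paris -- see you in-game *waves*",
];

// 1. What the global blacklist does to legitimate text: "Select", "from", "--" and "*"
//    are all on the list, so the player's name and part of the sentence are cut out.
echo "blacklisted: ", blacklist_filter($post['body']), "\n";

// 2. urlencode(), as Reply #13 notes, rewrites the spaces before the text is stored.
echo "urlencoded:  ", urlencode("I came from Paris"), "\n";

// 3. Validate by type at the point of use, then bind: the text is stored exactly as typed.
$senderId = parse_id($post['sender']);
if ($senderId === null) {
    exit("rejected: sender is not a plain integer\n");
}
$rowId = store_message($db, $senderId, $post['body']);
echo "stored:      ", fetch_message($db, $rowId), "\n";

// 4. Values the abs() step is meant to deal with are rejected before any query runs.
var_dump(parse_id('20E+20'));
var_dump(parse_id('7'));
```

Running it shows the blacklist turning the name "Selector" into "or" and dropping "from", "--" and both asterisks from the message, urlencode() producing I+came+from+Paris, and the bound-parameter path returning the message unchanged, while parse_id('20E+20') yields NULL and parse_id('7') yields int(7). The point for anyone maintaining a game like this: a filter applied to every request has to guess what each value is for, so it either mangles legitimate input or lets something through, whereas a prepared statement with typed binding works per query and does not depend on anyone remembering to sanitise the variable first.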

Miniman

Re: Anti-SQL injection function
« Reply #14 on: May 13, 2009, 09:30:28 AM »
Worked for me with no 1 test ;)
BUT,  I will figure something better :)