Page 1 of 2
one function for all security threats?
Posted: Mon Feb 26, 2007 6:37 pm
by benyboi
Is there a function which I can pass a variable through that will remove security threats etc.? If not, can someone point me in the right direction for this.
Thanks
Posted: Mon Feb 26, 2007 6:49 pm
by Luke
yea it's awesome_magical_super_wonder_function()
Here's a good place to start:
viewtopic.php?t=29269
Posted: Mon Feb 26, 2007 6:53 pm
by benyboi
haha

thanks
Posted: Mon Feb 26, 2007 7:12 pm
by benyboi
Anyone got any pieces of code which I can try and inject into my site?
thanks
Posted: Mon Feb 26, 2007 7:20 pm
by Jenk
benyboi wrote: Anyone got any pieces of code which I can try and inject into my site? Thanks
You will be hard pushed to find anything of that sort from here.

Posted: Mon Feb 26, 2007 7:40 pm
by Christopher
The Ninja Space Goat wrote: yea it's awesome_magical_super_wonder_function()
That has been deprecated ... use:
awesome_magical_real_super_wonder_function([mixed $pixiedust])
Seriously, what security measures to take depends on where the data is coming from and where it is going to.
Posted: Mon Feb 26, 2007 7:43 pm
by benyboi
Checking a variable which defines what page is to be loaded,
e.g. index.php?page=blah
where the 'blah' bit needs to be checked.
Posted: Mon Feb 26, 2007 7:47 pm
by Christopher
Now we know where the data is from. What are you going to do with $_GET['blah']?
Posted: Mon Feb 26, 2007 7:52 pm
by benyboi
That's what I was hoping you could help me with!
Posted: Mon Feb 26, 2007 7:56 pm
by feyd
Let me rephrase what arborint asked: Where are you going to put the data now that you have it in $_GET['blah']?
Posted: Mon Feb 26, 2007 7:58 pm
by Christopher
No ... I mean how do you want to use the value. For example, there are cases where you don't need to do anything, like:
But if you want to echo the value then:
Or to save in a MySQL database:
// Escapes the string for the current MySQL connection; $id is assumed to be an integer that was validated earlier.
$sql = "UPDATE mytable SET blah='" . mysql_real_escape_string($_GET['blah']) . "' WHERE id=$id";
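The point Christopher is making above is that the same value needs a different treatment for each destination. The following is an added example, not code from the thread: it takes one constructed attacker string and shows the HTML-output treatment (htmlspecialchars) beside the database treatment (a bound parameter through PDO, used here instead of the mysql_real_escape_string call in the post). The table name mytable and column blah follow the post; the in-memory SQLite database and the pdo_sqlite extension it needs are assumptions so the script runs offline.

```php
<?php
// Added example (not from the original thread): the same untrusted value
// handled per destination. Escaping for HTML output and parameterised SQL
// are separate defences; neither substitutes for the other.
// Uses PDO with an in-memory SQLite database so it runs offline (needs the
// pdo_sqlite extension); table and column names are made up for the demo.

declare(strict_types=1);

/** Escape a value for insertion into an HTML text node or quoted attribute. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Store the value with a bound parameter: no string concatenation into SQL. */
function saveBlah(PDO $db, int $id, string $blah): void
{
    $stmt = $db->prepare('UPDATE mytable SET blah = :blah WHERE id = :id');
    $stmt->bindValue(':blah', $blah, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, blah TEXT)');
$db->exec("INSERT INTO mytable (id, blah) VALUES (1, 'original'), (2, 'untouched')");

// Constructed attacker input, standing in for $_GET['blah'].
$blah = "x' OR 1=1; --<script>alert(1)</script>";

// Destination: HTML page. Only the escaped form is safe to echo.
echo "<p>You asked for: " . html($blah) . "</p>\n";

// Destination: database. The payload is stored as plain data and row 2 is
// not touched, because the quote and the comment marker never reach the parser.
saveBlah($db, 1, $blah);
foreach ($db->query('SELECT id, blah FROM mytable ORDER BY id') as $row) {
    printf("%d: %s\n", $row['id'], $row['blah']);
}
```

Run it with `php example.php`: the first line prints the value with `'`, `<` and `>` encoded, and the table dump shows row 1 holding the whole payload literally while row 2 still reads "untouched". Note that the value stored in the database is still raw; it must be escaped again with html() whenever it is later echoed, because escaping belongs to the output context, not to storage.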
Posted: Mon Feb 26, 2007 8:17 pm
by benyboi
Ahh, I get you...
That made me think, though: I will use a case statement and have all the page names in there, and if the user puts in something bad the value won't do anything harmful!
Hope that works.
Posted: Mon Feb 26, 2007 8:21 pm
by feyd
in_array() and array_search() may be of interest.
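As an added illustration of the allow-list approach discussed in the two posts above (this is example code, not from the thread), the dispatcher below resolves index.php?page=... against a fixed map of page keys. A keyed map is used rather than a bare in_array() list so the lookup also yields the file to load and the user's string is never used to build a path; if you do use in_array(), pass its third argument as true so the comparison is strict. The page keys and file names are made up.

```php
<?php
// Added example (not from the original thread): dispatch index.php?page=...
// through an allow-list. The page keys and file names are invented.

declare(strict_types=1);

/** Allowed page keys mapped to the files they load. Nothing else is ever included. */
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Return the file to include for a ?page= value, or null if it is not allowed.
 * $raw is whatever came from $_GET, so it may be missing or even an array.
 */
function resolvePage($raw, array $pages = PAGES, string $default = 'home'): ?string
{
    if ($raw === null || $raw === '') {
        return $pages[$default];
    }
    if (!is_string($raw)) {          // ?page[]=x arrives as an array
        return null;
    }
    // array_key_exists matches keys exactly; the value itself is never used
    // to build a path, so traversal or null-byte tricks never reach include().
    return array_key_exists($raw, $pages) ? $pages[$raw] : null;
}

// Constructed inputs standing in for $_GET['page'].
$probes = [
    null,
    'about',
    'About',                     // case matters: not in the list
    '../../../../etc/passwd',
    "about\0.txt",
    ['x'],
];

foreach ($probes as $probe) {
    $file = resolvePage($probe);
    printf("%-32s => %s\n", json_encode($probe), $file ?? '404 (rejected)');
}

// In index.php this becomes:
//   $file = resolvePage($_GET['page'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   require $file;
```

Only "about" and the missing value resolve to a file; the traversal string, the null-byte variant, the wrong-case key and the array are all rejected before anything is included. The check lives in one small function at the request boundary, which is the structural placement Christopher argues for later in the thread, as opposed to a catch-all sanitiser applied to every variable.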
Posted: Mon Feb 26, 2007 9:07 pm
by Ambush Commander
Anyone got any pieces of code which I can try and inject into my site?
http://ha.ckers.org/xss.html (site's down at the moment, check tomorrow)
However, you'll be hard-pressed to get them to work unless you understand the underlying issues.
Posted: Mon Feb 26, 2007 11:41 pm
by Christopher
benyboi wrote: That made me think, though: I will use a case statement and have all the page names in there, and if the user puts in something bad the value won't do anything harmful!
Short answer -- No. Short suggestion -- Stop.
Your security features need to be a structural part of the various parts of your code: request, response, database, etc. Some super-function with a big case statement in it is like a big neon sign flashing:
wrong,
wrong,
wrong.