one function for all security threats?

Posted: Mon Feb 26, 2007 6:37 pm
by benyboi
Is there a function which i can pass a variable through which will remove security threats etc? If not can someone point me in the right direction for this.

Thanks

Posted: Mon Feb 26, 2007 6:49 pm
by Luke
yea it's awesome_magical_super_wonder_function() :lol:

Here's a good place to start: viewtopic.php?t=29269

Posted: Mon Feb 26, 2007 6:53 pm
by benyboi
haha :lol: thanks

Posted: Mon Feb 26, 2007 7:12 pm
by benyboi
anyone got any pieces of code which i can try and inject into my site?

thanks

Posted: Mon Feb 26, 2007 7:20 pm
by Jenk
benyboi wrote: anyone got any pieces of code which i can try and inject into my site?

thanks
You will be hard pushed to find anything of that sort from here. :)

Posted: Mon Feb 26, 2007 7:40 pm
by Christopher
The Ninja Space Goat wrote: yea it's awesome_magical_super_wonder_function() :lol:
That has been deprecated ... use:

awesome_magical_real_super_wonder_function([mixed $pixiedust])


Seriously, what security measures to take depends on where the data is coming from and where it is going to.

Posted: Mon Feb 26, 2007 7:43 pm
by benyboi
checking a variable which defines what page is to be loaded.
e.g: index.php?page=blah

where the 'blah' bit needs to be checked.

Posted: Mon Feb 26, 2007 7:47 pm
by Christopher
Now we know where the data is from. What are you going to do with $_GET['blah']?

Posted: Mon Feb 26, 2007 7:52 pm
by benyboi
That's what i was hoping you could help me with!

Posted: Mon Feb 26, 2007 7:56 pm
by feyd
Let me rephrase what arborint asked: Where are you going to put the data now that you have it in $_GET['blah']?

Posted: Mon Feb 26, 2007 7:58 pm
by Christopher
No ... I mean how do you want to use the value. For example, there are cases where you don't need to do anything like:

Code:

if ($_GET['blah'] == '1') {
    // the value is only compared here, never echoed or stored, so no escaping is needed
}
But if you want to echo the value then:

Code:

echo htmlentities($_GET['blah']);
Or to save in a MySQL database:

Code:

// escape the string for the SQL context; $id is cast to int so it cannot carry SQL either
$sql = "UPDATE mytable SET blah='" . mysql_real_escape_string($_GET['blah']) . "' WHERE id=" . (int) $id;

Posted: Mon Feb 26, 2007 8:17 pm
by benyboi
Ahh i get you...

That made me think tho, i will use a case statement and have all the page names in there and if the user puts in something bad the value won't do anything harmful!

Hope that works.

Posted: Mon Feb 26, 2007 8:21 pm
by feyd
in_array() and array_search() may be of interest.

Posted: Mon Feb 26, 2007 9:07 pm
by Ambush Commander
anyone got any pieces of code which i can try and inject into my site?
http://ha.ckers.org/xss.html (site's down at the moment, check tomorrow)

However, you'll be hard-pressed to get them to work unless you understand the underlying issues.

Posted: Mon Feb 26, 2007 11:41 pm
by Christopher
benyboi wrote: That made me think tho, i will use a case statement and have all the page names in there and if the user puts in something bad the value won't do anything harmful!
Short answer -- No. Short suggestion -- Stop. ;)

Your security features need to be a structural part of the various parts of your code: request, response, database, etc. Some super-function with a big case statement in it is like a big neon sign flashing: wrong, wrong, wrong.
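As an added example (not code from anyone in the thread), here is how the index.php?page=... case looks when the allow-list feyd points at and the per-context escaping Christopher lists are kept in their own places rather than in one super-function. The $get array stands in for $_GET, and $pdo is assumed to be an open PDO connection; PDO prepared statements are used instead of the thread's mysql_real_escape_string().

```php
<?php
// Constructed request data so the script runs from the CLI without a web server.
$get = ['page' => 'about', 'blah' => "<b>x</b> ' OR 1=1", 'id' => '7 OR 1=1'];

// Context 1: the value picks a file to load. Only names in this fixed map are
// ever handed to include(); anything else falls back to the default page.
$pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolvePage(array $get, array $pages): string
{
    $name = isset($get['page']) ? (string) $get['page'] : 'home';
    // strict in_array: no type juggling, no partial matches, no filesystem access
    if (!in_array($name, array_keys($pages), true)) {
        $name = 'home';
    }
    return $pages[$name];
}

// Context 2: the value is echoed into HTML, so it is escaped for HTML at output time.
function renderValue(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Context 3: the value goes into SQL. It is bound as a parameter instead of being
// spliced into the query string; $id is cast so it stays numeric.
function saveValue(PDO $pdo, string $blah, $id): bool
{
    $stmt = $pdo->prepare('UPDATE mytable SET blah = :blah WHERE id = :id');
    return $stmt->execute([':blah' => $blah, ':id' => (int) $id]);
}

// Each value is handled by the code that uses it, in the form that context needs.
$file = resolvePage($get, $pages);
echo "would include: $file\n";
echo 'would output: ', renderValue($get['blah']), "\n";
// saveValue($pdo, $get['blah'], $get['id']);  // run only with a real $pdo connection
```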