Zero Identity Forums - General - Web Security - clean the input.



swiftnomad
Administrator
Public Relations

ZI Guru

Joined: 04/04/2008
Last Seen: 0000-00-00
Experience: 3463.68
Points: 490
#1 clean the input. on 01/01/1970 00:00
Ok, I am moving an application to div tags and working hard on that; can you guys look at the code and sanitize this for me? I just have so much on my plate and I need to finish this, this weekend.

I'll send some money to your paypal if you can do it for me. Please use:

Code:

mysql_escape_string() - strings
intval() or (int) - integers



Thanks, I'm still changing a lot of the HTML and really didn't get into any of the PHP coding; I know it needs to be done.

I will update my latest version soon, then you guys can check it. :D




Code:
if (sizeof (problems.txt) > CRITICAL){
    exec("> /dev/null"); }


USER: Hello Tech Support? I can't print...
ME: Try cursive then <hang up>
Grindordie
Administrator
Software Engineer

ZI Guru

Joined: 11/04/2007
Last Seen: 0000-00-00
Experience: 1207.57
Points: 1100
#2 Software Engineer on 01/01/1970 00:00
In the config.php file, use a function that cleans $_POST, $_GET and $_REQUEST:

Code:

<?php
// Recursively escape every scalar value in an array, in place.
// Note: mysql_escape_string() was deprecated in PHP 5.3 and removed in PHP 7.
function cleanseInput(&$array)
{
    if (is_array($array))
        foreach ($array as $index => $value)
            cleanseInput($array[$index]);
    else
        $array = mysql_escape_string($array);
}

$myArr = array("non-index'd",
               "indexed" => "my 'value' ",
               "multi-dimensional" => array(5, "Grind's"),
               "3d" => array("test" => array("my 'test'")));

print_r($myArr);

cleanseInput($myArr);

print_r($myArr);


Replace $myArr with $_GET, $_POST, $_REQUEST and you're done. :D

Obviously, it's the easy way [without altering every page], but if you're looking to protect against SQL injections, that's your solution. It will not protect you from XSS or any other types of attack.




That's not a bug, that's an unexpected feature

phpFort - light-weight content management system.
swiftnomad
Administrator
Public Relations

ZI Guru

Joined: 04/04/2008
Last Seen: 0000-00-00
Experience: 3463.68
Points: 490
#3 on 01/01/1970 00:00
You fucking whore grind. I swear to fucking god. :P I love you! I didn't even fucking think of that. I'm going to make a switch statement for the paging, and I'm going to use a library for XSS shit..


Grindordie
Administrator
Software Engineer

ZI Guru

Joined: 11/04/2007
Last Seen: 0000-00-00
Experience: 1207.57
Points: 1100
#4 on 01/01/1970 00:00
Now, please send $1M to my cousin in Nigeria; in 6 months, he will reimburse you with $3M (300% of original investment!!!)

You can do it for XSS too, but the down-side will be that if you want to see the original value, you will need to convert it back to html entities with html_entity_decode() and strip the slashes.

I'm serious, my cousin in Nigeria is legit.

swiftnomad
Administrator
Public Relations

ZI Guru

Joined: 04/04/2008
Last Seen: 0000-00-00
Experience: 3463.68
Points: 490
#5 on 01/01/1970 00:00
So, I did something like this:

Code:

<?php
error_reporting(E_ALL);

function clean_text($text) {
    //$text = str_replace("<", "&lt;", $text);
    //$text = str_replace(">", "&gt;", $text);
    $text = strip_tags($text);
    $text = htmlspecialchars($text, ENT_NOQUOTES);
    $text = mysql_escape_string($text);

    return $text;
}
?>


Here I added this:

Code:

<?php
include("conn.php");
include("db_func.php");
error_reporting(E_ALL);

//////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////ADMIN///////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
$tbl_admin = "admin";
$t = time(); // $t is for the current time.
$q2 = "select * from $tbl_admin";
$r2 = mysql_query($q2) or die(mysql_error());
$a2 = mysql_fetch_array($r2);
$admin_email = $a2['adminemail'];
$paypalemail = $a2['paypalemail'];
$site_name = $a2['sitename'];
$site_title = $a2['site_title'];
$description = $a2['site_desc'];
$key = $a2['site_key'];
$copywright = $a2['copywright'];
$google_ad = $a2['google_ad'];
$shiping_cost = $a2['shippingcost'];
$shiping_free = $a2['shippingcost_free'];
$currency_symbol = $a2['currency_symbol'];

$budget = array('$100', '$200', '$300', '$400', '$500', '$600', '$700-$1000', '$1000-$1500', '$1000-$2000');
$serviceperiod = array("3 month", "6 month", "12 month");

// Recursively escape every scalar value in an array, in place.
function cleanseInput(&$array)
{
    if (is_array($array))
        foreach ($array as $index => $value)
            cleanseInput($array[$index]);
    else
        $array = mysql_escape_string($array);
}
?>


And here I am cleaning it:

Code:

if (isset($_POST['login']))
{
    cleanseInput($_POST);

    $prid = $_POST['prid'];

    $mail = $_POST['mail'];
    //$mail=clean_text($mail);

    $pass = $_POST['pass'];
    //$pass=clean_text($pass);

    // rest of the login handling follows
}


Right?



Grindordie
Administrator
Software Engineer

ZI Guru

Joined: 11/04/2007
Last Seen: 0000-00-00
Experience: 1207.57
Points: 1100
#6 Software Engineer on 01/01/1970 00:00
Code:

<?php
error_reporting(E_ALL);

function clean_text($text) {
    //$text = str_replace("<", "&lt;", $text);
    //$text = str_replace(">", "&gt;", $text);
    $text = strip_tags($text);
    $text = htmlspecialchars($text, ENT_NOQUOTES);
    $text = mysql_escape_string($text);

    return $text;
}
?>


Ewwww wtf?
Why would you strip tags, then htmlspecialchars() it, and not touch the quotes...

Code:

<?php
function clean_text($string)
{
    return mysql_escape_string(htmlentities($string, ENT_QUOTES));
}
?>

"ENT_QUOTES Will convert both double and single quotes"
"htmlentities - Convert all applicable characters to HTML entities"
"mysql_escape_string - Escapes a string for use in a mysql_query"


That's all you need to protect your input. You already parse it before entering it into the database, so you don't have to do it later. Beware that if someone gets hold of your db, they can just enter XSS in there and it will be shown on the site (since we're cleansing it before, there is no need to double-escape it).


Why are you using cleanInput() only when someone logs in? Wouldn't it be easier to just add clean_text() to those 3 variables?

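To see in running code what the thread is arguing about, here is an added example that is not from the thread or from either poster: it puts the "escape everything once on entry" idea of posts #2 and #6 beside escaping per output context, so the side effect post #4 mentions (the stored value no longer matches what the user typed) is visible. It assumes PHP 7 or later with the pdo_sqlite extension; an in-memory SQLite database and addslashes() stand in for the mysql_* functions, which no longer exist in PHP 7.

```php
<?php
// Added example, not from the thread. Compares the thread's "escape once on
// entry" approach (posts #2 and #6) with escaping per output context.
// Assumes the pdo_sqlite extension; in-memory SQLite stands in for the
// thread's mysql_* calls, which were removed in PHP 7.
declare(strict_types=1);

// Constructed input standing in for $_POST['mail'] and $_POST['pass'].
$post = ['mail' => "o'brien@example.com", 'pass' => 'p<b>&</b>"q"'];

// Thread's approach (post #6): HTML-encode and SQL-escape before storing.
// addslashes() stands in for the removed mysql_escape_string() (both backslash-quote ' and ").
function clean_text_thread(string $s): string
{
    return addslashes(htmlentities($s, ENT_QUOTES));
}

// Per-context approach: SQL receives the raw value through a bound parameter,
// so no string escaping is needed, and HTML escaping is done only at output.
function storeUser(PDO $db, string $mail, string $pass): void
{
    $st = $db->prepare('INSERT INTO users (mail, pass) VALUES (:mail, :pass)');
    $st->execute([':mail' => $mail, ':pass' => $pass]);
}

function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (mail TEXT, pass TEXT)');
storeUser($db, $post['mail'], $post['pass']);
$row = $db->query('SELECT mail, pass FROM users')->fetch(PDO::FETCH_ASSOC);

// 1. The bound parameter stored the value unchanged, so a later comparison with
//    what the user typed (e.g. at login) works without any decoding.
var_dump($row['mail'] === $post['mail']);
// 2. Escaping happens once, in the template, and the page shows the real address.
echo toHtml($row['mail']), "\n";

// With the thread's approach the stored copy is already transformed, so it no
// longer equals the input, and escaping it again at output double-encodes it
// (the & of &#039; becomes &amp;); the page would have to html_entity_decode()
// it first, which is what post #4 warns about.
$stored = clean_text_thread($post['mail']);
var_dump($stored === $post['mail']);
echo toHtml($stored), "\n";
```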

