Zero Identity - General - Web Security - clean the input.

Username: Password: [Forgot Password?] [Not Registered?]

Navigation

Navigation

Challenges

Media

Contribute

ZI Store Updates

Zi Store

Link to UsIf you'd like to become an affilate, please Link to Us!

Online Users

Registered Users: 1426

Latest Registration: gohan

Online Users: 10
(0 Members, 10 Guests)

Poll

If your shout contains ! in the begining, your links will not be clickable.
If you enter the user's full username, it will be highlighted just for that user.Shoutbox

rohansingh47rohansingh47

Last Login:
10 year(s) ago
Joined:
07/17/2008 05:41
Experience:
1005.63 (04 day(s) ago)

hi @vs4vijay what's up

3l_f3n1x3l_f3n1x

Last Login:
10 year(s) ago
Joined:
08/05/2008 22:56
Experience:
276.43 (05 day(s) ago)

what's up?

vs4vijayvs4vijay

Last Login:
10 year(s) ago
Joined:
10/02/2008 06:41
Experience:
1070.77 (07 day(s) ago)

hello buddies...

3l_f3n1x3l_f3n1x

Last Login:
10 year(s) ago
Joined:
08/05/2008 22:56
Experience:
276.43 (21 day(s) ago)

I often visit ZI to see if there's some activity, but I always find it pretty much dead

Last Login:
10 year(s) ago
Joined:
03/30/2008 18:30
Experience:
19699.95 (21 day(s) ago)

hey hows everyone doing. just checking in to see if people are still alive.

swiftnomadswiftnomad

Public Relations

Last Login:
10 year(s) ago
Joined:
04/04/2008 13:35
Experience:
3274.18 (23 day(s) ago)

@el3v3nty , what's up? @mrdotkom, what's up?

[Shoutbox Archive]

Zero Identity Forums - General - Web Security - clean the input.

Are you bored? Check out the unaswered threads!

swiftnomad Administrator Public Relations ZI Guru Joined: 04.04.2008 Last Seen: 10 year(s) ago Experience: 3274.18 Points: 405
	#1 clean the input. on April 24 2009 00:57
	Ok, i am moving an application to div tags and working hard on that, can you guys look at the code and sanitize this for me? I just have so much on my plate and I need to finish this; this weekend. I'll send some money to your paypal if you can do it for me. Please use: Code Highlighting :: Select Code `mysql_escape_string() - strings intval() or (int) - integers` Thanks, i'm still changing a lot of the html and really didn't get into any of the php coding, i know it needs to be done.. i will update my latest version soon, then you guys can check it. Code Highlighting :: Select Code `if (sizeof (problems.txt) > CRITICAL){ exec("> /dev/null"); }` USER: Hello Tech Support? I can't print... ME: Try cursive then <hang up>

Grindordie Administrator Software Engineer ZI Guru Joined: 04.11.2007 Last Seen: 10 year(s) ago Experience: 1074.3 Points: 1100
	#2 Software Engineer on April 24 2009 01:48
	In the config.php file use a function that cleans $_POST, $_GET, $_REQUEST Code Highlighting :: Select Code <plaintext><?php function cleanseInput(&$array) { if(is_array($array)) foreach($array as $index => $value) cleanseInput($array[$index]); else $array = mysql_escape_string($array); } $myArr = array("non-index'd", "indexed" => "my 'value' ", "multi-dimensional" => array(5, "Grind's"), "3d" => array("test" => array("my 'test'"))); print_R($myArr); cleanseInput($myArr); print_R($myArr); Replace $myArr with $_GET, $_POST, $_REQUEST and you're done. Obviously, it's the easy way [without altering every page] but, if you're looking to protect against SQL Injections - that's your solution. It will not protect you from XSS or any other types of attack That's not a bug, that's an unexpected feature phpFort - light-weight content management system.

swiftnomad Administrator Public Relations ZI Guru Joined: 04.04.2008 Last Seen: 10 year(s) ago Experience: 3274.18 Points: 405
	#3 on April 24 2009 13:04
	you fucking whore grind. i swear to fucking god. :P i love you! I didn't even fucking think of that, i'm going to make a switch statement for the paging, and im going to use a library for xss shit.. Code Highlighting :: Select Code `if (sizeof (problems.txt) > CRITICAL){ exec("> /dev/null"); }` USER: Hello Tech Support? I can't print... ME: Try cursive then <hang up>

Grindordie Administrator Software Engineer ZI Guru Joined: 04.11.2007 Last Seen: 10 year(s) ago Experience: 1074.3 Points: 1100
	#4 on April 24 2009 19:14
	Now, please send $1M to my cousin in Nigeria; in 6 months, he will reimburse you with $3M (300% of original investment!!!) You can do it for XSS too.. but the down-side will be that if you want to see the original value, you will need to convert it back to html entities html_entity_decode() and strip the slashes. I'm serious, my cousin in Nigeria is legit. That's not a bug, that's an unexpected feature phpFort - light-weight content management system.

swiftnomad Administrator Public Relations ZI Guru Joined: 04.04.2008 Last Seen: 10 year(s) ago Experience: 3274.18 Points: 405
	#5 on April 25 2009 12:54
	so, I did something like this: Code Highlighting :: Select Code `<? error_reporting(E_ALL); function clean_text($text) { //$text = str_replace("<", "<", $text); //$text = str_replace(">", ">", $text); $text = strip_tags($text); $text = htmlspecialchars($text, ENT_NOQUOTES); $text = mysql_escape_string($text); return $text; } ?>` here I added this: Code Highlighting :: Select Code <?php include ("conn.php"); include ("db_func.php"); error_reporting(E_ALL); ////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////ADMIN/////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////// $tbl_admin = "admin"; $t = time();//$t is for the current time. $q2 = "select * from $tbl_admin"; $r2 = mysql_query($q2) or die(mysql_error()); $a2 = mysql_fetch_array($r2); $admin_email = $a2[adminemail]; $paypalemail = $a2[paypalemail]; $site_name = $a2[sitename]; $site_title = $a2[site_title]; $description = $a2[site_desc]; $key = $a2[site_key]; $copywright = $a2[copywright]; $google_ad = $a2[google_ad]; $shiping_cost = $a2[shippingcost]; $shiping_free = $a2[shippingcost_free]; $currency_symbol = $a2[currency_symbol]; $budget=Array("$100","$200","$300","$400","$500","$600","$700-$1000","$1000-$1500","$1000-$2000"); $serviceperiod=Array("3 month","6 month","12 month"); function cleanseInput(&$array) { if(is_array($array)) foreach($array as $index => $value) cleanseInput($array[$index]); else $array = mysql_escape_string($array); } ?> and here i am cleaning it. Code Highlighting :: Select Code `if(isset($_POST[login])) { cleanseInput($_POST); $prid=$_POST[prid]; $mail=$_POST['mail']; //$mail=clean_text($mail); $pass=$_POST['pass']; //$pass=clean_text($pass);` right? Code Highlighting :: Select Code `if (sizeof (problems.txt) > CRITICAL){ exec("> /dev/null"); }` USER: Hello Tech Support? I can't print... ME: Try cursive then <hang up>

Grindordie Administrator Software Engineer ZI Guru Joined: 04.11.2007 Last Seen: 10 year(s) ago Experience: 1074.3 Points: 1100
	#6 Software Engineer on April 25 2009 15:34
	Code Highlighting :: Select Code `<? error_reporting(E_ALL); function clean_text($text) { //$text = str_replace("<", "<", $text); //$text = str_replace(">", ">", $text); $text = strip_tags($text); $text = htmlspecialchars($text, ENT_NOQUOTES); $text = mysql_escape_string($text); return $text; } ?>` Ewwww wtf? Why would you strip tags then htmlspecialchars() it & not touch the quotes... Code Highlighting :: Select Code `<?php function clean_text($string) { return mysql_escape_string(htmlentities($string, ENT_QUOTES)); } ?>` "ENT_QUOTES Will convert both double and single quotes" "htmlentities Ã¢ï¿½ï¿½ Convert all applicable characters to HTML entities" "mysql_escape_string Ã¢ï¿½ï¿½ Escapes a string for use in a mysql_query" That's all you need to protect your input. You already parse it before entering into the database, so you don't have to do it later. Beware that if someone gets hold of your db, they can just enter XSS in there and it will be shown on the site (since we're cleansing it before - there is no need to double escape it) Why are you using cleanInput() only when someone logs in? Wouldn't it be easier to just add clean_text() to those 3 variables? That's not a bug, that's an unexpected feature phpFort - light-weight content management system.

Who is watching forums

Users viewing this page:	Guests (1)
Users viewing the forum:	1

© 2009 ZeroIdentity.org | Atlanta SEO

Powered by phpFort © 2008
Page generated in 0.078 seconds. :: MySQL Queries: 12