Hi guys! (This is not a tutorial; I'm actually asking for help and/or to correct myself! :D)
As we all know, PHP has malicious-input filtering functions like mysql_real_escape_string, stripslashes, strip_tags, htmlentities, etc.
Let's take mysql_real_escape_string:
$input = "'OR 1=1'";
$safe_input = mysql_real_escape_string($input);
So it turns into:
\'OR 1=1\'
But the malformed query is still being processed after filtering, which is a waste of resources and opens the door to say "Yeah, come show your hacking skills!".
So why not detect such malicious inputs from a user before starting the actual program flow?
Let's bring a very simple function into play.
PHP Code:
function kickass($str)
{
    // Each str_ireplace call stores in its last argument how many times the token was found.
    $str = str_ireplace("<script>", "", $str, $i);
    $str = str_ireplace("</script>", "", $str, $j);
    $str = str_ireplace("'", "", $str, $k);
    $str = str_ireplace('"', '', $str, $l);
    $str = str_ireplace(";", "", $str, $m);
    //////////// Add more to the list, or let's make an easy function with preg_match
    return $i + $j + $k + $l + $m;
}
MySQLi and PDO are fine, but please correct me here; thanks in advance.
PHP Code:
if (kickass($_POST['username']) + kickass($_POST['password']) > 0)
{
    /* Inputs are unsafe:
       give a warning message or just redirect him back to the login page
    */
}
else
{
    // Start the actual program flow with safe inputs
    //// mysql_connect, mysql_query, etc.
}
I need some Facebook likes, can you please help me?
I noticed social media is really powerful
Can you be just a little more specific about the question bro?
Bro, I mean to say that: will there still be any security flaws if I'm starting the program flow only with safe inputs, assuming that the malicious inputs were filtered by the function?
For secure input there is no use for that. This step should not be avoided in any case:
For passwords it doesn't matter because they're usually hashed; the user name should be filtered, for example like this:
PHP Code:
$input = mysql_real_escape_string(stripslashes($input));
Filtering regular messages and posts by stripping tags is pointless; posters need those, and an attack can always be encoded. ;)
PHP Code:
// Allowlist: accept only word characters and whitespace, nothing else.
function match($input) {
    if (preg_match('/^[\w\s]+$/iD', $input)) {
        return true;
    } else {
        return false;
    }
}
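As an added worked example (not code from either poster), here are both filters from this thread, the denylist kickass() from the first post and the allowlist match() from the reply above, ported to Python and run against an in-memory SQLite table. It shows why the "filter first, then start the program flow" idea does not make the query safe, and what does. The table, the user names and the test inputs are constructed for the demonstration; kickass and match are Python re-implementations of the PHP functions posted in the thread, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Python port of the first poster's kickass(): count how many denylisted
# tokens occur in the input (the PHP version sums str_ireplace's counters).
DENYLIST = ["<script>", "</script>", "'", '"', ";"]


def kickass(s):
    hits = 0
    for token in DENYLIST:
        # case-insensitive, non-overlapping count, like str_ireplace
        hits += len(re.findall(re.escape(token), s, flags=re.IGNORECASE))
    return hits


# Python port of the reply's match(): allowlist of word characters and whitespace.
ALLOW_RE = re.compile(r"[\w\s]+")


def match(s):
    return ALLOW_RE.fullmatch(s) is not None


def make_db():
    # Constructed sample data for the demonstration.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return con


def lookup_interpolated(con, user_id):
    # The pattern the thread assumes is safe once kickass() returns 0: the
    # value is spliced straight into the SQL text. In a numeric comparison
    # there are no quotes to escape, so neither quote-escaping nor a
    # quote/semicolon denylist has anything to act on.
    sql = "SELECT username FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, user_id):
    # The actual fix: the value is bound as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (user_id,))]


def demo():
    con = make_db()
    benign = "1"
    # No quote, no semicolon, no script tag: kickass() sees nothing to strip.
    payload = "1 OR 1=1"
    return {
        "kickass_on_posted_sample": kickass("'OR 1=1'"),   # 2: both quotes found
        "kickass_on_payload": kickass(payload),            # 0: passes the denylist
        "match_on_payload": match(payload),                # False: '=' is not in [\w\s]
        "interp_benign": lookup_interpolated(con, benign),     # ['alice']
        "interp_payload": lookup_interpolated(con, payload),   # every row
        "param_benign": lookup_parameterized(con, benign),     # ['alice']
        "param_payload": lookup_parameterized(con, payload),   # [] : bound as text, matches nothing
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

The denylist only catches tokens its author thought of: `1 OR 1=1` contains none of them, scores 0, and still rewrites the query the moment it lands in a numeric comparison, which is exactly the spot where mysql_real_escape_string-style quote escaping does nothing either. The allowlist does reject it, because `=` falls outside `[\w\s]`, but an allowlist that tight also rejects legitimate names containing a dot or hyphen. The parameterized query holds regardless of what the filters decide, which is why the reply above says there is no point predicting inputs: bind the value and the same string is just a value that matches no row.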
lol, of course bro, mysql_real_escape_string is a must, I know that, but I don't think it'd be a bad idea to predict the inputs before querying MySQL for a hacker :p & thanks so much for all your guidelines
You are welcome. But there is no point predicting anything except wildcards and quantifiers. ;)