About website security



    Hi guys! (This is not a tutorial, I'm actually asking for help and/or to correct myself! :D)
    As we all know about the PHP malicious input filtering functions like mysql_real_escape_string, stripslashes, strip_tags, htmlentities, etc.
    Let's take mysql_real_escape_string:

    $input = "'OR 1=1'";
    $safe_input = mysql_real_escape_string($input);
    So it turns into:
    \'OR 1=1\'
    But the malformed query is actually still being processed after filtering, which is a waste of resources and opens the door to say "Yeah, come show your hacking skills!".
    So why not detect such malicious inputs from a user before starting the actual program flow?
    Let's bring a very simple function into play.

    PHP Code:
    function kickass($str)
    {
        // The optional fourth argument of str_ireplace receives the number of replacements made,
        // so each counter records how many suspicious tokens were found in the input
        $str = str_ireplace("<script>", "", $str, $i);
        $str = str_ireplace("</script>", "", $str, $j);
        $str = str_ireplace("'", "", $str, $k);
        $str = str_ireplace('"', "", $str, $l);
        $str = str_ireplace(";", "", $str, $m);
        //////////// Add more to the list, or let's make an easy function with preg_match
        return $i + $j + $k + $l + $m;
    }

    PHP Code:

    if (kickass($_POST['username']) + kickass($_POST['password']) > 0)
    {
        /* inputs are unsafe,
        give a warning message or just redirect him back to the login page
        */
    }
    else
    {
        // Start the actual program flow with safe inputs

        //// mysql_connect, mysql_query etc.
    }

    Mysqli & PDO are fine, but please correct me here, thanks in advance..
    I need some facebook likes, can you please help me
    http://facebook.com/softwarefreakin
    I noticed social media is really powerful
    Well DONE is better than well SAID

    #2
    Can you be just a little more specific about the question, bro?


      #3
      Bro, I mean to say that, will there still be any security flaws if I'm starting the program flow only with safe inputs, assuming that the malicious inputs were filtered by the function?


        #4
        For secure input there is no use for that. This step should not be avoided in any case:

        PHP Code:
        $input = mysql_real_escape_string(stripslashes($input));
        For passwords it doesn't matter because they are usually hashed; the user name should be filtered, for example like this:

        PHP Code:
        // Whitelist check: only word characters (letters, digits, underscore) and whitespace are accepted
        function match($input) {
            if (preg_match('/^[\w\s]+$/iD', $input)) {
                return true;
            } else {
                return false;
            }
        }

        Filtering regular messages and posts by stripping tags is pointless, posters need those, and an attack can always be encoded. ;)


          #5
          lol, of course bro, mysql_real_escape_string is a must, I know that, but I don't think it'd be a bad idea to predict a hacker's inputs before querying MySQL :p & thanks so much for all your guidelines


            #6
            You are welcome. But there is no point predicting anything except wildcards and quantifiers. ;)
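            The following is an added example, not code posted by anyone in this thread. It puts the advice from #4 and #6 next to the question from #1: a whitelist check on the user name (a tightened form of the regex in #4, with the `D` modifier doing real work), the password hashed rather than filtered, and a prepared statement so the thread's sample input `'OR 1=1'` is only ever compared as a literal string and a pre-query "detector" like kickass() is not needed. The `users` table, its columns, and the use of an in-memory SQLite database (so it runs without a MySQL server) are assumptions made for the example.

            ```php
            <?php
            // Added example (not from the thread). Table name, column names and the
            // SQLite DSN are assumptions for illustration; requires the pdo_sqlite extension.
            declare(strict_types=1);

            // Whitelist: letters, digits, underscore and space, 1..32 characters.
            // Post #4 used [\w\s]; \s also admits newlines, so a plain space is used here.
            // The D modifier matters: without it "$" also matches just before a trailing
            // "\n", so "alice\n" would pass. With D the end anchor is the true end of string.
            function isValidUsername(string $input): bool
            {
                return preg_match('/^[\w ]{1,32}$/D', $input) === 1;
            }

            // The value is bound as a parameter, never spliced into the SQL text, so
            // "'OR 1=1'" is looked up as a user name and simply matches nothing.
            function findUser(PDO $db, string $username): ?array
            {
                $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
                $stmt->execute([':u' => $username]);
                $row = $stmt->fetch(PDO::FETCH_ASSOC);
                return $row === false ? null : $row;
            }

            // Passwords are hashed on registration and verified on login; they are never
            // filtered or compared as plain text, which is why #4 says filtering them is moot.
            function login(PDO $db, string $username, string $password): bool
            {
                if (!isValidUsername($username)) {
                    return false;                       // rejected before touching the database
                }
                $user = findUser($db, $username);
                if ($user === null) {
                    return false;
                }
                return password_verify($password, $user['password_hash']);
            }

            // Constructed demo data in an in-memory database.
            $db = new PDO('sqlite::memory:');
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
            $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
            $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

            var_dump(login($db, 'alice', 'correct horse'));   // bool(true)
            var_dump(login($db, 'alice', 'wrong'));           // bool(false)
            var_dump(login($db, "'OR 1=1'", 'anything'));     // bool(false): fails the whitelist
            var_dump(login($db, "alice\n", 'correct horse')); // bool(false): D rejects the trailing newline
            var_dump(preg_match('/^[\w ]{1,32}$/', "alice\n") === 1); // bool(true): same pattern without D
            ```

            Two things worth noticing: the whitelist rejects the suspicious input before any query runs, which is the "detect it early" goal from #1, but it does so by describing what a valid user name looks like rather than by listing tokens an attacker might use, which is what #6 means by "no point predicting anything"; and even if the whitelist were removed, the prepared statement alone would keep the query from being altered.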