To secure your scripts and prevent SQL injection attacks and malicious JavaScript, just add these functions to your core.php
(if get_magic_quotes is already in your core, don't copy or include it again).
    <?php
    ini_set("display_errors", "0");   // never show PHP errors (and the SQL inside them) to visitors
    if (!get_magic_quotes_gpc()) {
        // Trim and backslash-escape every request value once; the second copy of the
        // addslashes lines in the original would have escaped everything twice.
        $_GET    = array_map('trim', $_GET);
        $_POST   = array_map('trim', $_POST);
        $_COOKIE = array_map('trim', $_COOKIE);
        $_GET    = array_map('addslashes', $_GET);
        $_POST   = array_map('addslashes', $_POST);
        $_COOKIE = array_map('addslashes', $_COOKIE);
    }

    function cleanInput($text) {
        $search = array(
            '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
            '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
            '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
            '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
        );
        $output = preg_replace($search, '', $text);
        return $output;
    }

    function sanitize($text) {
        if (is_array($text)) {
            $output = array();                  // start empty so an empty array returns an array, not an undefined variable
            foreach ($text as $var => $val) {
                $output[$var] = sanitize($val); // recurse into nested request arrays
            }
        } else {
            // Undo the escaping added by magic quotes or by the addslashes block above,
            // so that mysql_real_escape_string() escapes the value exactly once.
            $text = stripslashes($text);
            $text = cleanInput($text);
            $output = mysql_real_escape_string($text);
        }
        return $output;
    }
The cleanInput and sanitize functions take care of it. To apply them in your script, just wrap every $_GET and $_POST value in
    sanitize(cleanInput(
For instance:
    $data = $_GET["data"];
or
    $data = $_POST["data"];
now becomes
    $data = sanitize(cleanInput($_GET["data"]));
or
    $data = sanitize(cleanInput($_POST["data"]));
If you use cleanInput on messages posted in forums, inbox and shoutbox, any JavaScript or PHP snippet in the message will not be posted; a blank message is posted instead. So it is better not to use cleanInput in those parts of the script and to use sanitize only. Add this function to register.php as well, to prevent automated registrations that bypass the form with commands.
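As an added example (not code from the post above), here is how a practitioner would cover the same two cases today: the id lookup and the free-text forum message are sent to MySQL through PDO prepared statements, and text is encoded for HTML when it is displayed rather than having tags stripped on input, so a message containing markup is stored intact instead of being posted blank. The PDO connection, the `posts` table and the credentials in the DSN are assumptions.

```php
<?php
// Added example, not from the original post. Assumed: PDO with MySQL, a hypothetical
// table `posts (id INT, title VARCHAR, body TEXT)` and placeholder credentials.
declare(strict_types=1);
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

function lookupPost(PDO $pdo, string $rawId): ?array
{
    // Validate the shape first: an id must be digits, anything else is rejected outright.
    if (!ctype_digit($rawId)) {
        return null;
    }
    // The SQL text never contains user data, so quotes or comment sequences cannot alter it.
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function savePost(PDO $pdo, string $title, string $body): int
{
    // Free text is stored exactly as typed, including any <script> the user wrote:
    // a bound parameter cannot break out of the statement, and nothing is blanked.
    $stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function renderText(string $text): string
{
    // Encode for the HTML context at output time: the browser shows the characters
    // literally, so stored markup or script is never executed.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo  = connect();
$post = lookupPost($pdo, $_GET['data'] ?? '');
if ($post !== null) {
    echo '<h1>' . renderText($post['title']) . '</h1><p>' . renderText($post['body']) . '</p>';
}
```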
To secure your uploader against C9 shell script attacks, just create a .htaccess file in the directory where the uploaded files are going to be saved and add this directive to it:
    php_flag engine off
It disables PHP execution for everything your visitors upload, no matter what file extension they use.
It was all very easy, mates, and I hope it can help you a lot to secure your sites. Don't forget to hit thanks if you think this post is useful hehehe
Anyway, for those who know how to prevent session stealing/grabbing, please post here how, because I really need it badly hehehe.
I already secured my site sessions. I use
$tm.$randomsid in login.php, base64_encoded, instead of $uid.$tm md5 encrypted sessions.
I think this is not enough, so please, anyone, help me prevent session stealing.
Here's my site, which for me is almost perfect.
hehehehe, lol....
PS:
Bro riderz, if you read this post, PM me so I can give you the CSS gallery script. I have a lot of things to ask you, mate.
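The post asks how to prevent session stealing. As an added example (not the poster's code), this is the session handling a practitioner would use in PHP 7.3 or later: the session id travels only in a cookie that JavaScript cannot read and that is sent only over HTTPS, ids the server did not issue are rejected, the id is regenerated on login so a pre-set (fixated) id is worthless, and a login expires after a bounded time. HTTPS and an already authenticated $userId are assumptions.

```php
<?php
// Added example, not from the original post. Assumed: PHP 7.3+, the site is served over
// HTTPS, and $userId is only passed in after the password check succeeded.
declare(strict_types=1);

function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,          // cookie lives only for the browser session
        'path'     => '/',
        'secure'   => true,       // sent over HTTPS only, so it cannot be sniffed
        'httponly' => true,       // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginSession(int $userId): void
{
    // A fresh id right after authentication defeats session fixation: any id the
    // client held (or was handed by someone else) before logging in is now worthless.
    session_regenerate_id(true);
    $_SESSION['uid']        = $userId;
    $_SESSION['login_time'] = time();
}

function currentUserId(int $maxAge = 3600): ?int
{
    if (!isset($_SESSION['uid'], $_SESSION['login_time'])) {
        return null;
    }
    // Absolute lifetime: even a stolen id stops working after $maxAge seconds.
    if (time() - (int) $_SESSION['login_time'] > $maxAge) {
        logoutSession();
        return null;
    }
    return (int) $_SESSION['uid'];
}

function logoutSession(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/',
              'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_destroy();
}
```

Call startHardenedSession() at the top of every page, loginSession($userId) once the password check passes, and currentUserId() wherever a page needs to know who is logged in.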