phpnoob

Security for post

I was making a secure post for my forum, and now I have time to finish it, but I'm stuck and need help.

```php
$post = htmlspecialchars($_POST['post']);
// Note: after htmlspecialchars() every '<' is already '&lt;', so these two
// arrays (identical as posted) can never match a PHP tag; the call is a no-op.
$search  = array('<?', '?>');
$replace = array('<?', '?>');
echo str_replace($search, $replace, $post);
```

The problem: if I send a " the code adds this: \\" <----


It sounds like your server has the magic quotes option enabled. There's no reason to have that option enabled, I don't know why so many servers have it on. Check the top answer here for some code which will remove magic quotes. Just keep in mind it's your responsibility to protect against SQL injection attacks. http://stackoverflow.com/questions/2133026/php-how-to-correctly-remove-escaped-quotes-in-arrays-when-magic-quotes-are-on

Just wondering, is this code enough? Or can I remove something? Edit: nvm, I understand now what you're talking about :), OK, I'll try your code.


I tried to add that code, but I get an error: Warning: Invalid argument supplied for foreach() in

I added this code:

```php
// Recursively strip the backslashes that magic_quotes_gpc adds to keys and values.
function unMagicQuotify($ar) {
    $fixed = array();
    foreach ($ar as $key => $val) {
        if (is_array($val)) {
            $fixed[stripslashes($key)] = unMagicQuotify($val);
        } else {
            $fixed[stripslashes($key)] = stripslashes($val);
        }
    }
    return $fixed;
}

// Apply it to every request array, then write the cleaned copies back.
$process = array($_GET, $_POST, $_COOKIE, $_REQUEST);
$fixed = array();
foreach ($process as $index => $glob) {
    $fixed[$index] = unMagicQuotify($glob);
}
list($_GET, $_POST, $_COOKIE, $_REQUEST) = $fixed;
```

The error points at this piece: foreach ($ar as $key=>$val)


Add this and post what it shows:

```php
echo '<pre>', print_r($_GET, true), print_r($_POST, true), print_r($_COOKIE, true), print_r($_REQUEST, true), '</pre>';
```


It has some code that I don't want to post here, but I can say it has a 32-character-long code :)

Array
(
    [f] => topicview
    [p] => 3
)
Array
(
)
Array
(
    [CookieID] => SECRET
    [phpSESSID] => SECRET
)
Array
(
    [f] => topicview
    [p] => 3
    [CookieID] => SECRET
    [phpSESSID] => SECRET
)

BTW, at the bottom of the error it printed "Array", not what I posted in the textarea.

> I don't see why it would give the warning you showed, there are obviously 4 arrays there.
Maybe I put that code in the wrong place? Please wait, I'll try something. Edit: it has a main.php, and I include topicview.php:

```php
if ($getpage == 'forumview') {
    include "forum/forumview.php";
    echo forumview();
    echo last($start_time);
}
```

All the forumview code I put in a function, and I added your code in a function, so it has 2 functions. Maybe I need to add something to the first function?



It doesn't work :(

```php
<?php
function topicview() {
    function unMagicQuotify($ar) {
        $fixed = array();
        foreach ($ar as $key => $val) {
            if (is_array($val)) {
                $fixed[stripslashes($key)] = unMagicQuotify($val);
            } else {
                $fixed[stripslashes($key)] = stripslashes($val);
            }
        }
        return $fixed;
    }

<form action="'.$_SERVER[REQUEST_URI].'" method="post" name="postform">
<textarea name="post" rows="15" cols="80"></textarea></div>
<p /><input type="submit" name="submit" value="Go" /></form>

    if (!empty($_POST['submit'])) {
        if (!empty($_POST['post'])) {
            $post = htmlspecialchars($_POST['post']);
            $search  = array('<?', '?>');
            $replace = array('<?', '?>');
            $cleanedpost = str_replace($search, $replace, $post);
            // $process holds a string, not an array of arrays, so unMagicQuotify()
            // below runs foreach() over a string: that is the warning being reported.
            $process = array($cleanedpost);
            $fixed = array();
            foreach ($process as $index => $glob) {
                $fixed[$index] = unMagicQuotify($glob);
            }
            list($cleanedpost) = $fixed;
            echo $fixed;   // echoing an array prints the word "Array"
        }
    }
```

Full edited code. Error: Warning: Invalid argument supplied for foreach(), and at the bottom it says Array at echo $fixed;


Don't change the code from the post, don't move the lines around or add your own code in unless you know what you're doing. And also don't put that code inside a function. The code should run before other code on your page that is going to use anything from $_GET, $_POST, or $_COOKIE. That code removes slashes from the form input. After it finishes then you just use the form input like normal and it won't have the extra slashes.

> and at the bottom it says Array at echo $fixed;
Yes, that's what it says when you print an array.

Then where? Config.php:

```php
<?php
mysql_connect("", "", "") or die("Error connection");
mysql_select_db("") or die();
include "include/check.php";
echo check();
include "include/login.php";
include "main.php";
include "online.php";
$start_time = microtime(true);
include "page.php";
include "pregreplace.php";
?>
```

all php

```php
<?php
session_start();
include "config.php";
$getpage = empty($_GET['listen'])
    ? header("Location: index.php?listen=news")
    : mysql_real_escape_string($_GET['listen']);
echo onlineindex();
if ($getpage == 'news') {
    include "include/news.php";
    echo news();
    echo end($start_time);
}
?>
```

Where can I put that code and what do I need to do?



You need to put the code before any other code that is going to use $_GET, $_POST, $_COOKIE, or $_REQUEST. That code removes slashes from the values in those arrays. So if you're going to use any values from those arrays, and you want the slashes removed, then that code needs to run before the code that gets the values from the arrays. Don't modify the code, just add it to one of your include files so that it runs before any code that uses one of the arrays and then the values in the arrays won't have slashes. You don't do anything with $fixed or any of the other variables in the code.
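An added example (not the Stack Overflow snippet from the thread and not phpnoob's code) of the same fix with the check a practitioner would want: it only strips slashes when the server actually added them. The posted code calls stripslashes() unconditionally, so on a server with magic_quotes_gpc off it silently eats genuine backslashes typed by users. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard. The sample array below is constructed to look like $_POST on a magic-quotes server; undo_magic_quotes_once() is the piece you would call at the top of config.php, before any include reads the request.

```php
<?php
// Added example, not from the thread. Strip "magic quotes" escaping from
// request data only when the server actually added it.

/**
 * Recursively remove the backslashes magic_quotes_gpc added to keys and values.
 * Pure function: takes an array, returns a new array, touches no globals.
 */
function strip_magic_quotes(array $data)
{
    $fixed = array();
    foreach ($data as $key => $value) {
        $fixed[stripslashes($key)] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes($value);
    }
    return $fixed;
}

/**
 * True only on a PHP build/config that still escapes GPC input.
 * get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer exists in 8.0.
 */
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/**
 * Apply the fix to the superglobals exactly once, before any code reads them.
 * Returns true if it did something, false if there was nothing to undo.
 */
function undo_magic_quotes_once()
{
    static $done = false;
    if ($done || !magic_quotes_active()) {
        return false;
    }
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
    $done = true;
    return true;
}

// Constructed sample: what $_POST looks like on a magic-quotes server when the
// user typed   it's "quoted"   , a Windows path   C:\temp   , and a nested field.
$sample = array(
    'post'   => 'it\\\'s \\"quoted\\"',
    'path'   => 'C:\\\\temp',
    'nested' => array('k\\\'ey' => 'v\\\'al'),
);
$clean = strip_magic_quotes($sample);
assert($clean['post'] === 'it\'s "quoted"');
assert($clean['path'] === 'C:\\temp');
assert($clean['nested']["k'ey"] === "v'al");

echo "magic quotes active on this server: ", var_export(magic_quotes_active(), true), "\n";
echo "post after strip: ", $clean['post'], "\n";
```

strip_magic_quotes() is pure (array in, array out), so it can be tested without touching the superglobals; undo_magic_quotes_once() applies it in place, once, which is the behaviour asked for above. On any PHP from 5.4 on, magic_quotes_active() is false and the function leaves the request data alone, which is exactly what you want: stripping slashes that were never added would corrupt input.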

I figured it out. I put it in config.php, before include check.php. Thanks for helping :)


1 more question: can I remove the first code in the post protection?

```php
$post = htmlspecialchars($_POST['post']);
$search  = array('<?', '?>');
$replace = array('<?', '?>');
echo str_replace($search, $replace, $post);
```

I mean the htmlspecialchars.

> Look at what the function does and decide if you need it: http://www.php.net/m...pecialchars.php
I read that page 1 year ago, and now again, and now I modified the code. Is this enough? And can it be hacked?

htmlspecialchars($post, ENT_QUOTES)

I want to protect against the most known hack tactics, like XSS. Is my code enough for that?

> I read that page 1 year ago, and now again, and now I modified the code. Is this enough? And can it be hacked?

The point justsomeguy is trying to get at is that there's no universal "enough" way to deal with input. It depends on what you're about to do with the given input.

If you're about to write it as part of HTML output, htmlspecialchars() is enough to turn the input into plain text, and thus protect your users from XSS attacks.

If you're about to insert this into a database, that's not enough at all, and in fact, should not be used to begin with. You must use something like mysqli_real_escape_string() instead of htmlspecialchars().

Forum post security, and a MySQL database.

? You didn't catch a word of what I said, did you?

> ? You didn't catch a word of what I said, did you?

I read it, but I was a little bit confused, that's why I posted that.

> If you're about to write it as part of HTML output, htmlspecialchars() is enough to turn the input into plain text, and thus protect your users from XSS attacks.

This one I can't understand. The thread name is "Security for post"; there is only 1 section I can post in, in the forum ;) Edit: But OK, I'll add mysqli_real_escape_string.

The point is you shouldn't be adding stuff.

You're approaching the problem with the idea that you have "hackable data", with which you do something, and it becomes "unhackable data". Things don't work that way.

Instead, you have "data safe for X, damaging the intended content in Y, unsafe for Z". No matter how many functions you pass over a piece of data, you always have X, Y and Z in there. The only difference is what X, Y and Z actually are.

When you apply mysqli_real_escape_string(), you're making your data "safe for a string in MySQLi, damaging the intended content for almost anything else (including HTML), unsafe for a file path (and perhaps a few other things)".

Similarly, when you apply htmlspecialchars(), you're making your data "safe for (X)HTML text, damaging the intended content for almost anything else (including a MySQLi string), unsafe for a URL (and perhaps a few other things)".

So... to protect yourself from an SQL injection, you "use mysqli_real_escape_string() when the data is about to become a string in a MySQL query". At that moment (ONLY at that moment), the fact that the result of mysqli_real_escape_string() is unsecured or damaging in other contexts is irrelevant, because the context of an SQL query is the only one you need to care about at that moment.

To protect yourself from an XSS attack, you "use htmlspecialchars() when the data is about to be written as plain text within an HTML document". And again, ONLY at that moment.

I get what you mean by moment :) And if I make both strings at once? Or do those codes 2 times?

Your script never does these two things at once. It only does one after the other. E.g.:

```php
<?php
$mysqli = new mysqli(...);
$username = $_POST['username'];

$mysqli->query("SELECT * FROM `users` WHERE `username`='" .
    // At this moment, we're about to create a string that is part of a MySQLi query.
    // Time to do mysqli_real_escape_string() over the input (in this case $username).
    $mysqli->real_escape_string($username) .
    "'"
    // MySQLi string just ended. We don't want the input containing anything MySQLi related any more,
    // and because we never rewrote $username, that's exactly what's happening.
);

echo '<div>Hello ',
    // We're about to write something as part of the HTML output.
    // We want this to be plain text, so it's time to use htmlspecialchars().
    // Because we're still working with the original data (not the one mysqli_real_escape_string() produced),
    // this will work equally well, regardless of what $_POST['username'] contains.
    htmlspecialchars($username),
    '</div>';
```

vs

```php
<?php
$mysqli = new mysqli(...);

// Contrary to what you might think, your script is still doing one thing after the other:
// first htmlspecialchars(), and then mysqli_real_escape_string() operates over that.
$username = $mysqli->real_escape_string(htmlspecialchars($_POST['username']));

$mysqli->query("SELECT * FROM `users` WHERE `username`='" .
    // No SQL injection, because mysqli_real_escape_string() was the outermost function we applied.
    // However, if $_POST['username'] contains any quotes, "<", ">", or "&",
    // you'll notice your DB is now storing something different from the other example.
    $username .
    "'");

echo '<div>Hello ',
    // We're about to write something as part of the HTML output.
    // You may think you're safe because of htmlspecialchars(). Strictly speaking, in this particular case,
    // that's true, BUT if $_POST['username'] contains any apostrophes, you'll see them prepended with a slash.
    $username,
    '</div>';
```
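As an added example (not boen_robot's or phpnoob's code) tying together the "safe for X, damaging in Y" point and the two snippets above: the raw $_POST value is kept untouched, sent to the database through a prepared statement (the value is bound, so it never becomes part of the query text at all; this is the alternative to calling mysqli_real_escape_string() at the query moment, and mysqli offers the same prepare/bind/execute pattern), and escaped with htmlspecialchars() and ENT_QUOTES only at the moment it is written into HTML. Assumptions: PDO with pdo_sqlite is available, and an in-memory SQLite database stands in for the MySQL one so the code runs offline; the posts table, the helper names and the sample input are invented. The sample body also contains a <?php ... ?> tag, to show that htmlspecialchars() alone already neutralises the <? and ?> sequences the first post tried to handle with a separate str_replace().

```php
<?php
// Added example, not code from the thread. Escape once, at the moment of use,
// for the context the data is entering: bound parameter for SQL, htmlspecialchars() for HTML.
// pdo_sqlite and the table layout are assumptions made for the example.

function open_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

/** SQL context: bind the raw value; no escaping function is called on it. */
function store_post(PDO $db, $author, $body)
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute(array(':author' => $author, ':body' => $body));
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

/** HTML text context: escape exactly once, here. ENT_QUOTES also covers the
 *  single quote, so the same helper is safe inside single-quoted attributes. */
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_post(array $row)
{
    return '<div class="post"><b>' . h($row['author']) . '</b>: '
         . nl2br(h($row['body'])) . '</div>';
}

// Constructed sample input, as a hostile $_POST would deliver it.
$author = "O'Brien\" OR 1=1 --";
$body   = "<script>alert(1)</script>\n<?php echo 'x'; ?> & it's done";

$db  = open_db();
$id  = store_post($db, $author, $body);
$row = load_post($db, $id);

// The database holds the text the user actually typed, byte for byte ...
assert($row['author'] === $author);
assert($row['body'] === $body);

// ... and the browser receives inert text: no tag, no script, no PHP tag.
$html = render_post($row);
assert(strpos($html, '<script') === false);
assert(strpos($html, '<?php') === false);
assert(strpos($html, '&lt;script&gt;') !== false);
assert(strpos($html, 'O&#039;Brien&quot;') !== false);

// The "escape everything up front" variant from the thread corrupts stored data:
// escaping for HTML before the INSERT stores entities instead of the user's text,
// and the output stage then escapes them a second time.
$pre_escaped = h($body);
$bad_id      = store_post($db, $author, $pre_escaped);
$bad_row     = load_post($db, $bad_id);
assert($bad_row['body'] !== $body);                          // DB no longer has the original
assert(strpos(render_post($bad_row), '&amp;lt;') !== false); // and it renders double-escaped

echo $html, "\n";
```

The two assertion groups are the whole point: with the value bound as a parameter the author string containing ' OR 1=1 -- is just data in the row, and because the HTML escaping happens only in render_post(), the same row can later be reused in a different context (a JSON API, an e-mail, a search index) without first undoing an escape that was applied too early.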
