Protection of PHP sites - processing of incoming data

Legitti · 19-03-2016, 08:15 PM

19-03-2016, 07:44 PM
Sozin Wrote:
02-03-2016, 11:01 PM
ivoivo Wrote: good lesson

How do I filter php code in $_POST?

Do you mean all values? Then:

[pre]
array_walk( $_POST, function( &$value, $key ){
$value = filter_function( $value ); // The filter function can be intval, floatval, or anything.. even a custom function will do.
});
[/pre]

Things to look into after considering the above code:
http://php.net/array_walk
http://php.net/manual/en/functions.anonymous.php

Fuck you, your too good with your shit :D

thumper · 25-03-2016, 12:00 AM

mysql_real_escape_string is deprecated and as we're moving into PHP 7 it should now be avoided.

I used to use a function like this:

Code:
function sec($value)
 {
   return mysql_real_escape_string(htmlentities(trim((get_magic_quotes_gpc())?stripslashes($value):$value)));
 }

But since mysqli connections in PHP 5, the function above would require redeclaring the mysqli connection we want to use every time we call the function, so instead we now place our mysql connection into a public class:

Code:
class DB {
 public static $con;
 }

Then make the connection:

Code:
DB::$con = new mysqli('localhost', 'user', 'passw', 'db');
 if(DB::$con->connect_errno) die("Could not connect - " . DB::$con->connect_error);

Then declare our function:

Code:
function sec($value)
 {
   return DB::$con->real_escape_string(htmlentities(trim((get_magic_quotes_gpc())?stripslashes($value):$value)));
 }

Now every time we handle $_POST or $_GET variables we simply call the function, e.g:

Code:
DB::$con->query("INSERT INTO `mytable` (`name`) VALUES('".sec($_POST['yomama'])."')");

bluecode · 01-02-2017, 07:00 PM

thanks for the tips,,

L2Avellan · 03-02-2017, 04:59 PM

this coed i have to add it in every page?

hardian_n · 19-02-2017, 09:11 AM

thanks for the lesson.. will practice soon

epicout · 04-03-2017, 08:55 AM

you are just talking about mysql mod haha but what about other db ? :p

AbouRass · 23-03-2017, 03:41 AM

Well ... this could work .... but I really suggest anyone reading this to further investigate in security before going Live.

triplei12 · 02-03-2018, 02:24 AM

I really like this site! Nice work, staff!
I really like this site! Nice work, staff!

Villa · 02-03-2018, 10:10 PM

Oh my God, thank you for sharing, I really liked the project.

ademelo88 · 14-04-2018, 12:04 PM

Thanks for the good advice, some of the other posts also contain some good information Smile

Protection of PHP sites - processing of incoming data

Submitted by 0-Day, 01-03-2016, 03:34 PM, Thread ID: 18949

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data

RE: Protection of PHP sites - processing of incoming data