Backend Development

Protection of PHP sites - processing of incoming data

Submitted by 0-Day, Thread ID: 18949

Thread Closed

RE: Protection of PHP sites - processing of incoming data

#11
19-03-2016, 07:44 PM
Sozin Wrote:
02-03-2016, 11:01 PM
ivoivo Wrote:
good lesson Smile

How do I filter php code in $_POST?

Do you mean all values? Then:

[pre]
array_walk( $_POST, function( &$value, $key ){
$value = filter_function( $value ); // The filter function can be intval, floatval, or anything.. even a custom function will do.
});
[/pre]

Things to look into after considering the above code:
http://php.net/array_walk
http://php.net/manual/en/functions.anonymous.php

Fuck you, you're too good with your shit :D

RE: Protection of PHP sites - processing of incoming data

This post was last modified: 25-03-2016, 12:01 AM by thumper
#12
mysql_real_escape_string is deprecated and as we're moving into PHP 7 it should now be avoided.

I used to use a function like this:

Code:
function sec($value)
{
    // Undo magic quotes if they are enabled, trim, HTML-encode, then escape for the old mysql_* extension
    $value = get_magic_quotes_gpc() ? stripslashes($value) : $value;
    return mysql_real_escape_string(htmlentities(trim($value)));
}

But since mysqli connections were introduced in PHP 5, the function above would require redeclaring the mysqli connection we want to use every time we call the function, so instead we now place our mysql connection into a public class:

Code:
class DB {
    public static $con; // shared mysqli connection, set once after connecting
}

Then make the connection:

Code:
DB::$con = new mysqli('localhost', 'user', 'passw', 'db');
if (DB::$con->connect_errno) {
    die("Could not connect - " . DB::$con->connect_error);
}

Then declare our function:
Code:
function sec($value)
{
    // Same steps as before, but escaping goes through the shared mysqli connection
    $value = get_magic_quotes_gpc() ? stripslashes($value) : $value;
    return DB::$con->real_escape_string(htmlentities(trim($value)));
}

Now every time we handle $_POST or $_GET variables we simply call the function, e.g:
Code:
DB::$con->query("INSERT INTO `mytable` (`name`) VALUES('".sec($_POST['yomama'])."')");
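An added example (the editor's, not code from this thread or its posters) covering both the question in #11 about filtering $_POST and the escaping approach in #12: validate each expected field with a typed filter so unknown fields are dropped, keep the shared connection idea, but bind values with a prepared statement instead of splicing escaped strings into the SQL, and HTML-encode only at output time so the database stores the raw value. Assumptions: PHP 7.4+, a table `mytable` with columns `name`, `age`, `email`, and placeholder credentials; the sample $_POST data is constructed.

```php
<?php
declare(strict_types=1);

// Validate incoming fields against a typed definition. Keys not in the
// definition are dropped; a field that is missing or fails its filter is
// reported in the error list instead of being silently stored.
function validateInput(array $input): array
{
    $definition = [
        'name'  => ['filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_SCALAR],
        'age'   => ['filter' => FILTER_VALIDATE_INT,
                    'options' => ['min_range' => 0, 'max_range' => 150]],
        'email' => FILTER_VALIDATE_EMAIL,
    ];
    // add_empty=true: missing keys come back as null, failed filters as false
    $clean  = filter_var_array($input, $definition, true);
    $errors = [];
    foreach (array_keys($definition) as $field) {
        if ($clean[$field] === false || $clean[$field] === null) {
            $errors[] = $field;
        }
    }
    if (is_string($clean['name'])) {
        $clean['name'] = trim($clean['name']);
        if ($clean['name'] === '' || mb_strlen($clean['name']) > 100) {
            $errors[] = 'name';
        }
    }
    return [$clean, array_values(array_unique($errors))];
}

// Shared connection holder, as in the thread; connectDb() creates it once.
class DB
{
    public static ?mysqli $con = null;
}

function connectDb(): mysqli
{
    if (DB::$con === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing
        DB::$con = new mysqli('localhost', 'user', 'passw', 'db');  // placeholder credentials
        DB::$con->set_charset('utf8mb4');                            // binding/escaping is charset-aware
    }
    return DB::$con;
}

// The SQL text never contains user data; values travel as bound parameters.
function insertUser(mysqli $con, string $name, int $age, string $email): int
{
    $stmt = $con->prepare('INSERT INTO `mytable` (`name`, `age`, `email`) VALUES (?, ?, ?)');
    $stmt->bind_param('sis', $name, $age, $email);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Encode for HTML at the point of output, not before storage.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Usage with constructed input (no database needed for the validation part)
if (PHP_SAPI === 'cli') {
    $constructedPost = ['name' => "O'Brien <b>", 'age' => '42',
                        'email' => 'not-an-email', 'extra' => 'ignored'];
    [$clean, $errors] = validateInput($constructedPost);
    var_dump($errors);           // ['email']: name and age pass, extra is dropped
    echo h($clean['name']), "\n"; // O&apos;Brien &lt;b&gt;
    if ($errors === []) {
        insertUser(connectDb(), $clean['name'], $clean['age'], $clean['email']);
    }
}
```

The validation step answers the "do I filter every value" question with a per-field definition rather than one filter applied to everything, and the prepared statement removes the need for a `sec()`-style wrapper in the query path. Encoding with `htmlentities` before storage, as in the thread, bakes HTML escaping into the database row, which is wrong for any consumer that is not an HTML page; doing it in `h()` at render time keeps the data reusable.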

RE: Protection of PHP sites - processing of incoming data

#13
thanks for the tips.

RE: Protection of PHP sites - processing of incoming data

#14
this code, i have to add it in every page?

RE: Protection of PHP sites - processing of incoming data

#15
thanks for the lesson.. will practice soon

RE: Protection of PHP sites - processing of incoming data

#16
you are just talking about mysql mod haha but what about other db ? :p

RE: Protection of PHP sites - processing of incoming data

#17
Well ... this could work .... but I really suggest anyone reading this to further investigate in security before going Live.

RE: Protection of PHP sites - processing of incoming data

#18
I really like this site! Nice work, staff!

RE: Protection of PHP sites - processing of incoming data

#19
Oh my God, thank you for sharing, I really liked the project.

RE: Protection of PHP sites - processing of incoming data

#20
Thanks for the good advice, some of the other posts also contain some good information Smile
