is this safe?

Monkuar · February 21, 2012

using this below is it safe against hackers?

$post_id = intval($_GET['report']);
if ($post_id < 1)
	message($lang_common['Bad request']);

query:

	$result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());

should i escape my $topic_id ?

trq · February 21, 2012

You aven't shown us where $topic_id is defined. But yes, *all* user inputed data needs to be escaped before using it in *any* database query.

Monkuar · February 21, 2012

You aven't shown us where $topic_id is defined. But yes, *all* user inputed data needs to be escaped before using it in *any* database query.

srry

$topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;

Still good?

So I should db all my escapes even if it's already at intval?

kicken · February 21, 2012

Running a value through intval() is good enough, no need to call mysql_real_escape_string on it. As an integer it can only contain digits 0-9, anything invalid would just become 0.

Monkuar · February 21, 2012

Running a value through intval() is good enough, no need to call mysql_real_escape_string on it. As an integer it can only contain digits 0-9, anything invalid would just become 0.

Is Intval also safe for hackers that try to input -24 numbers? or Negative numbers? Intval will always be 0-9?

premiso · February 21, 2012

Is Intval also safe for hackers that try to input -24 numbers? or Negative numbers? Intval will always be 0-9?

What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0.

But inval, will allow -24 to pass through, because that is a valid integer.

Monkuar · February 21, 2012

Is Intval also safe for hackers that try to input -24 numbers? or Negative numbers? Intval will always be 0-9?

What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0.

But inval, will allow -24 to pass through, because that is a valid integer.

Yes, alot of harm can be done with a negative integer.... i've had people exploit my system before buying items with &amount=-2425 because i didn't check to make sure it was > 0...

But I guess I will be using intval and if $_GET or $_POST < 0 echo out error, Thanks for the help

premiso · February 21, 2012

Yes, alot of harm can be done with a negative integer.... i've had people exploit my system before buying items with &amount=-2425 because i didn't check to make sure it was > 0...

That is not a negative integer, that is a float / double. I would not recommend converting that to an integer value anyways and you should have other checks in place for that type of logic. Generally, when someone has a question in this regard with converting a value to integer it is for an ID field type or similar, where the only harm that will be done from a negative value is it returns 0 rows. But that is why you code for your application and code in the checks needed as well as escape / filter your data.

EDIT:

Just saw that it was not -24.25 and it was -2425 My mistake there, either or you should have logic in place to verify that is not a negative number if it should not be negative and could adversely affect your application if it is negative.

xyph · February 21, 2012

To force positive numbers you can also use

$topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;

This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign

scootstah · February 21, 2012

To force positive numbers you can also use
$topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;
This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign

You could also typecast and use abs().

$topic_id = abs((int) $_GET['tid']);

Either way works.

xyph · February 22, 2012

Since $_GET is populated by the client, you should check if the key exists before using it.

Psycho · February 22, 2012

Yes, alot of harm can be done with a negative integer.... i've had people exploit my system before buying items with &amount=-2425 because i didn't check to make sure it was > 0...

But I guess I will be using intval and if $_GET or $_POST < 0 echo out error, Thanks for the help

If people are buying things you should not rely upon data submitted by the user to use as the price. you should simply have the user pass the product(s) that they are buying then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.

xyph · February 22, 2012

If people are buying things you should not rely upon data submitted by the user to use as the price. you should simply have the user pass the product(s) that they are buying then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.

I think the issue was quantity, and not cost. The person probably used this to have a negative amount credits removed from their account.

Sign In

is this safe?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information