Ninjakreborn

Everything posted by Ninjakreborn

  1. I have a function I have been using to clean variables for quite a while now.

         <?php
         function deepclean($varinfo) {
             $varinfo = strip_tags($varinfo);
             // htmlspecialchars() and then htmlentities(): the second pass re-encodes the & produced by the first
             $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES);
             $varinfo = htmlentities($varinfo);
             // mysql_real_escape_string() needs an open MySQL connection when it is called
             $varinfo = mysql_real_escape_string($varinfo);
             return $varinfo; // Added this line
         }
         ?>

     I am even currently starting to modify it in my spare time to accept arrays and do the same thing with arrays. My new version even has another variable to say whether or not to use addslashes. I have been rewriting the whole function on the side, so I can start using it after it's tested. I thought this was a good function; however, I added it in a security include into a page (the function), then I tried cleaning a bunch of variables. The login structure I cleaned stopped working, and I had to take them out. The script was:

         <?php
         session_start();
         // Each field is taken from POST, falling back to GET
         if(isset($_POST['userid'])) $userid = $_POST['userid']; else $userid = $_GET['userid'];
         if(isset($_POST['user'])) $user = $_POST['user']; else $user = $_GET['user'];
         if(isset($_POST['pass'])) $pass = $_POST['pass']; else $pass = $_GET['pass'];
         if(isset($_POST['redirect'])) $redirect = $_POST['redirect']; else $redirect = $_GET['redirect'];
         if(isset($_POST['remember'])) $remember = $_POST['remember']; else $remember = $_GET['remember'];
         include($_SERVER['game_config']);
         if ((!$user && !$userid) || !$pass) {
             include("login-header.php");
             print "Please fill out all fields.";
             include("login-footer.php");
             exit;
         }
         // The password is hashed and then interpolated straight into the query text
         $pass = md5($pass);
         if(is_numeric($userid))
             $logresq = mysql_query("select `id`,`user`,`pass`, `daylogins`, `donator`, `choice` from players where id='$userid' and pass='$pass'");
         else
             $logresq = mysql_query("select `id`,`user`,`pass`, `daylogins`, `donator`, `choice` from players where user='$user' and pass='$pass'");
         $logres = mysql_num_rows($logresq);
         echo mysql_error();
         $logresa = mysql_fetch_array($logresq);
         if ($logres <= 0) {
             include("login-header.php");
             print "Login failed. If you have not already, please signup. Otherwise, check your spelling and login again.<br><br><a href=loginbyid.php>Click here if you know your ID, but not your username.</a>";
             include("login-footer.php");
             exit;
         } else {
             $ctime = time();
             mysql_query("UPDATE players SET logins=logins+1, daylogins=daylogins+1, lastlogout = lpv, readtopics = '' WHERE id = $logresa[id]");
             if($remember == 1) { //Remember Me!!!
                 // Both cookies expire one year from now
                 setcookie("cw_uid", $logresa['id'], mktime(date("H"), date("i"), date("s"), date("m"), date("d"), date("Y")+1), "/", $_SERVER['game_cookie_domain']);
                 setcookie("cw_pw", $pass, mktime(date("H"), date("i"), date("s"), date("m"), date("d"), date("Y")+1), "/", $_SERVER['game_cookie_domain']);
             }
             $userid = $logresa['id']; // was $logresa[id]; outside a string an unquoted key is read as a constant
             session_register("userid");
             session_register("pass");
             if(isset($redirect)) header("Location: $redirect");
             elseif($logresa['choice'] == "") header("Location: chooseside.php");
             elseif($logresa['donator'] == 0 && $logresa['daylogins'] == 0) header("Location: intro.php");
             else header("Location: intro.php");
         }
         ?>

     So the actual point is, for some reason when I run deepclean() on all the variables, the login goes to a blank white page (no errors) and just doesn't log in. When I stop cleaning the variables they work fine. That is what I don't understand: is it something I didn't notice with my system, or is it something to do with the login script instead? Thanks for any feedback, thanks.
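As an added example (not code from the post above or from the site it describes), the script below runs the same steps as the posted deepclean() over a few constructed inputs and shows why a value that is escaped before md5() no longer hashes to the digest of what the user actually typed. It then performs the same login lookup with a prepared statement, binding the raw values for SQL and HTML-encoding only at output time. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; addslashes() stands in for mysql_real_escape_string(), which requires an open MySQL connection and otherwise raises a warning and returns false. That last point is worth checking in any setup where a cleaning include runs before the database connection is opened. The table layout and sample values are constructed.

```php
<?php
// Added example, not the poster's code. Demonstrates (1) how stacked
// "cleaning" changes a value before it is hashed or queried and (2) a
// context-specific alternative: bind for SQL, hash the raw password,
// encode for HTML only when rendering. Requires the pdo_sqlite extension.

function deepclean_like(string $v): string {
    // Same sequence as the posted deepclean(); addslashes() replaces
    // mysql_real_escape_string(), which needs a live MySQL connection
    // (without one it emits E_WARNING and returns false, i.e. an empty value).
    $v = strip_tags($v);
    $v = htmlspecialchars($v, ENT_NOQUOTES);
    $v = htmlentities($v);      // re-encodes the & produced by the previous line
    return addslashes($v);
}

// Constructed inputs a real user might type into a login form.
$samples = ["O'Brien", 'p<a>ss&word', 'plain123'];
foreach ($samples as $s) {
    $c = deepclean_like($s);
    printf("%-14s -> %-28s md5 unchanged: %s\n", $s, $c, md5($s) === md5($c) ? 'yes' : 'NO');
}

// Context-specific handling with an assumed table layout.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)');

// One constructed account; md5 is used here only to mirror the posted scheme.
$ins = $db->prepare('INSERT INTO players (user, pass) VALUES (:user, :pass)');
$ins->execute([':user' => "O'Brien", ':pass' => md5('p<a>ss&word')]);

function login(PDO $db, string $user, string $pass): ?array {
    // The raw values are bound as parameters, never interpolated, so quotes
    // and tags inside them cannot change the meaning of the query.
    $st = $db->prepare('SELECT id, user FROM players WHERE user = :user AND pass = :pass');
    $st->execute([':user' => $user, ':pass' => md5($pass)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

echo login($db, "O'Brien", 'p<a>ss&word') ? "raw credentials: ok\n" : "raw credentials: failed\n";
// The "cleaned" username is a different string, so the same lookup fails.
echo login($db, deepclean_like("O'Brien"), 'p<a>ss&word') ? "cleaned username: ok\n" : "cleaned username: failed\n";
// A quote in the username is just data here; no row matches.
echo login($db, "x' OR '1'='1", 'anything') ? "quoted username: ok\n" : "quoted username: failed\n";

// Encode for HTML exactly once, at the point of output.
echo htmlspecialchars("O'Brien", ENT_QUOTES, 'UTF-8'), "\n";
```

The design point is that each escaping function protects one output context, so applying all of them to a value on input both mutates the data (the stored name and the md5 digest no longer match what the user typed) and still leaves the query unprotected if the value is later interpolated anyway; binding parameters removes the need to escape for SQL at all.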
  2. They are specific identifiers. It labels it as "variable". Basically, at least. They aren't generally required, but in some circumstances such as this they are.
  3. He probably meant excited, not exciting. It sounds like it was just a typo.
  4. I found it. There was something I had never seen before called rules="something" and I took that out and they disappeared. Thanks.
  5. I simply worked up some table information in a pre-built site (the client had already created everything). It's tabular data so I of course put it in tables (the financial information section). Can someone let me know how to remove those borders? I have been poring through the CSS for hours. It has been very annoying; NOTHING in the CSS is causing this, I don't understand. In IE, the bottom borders aren't there; in Firefox they are, and he wants them removed. What I don't understand is why, when I disabled all CSS with a Firefox plugin, they are still there, so it's "not" something specifically related to CSS. Does someone know what might be causing this? http://www.fbtest1.com/financialinfo.php Thanks.
  6. I have been looking around through Google Translator. How do I find the translator for the actual site? I see all their translation services; however, I have seen sites with a link that translates stuff (using Google) right from the site itself.
  7. The code you gave me is amazing. This is something I fought with on another project that took me about 2 weeks and still didn't finish. I was wondering, what about this code makes it work for any situation? Can you re-post the code (anyone) and comment it as best you can to help me fully understand the code, so I can understand it and study it some? Thanks again for the help.
  8. Yes, but once a substantial amount of layouts are created, they can be re-created for other purposes. If you take 1 day to build a 3 column layout with header/footer, keep a blank copy (no content), and replicate it and modify it for other projects. Most of the time the fancy workarounds aren't needed, and once you learn a technique you know it for life.
  9. Hmm, thanks a lot for finding that. I just happened to come back and check this post. I will go ahead and relay the message to him, I am having him call me, I will explain how and why that is an issue. Get him to set some stuff in place to fix it. Thank you for the feedback.
  10. Ok, that should be everything I need thanks. SOLVED
  11. What options are available to rewrite URLs? After finally looking up mod_rewrite, it's not something you can do with PHP. It is something done in Apache; something like CodeIgniter does it on all systems, and I am unaware of how they do it, I can't find anything about it. I also know .htaccess is another option, but not all servers support or allow .htaccess files, so that is another thing that won't work. Is there a way using just PHP to rewrite all incoming URLs and make them segment based?
  12. Perfect, thanks for the help. Solved
  13. I have seen a good number of programs (3rd party software) that have a folder called Cron. I was wondering if cron jobs can be executed without the use of a server (meaning can PHP handle cron jobs all by itself, and make them run).
  14. Thank you for the advice. Based on all the advice I have received here, and thanks to all the inspiration, I was able to create a pretty good list. I am pretty sure this will greatly limit the vulnerabilities that exist on the site. If some admin could be so kind as to just eliminate that URL that is listed above. I want to remove all entries to the site; I just wanted it up there temporarily to get some help. Again, thank you all for the wonderful advice. I think I have enough to get this as secured as I can. SOLVED
  15. Ah ok. Thanks for the tips. That might help me in the future from having to ask as much. Thanks again. SOLVED
  16. So should this be the time when I pick up where I left off with Mcrypt? I was trying to understand the keys a while back; is this going to be the situation where I need to start using it again? Or is there something lighter I can trust more for a site that is going to have someone trying their hardest to hack it? He has already gotten pretty drastic with it at this point. I am sure he would do anything to try and get access to anything on the site he wasn't supposed to, so the utmost security has to be set in place. I am preparing a list of things that need to be done and presenting them to the client. This is a list of what I have; from here I am going to expand on the list and present it. Hopefully this will be everything, almost.
  17. Yes, they are encrypted through md5. However, I did notice when you sign up it sends you an email with the password in plain text; should this be taken out?
  18. Ok, I turned off directory access. I am going to follow all advice on here and heavily work on securing that login.
        1. Making accounts validate the email
        2. Building login captcha
        3. Do the recording/restrictions that were altered here
        4. Clean variables (critical areas, it's a huge site)
      Hopefully once these issues are spoken out, and fixed, this will remove the hacking. He has also mentioned shutting the site down, so I hope he doesn't have high level access I was not aware of.
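Posts 17 and 18 above mention passwords stored as md5 and adding restrictions around the login. The script below is an added example (not from the thread or from the site discussed) of two defensive steps a login handler can take without a migration outage: it keeps existing md5 rows working, replaces each one with a password_hash() value the next time its owner logs in successfully (the only moment the plaintext is available), and counts failed attempts per account. It uses an in-memory SQLite database via PDO; the table layout, the limit of five failures, and the sample account are assumptions. A permanent counter lets anyone who knows a username lock that account, so in practice it is paired with a time window or a reset path rather than an indefinite block.

```php
<?php
// Added example, not the thread's code. Legacy md5 rows are verified with a
// constant-time compare and upgraded in place on success; failures are
// counted per account. Requires the pdo_sqlite extension.

const MAX_FAILED = 5;   // assumed limit

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT, failed INTEGER DEFAULT 0)');
// A constructed legacy row, stored the way the posted site stores it: unsalted md5.
$db->prepare('INSERT INTO players (user, pass) VALUES (?, ?)')->execute(['alice', md5('correct horse')]);

function is_legacy_md5(string $stored): bool {
    // 32 lowercase hex characters is the md5 format; password_hash() output starts with "$".
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function login(PDO $db, string $user, string $pass): string {
    $st = $db->prepare('SELECT id, pass, failed FROM players WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'failed';            // same answer as a wrong password: do not reveal which
    }
    if ($row['failed'] >= MAX_FAILED) {
        return 'locked';            // a reset flow or an admin clears the counter
    }
    $legacy = is_legacy_md5($row['pass']);
    $ok = $legacy
        ? hash_equals($row['pass'], md5($pass))     // constant-time compare of the legacy digest
        : password_verify($pass, $row['pass']);
    if (!$ok) {
        $db->prepare('UPDATE players SET failed = failed + 1 WHERE id = ?')->execute([$row['id']]);
        return 'failed';
    }
    // Success: reset the counter and, if the stored value is still md5 (or an
    // outdated password_hash() cost), replace it with a fresh hash now.
    if ($legacy || password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE players SET pass = ?, failed = 0 WHERE id = ?')
           ->execute([password_hash($pass, PASSWORD_DEFAULT), $row['id']]);
    } else {
        $db->prepare('UPDATE players SET failed = 0 WHERE id = ?')->execute([$row['id']]);
    }
    return 'ok';
}

echo login($db, 'alice', 'wrong'), "\n";           // failed (counter becomes 1)
echo login($db, 'alice', 'correct horse'), "\n";   // ok; row is rewritten with password_hash()
$stored = $db->query("SELECT pass FROM players WHERE user = 'alice'")->fetchColumn();
echo is_legacy_md5($stored) ? "still md5\n" : "upgraded\n";
for ($i = 0; $i < MAX_FAILED; $i++) {
    login($db, 'alice', 'wrong');
}
echo login($db, 'alice', 'correct horse'), "\n";   // locked: the correct password no longer helps
```

The rehash-on-login pattern is what makes the upgrade safe to deploy gradually: no existing user is forced through a reset, and every account that logs in once stops depending on the md5 digest, which can be reversed for common passwords with precomputed tables.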
  19. Perfect, both of those will be fixed. However, there is one thing that happened that is causing this. There is one user that has gotten into the site. One user that got into the site, that caused a problem. He has been getting into other people's accounts and transferring money from their account to his. Based on what the admin says he has gotten into a total of 8 accounts so far. He will continue unless I figure out what he is putting in there.
  20. Thanks for the advice. However, I have not asked many questions; at most I am limiting it to 2 questions open at any one time. I also have made sure I mark each one as answered and set them to solved. I have been doing so based off the advice from others. Thanks for all the advice, however; based on the suggestions I have an idea, thanks. SOLVED
  21. Ok, any more really hard tests would be appreciated. I understand the issue with variables (sitewide) not being cleaned, and I intend to fix that, but there are a lot of variables and a lot of cleaning to do. Most of them are passed straight into queries. If anyone else wants to do what they can, it's appreciated. I told him there would be multiple testers going through the site, trying to find security issues, so anything that anyone can uncover would help a lot. Thanks so far.
  22. I actually have 2 suggestions I would like to offer. They may have been discussed before, but I didn't see any occurrences of these two. 1. I think that the topic solved mod is a great idea. It really does help to let people know when the answer has been given, and you are done with that post. I really think it should also be in the misc as well; a lot of people ask questions in misc, and I for one would always mark it solved if it was a question related one. 2. In the freelance forum I wish we could have the edit limit removed. Because there might be times when people want to edit their original list, for instance their first post has their portfolio links or something, then if they are able to edit it, they could just re-edit it, or something else, instead of having to delete it, because ones that have been there longer have been viewed longer. A posting there with 650+ views, having to start back at 0 could probably bother someone. Just some ideas (thanks)