Monkuar

Everything posted by Monkuar

  1. Well everything seems to work now maniac. Here is everything. I use
       $message = parse_message($message, $errors);
     Then when it enters into my database I use
       $db->escape($message)
     $db escape is just a mysql escape string return function. Then when I view the message, I don't use any parser to read it, I let html read it, because it's already been converted into html. It's not letting me submit <b>hey</b> or html tags though! so that's good! (no hackers) Here is the full parser: http://pastebin.com/DSKzHGLm The prob was I was calling the parser on $message before it entered the database twice, which was making it do weird things. What I just explained above is working now, html is not working and bbcodes are. I have unconvert functions though so people can edit, but will work on that later
  2. Well because I don't want people to spam smiley images on my message board and eat up bandwidth so I only make it so people can use 7 of each smiley. All I do is wrap $db->escape(parse_message($message)) before it enters into my database, should I use the html entities thing before that? then use parse?
  3. does
       function pun_htmlspecialchars($str)
       {
           return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
       }
     This is my code: http://pastebin.com/m0gmXAfQ see my $text = pun_htmlspecialchars($text); right under global? I am calling it before?
  4. I added $text = pun_htmlspecialchars($text); above the rest of the code scoots, but it now just shows <b>hey</b> instead of actually formatting it into a bolded "b"?
  5. Everything works fine, unless I add this stupid thing to get rid of people using HTML: $text = pun_htmlspecialchars($text); Once I add that to my function, no bbcodes work at all? But I can't use html.. (which is good) but I need to be able to use BBCODE, and parse hackers from using html also, any help? MY CODE absolutely destroyed the forum page, here it is: http://pastebin.com/jv7m47kn
  6. Thank you, looking good now, I added more functions for if the user has less gold than they're trying to enter -> error out/etc ty
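As an added example (not the parser from the pastebin links above), this is the order of operations the thread is circling: escape the raw HTML first, then convert a whitelist of BBCode tags on the already-escaped text. With this ordering `<b>hey</b>` stays literal, `[b]hey[/b]` becomes `<strong>`, and a `[url]` only turns into a link when it is an http(s) URL.

```php
<?php
// Added example (not the thread's parser): escape HTML first, then turn
// a small whitelist of BBCode tags into HTML on the escaped text.
function parse_message_safe(string $text): string
{
    // 1. Neutralise raw HTML: <, >, " and ' become entities, so nothing
    //    the user typed can ever be rendered as a tag or attribute.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Formatting tags. [ and ] are untouched by htmlspecialchars,
    //    so the BBCode is still there to match; the captured content is
    //    already escaped and goes straight into the output.
    $simple = [
        '%\[b\](.*?)\[/b\]%s' => '<strong>$1</strong>',
        '%\[i\](.*?)\[/i\]%s' => '<em>$1</em>',
        '%\[u\](.*?)\[/u\]%s' => '<u>$1</u>',
    ];
    $text = preg_replace(array_keys($simple), array_values($simple), $text);

    // 3. [url]: only http(s) URLs become links; anything else is left
    //    as the escaped text it already is.
    return preg_replace_callback(
        '%\[url\](.*?)\[/url\]%s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('%^https?://%i', $url)
                || filter_var($url, FILTER_VALIDATE_URL) === false) {
                return $m[1];
            }
            $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $href . '</a>';
        },
        $text
    );
}

// Constructed inputs covering the three cases:
foreach (['<b>hey</b>', '[b]hey[/b]',
          '[url]https://example.com/?a=1&b=2[/url]',
          '[url]example.com/no-scheme[/url]'] as $input) {
    echo parse_message_safe($input), "\n";
}
```

Because the stored text is already HTML, it is displayed without a second parsing pass, which is also what removes the "parser called twice" problem described in post 1.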
  7. 
       //Security
       $_POST['amount'] = floatval($_POST['amount']);
       if (!is_numeric($_POST['amount'])){
           message($lang_common['Bad request']);
       }
       if ($pun_user['gold'] < $_POST['amount'] ){
           message('You do not have enough Gold');
       }
       if ($_POST['amount'] < 0){
           message($lang_common['Bad request']);
       }
     Looking good now?
  8. okay good, I just don't want to get SQL injection hacked again so I am trying everything possible.... I will even be escaping my ints just because I'm sick of hackers
  9. you sir have won the internet, congrats
  10. 
       $_POST['amount'] = intval($_POST['amount']);
       if ($_POST['amount'] < 0){
           message($lang_common['Bad request']);
       }
       if (!is_numeric($_POST['amount'])){
           message($lang_common['Bad request']);
       }
       echo $pun_user['gold'];
       echo '<br>';
       echo $_POST['amount'];
       exit;
      If I enter 0.05 in my gold input textbox and submit it, it reads 0, it doesn't read the decimal values, I need it to read them, but I also need it to be secure and use intval.. help
  11. I need to secure my code more
       $_POST['amount'] = intval($_POST['amount']);
       if ($_POST['amount'] <= 0){
           message($lang_common['Bad request']);
       }
       if (!is_numeric($_POST['amount'])){
           message($lang_common['Bad request']);
       }
      $_POST['amount'] will be the amount of gold people will be able to send to each other. Any SQL injection vulnerability right now? if so, help. I cast my intval and is_numeric on it, any other ways to secure it with php functions? as of right now it can only be numeric right?
  12. ok epic! thanks so much, sorry I had to get you guys to explain it to me, I am just trying to figure out this injection stuff, sick of people injecting code on my forum, it's pissing me off. Thanks :topic re-solved
  13. okay, so then the above would be more secure if I did:
       $stick_topic = isset($_POST['stick_topic']) ? '1' : '0';
       if (!intval($stick_topic)){
           echo "stop hacking";
           exit;
       }
      casting it as an intval only would be hack safe? should I add
       if ($stick_topic < 1 ){
           echo "hacker trying to do negative on me now?";
           exit;
       }
      make it even more secure eh? okay scootsah, so always make sure I cast integers before input and then db escape them just to be on the safe side? I really just don't want to get hacked again, I'm escaping everything
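An added example, not code from these posts, of the decimal-amount problem raised in posts 10 and 11: the amount is validated as a plain decimal string instead of being forced through intval(), and the debit is a prepared statement that re-checks the balance inside the UPDATE. It assumes (my assumptions, not the board's schema) a mysqli connection and a table users(id INT, gold DECIMAL(12,2)).

```php
<?php
// Added example (not the thread's code). Validates a gold transfer amount
// that may carry decimals, then debits it with a prepared statement.
// Assumed schema: users(id INT, gold DECIMAL(12,2)).

function validate_gold_amount($raw): ?float
{
    // Only a plain decimal number with up to two places is accepted.
    // This alone rejects "-24", "1e3", "0x1A", " 5" and array input.
    if (!is_string($raw) || !preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    $amount = (float) $raw;
    return $amount > 0 ? $amount : null;   // 0 and 0.00 are rejected too
}

function send_gold(mysqli $db, int $from_id, int $to_id, $raw): string
{
    $amount = validate_gold_amount($raw);
    if ($amount === null) {
        return 'Bad request';
    }
    // The balance is checked in the UPDATE itself, so two requests
    // racing each other cannot both succeed on the same gold.
    $db->begin_transaction();
    $debit = $db->prepare(
        'UPDATE users SET gold = gold - ? WHERE id = ? AND gold >= ?');
    $debit->bind_param('did', $amount, $from_id, $amount);
    $debit->execute();
    if ($debit->affected_rows !== 1) {
        $db->rollback();
        return 'You do not have enough Gold';
    }
    $credit = $db->prepare('UPDATE users SET gold = gold + ? WHERE id = ?');
    $credit->bind_param('di', $amount, $to_id);
    $credit->execute();
    if ($credit->affected_rows !== 1) {
        $db->rollback();               // unknown recipient
        return 'Bad request';
    }
    $db->commit();
    return 'Sent';
}

// Constructed request values, as they would arrive in $_POST['amount']:
foreach (['0.05', '24', '-24', '1e3', 'abc', '0'] as $input) {
    $v = validate_gold_amount($input);
    echo $input, ' => ', $v === null ? 'rejected' : 'ok', "\n";
}
```

Because the value is bound as a parameter, it never becomes part of the SQL text, so no escaping step is needed on top of the validation.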
  14. Cast meaning as this variable will be only 1 or 0, so it's impossible to inject? if so topic solved ty
  15. $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0? sorry it's just I got hacked so I am trying to do my security #1
  16. O, RLY? http://en.wikipedia.org/wiki/APNG http://people.mozilla.com/~dolske/apng/demo.html I don't use crappy opera or firefox, so I never knew. pretty cool tho thanks for sharing. They are pretty worthless if the top major browsers in the world don't support them though.
  17. .png cannot be animated images
  18. What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0. But intval will allow -24 to pass through, because that is a valid integer. Yes, a lot of harm can be done with a negative integer.... I've had people exploit my system before buying items with &amount=-2425 because I didn't check to make sure it was > 0... But I guess I will be using intval and if $_GET or $_POST < 0 echo out error, Thanks for the help
  19. Is intval also safe for hackers that try to input -24 numbers? or Negative numbers? intval will always be 0-9?
  20. sorry $topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0; Still good? So I should db all my escapes even if it's already at intval?
  21. using this below is it safe against hackers?
       $post_id = intval($_GET['report']);
       if ($post_id < 1)
           message($lang_common['Bad request']);
      query:
       $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());
      should I escape my $topic_id?
  22. 
       function convert_youtube($code,$code1)
       {
           $youtube_count++;
           return '<embed src="http://'.$code.'youtube.com/v/'.$code1.'" type="application/x-shockwave-flash" wmode="transparent" width="512" height="313" allowfullscreen="true" />';
       }
       echo $youtube_count;
      I'm trying to echo it out, I have like 5 flash videos on the bbcode parser:
       $RegEx = '%(\[quote(?:=[^\]]*)\].*?)?\[youtube\]http\://(.*?)youtube\.com/watch\?v\=(.*?)\[/youtube\](.*?\[/quote\])?%ie';
       if(preg_match_all($RegEx, $text, $matches,PREG_SET_ORDER)){
           foreach($matches as $match){
               if(!empty($match[0]) && empty($match[1]) && empty($match[4])){
                   $text = str_replace($match[0], convert_youtube($match[2],$match[3]), $text);
               }else{
                   $url = sprintf('http://%syoutube.com/watch?v=%s',$match[2],$match[3]);
                   $text = str_replace($match[0], sprintf('%s<a href=\'%s\' target=\"_blank\">%s</a>%s',$match[1],$url,$url,$match[4]), $text);
               }
           }
       }
      if I do "echo "hey";" it works but not any variables.. zzzzzzzzzzzzzzzzz
  23. My Smilies:
       $smilies = array(
           '' => 'smile.gif',
           '=)' => 'smile.png',
           ':|' => 'neutral.png',
           '=|' => 'neutral.png',
           '' => 'sad.png',
           '=(' => 'sad.png',
           '' => 'big_smile.png',
           '=D' => 'big_smile.png',
           '' => 'yikes.png',
           '' => 'yikes.png',
           '' => 'wink.png',
           ':/' => 'hmm.png',
           '' => 'tongue.png',
           '' => 'tongue.png',
           '' => 'lol.png',
           ':mad:' => 'mad.png',
           '' => 'roll.png',
           ':cool:' => 'cool.png');
      My function to convert:
       function do_smilies($text)
       {
           global $pun_config, $smilies;
           $text = ' '.$text.' ';
           foreach ($smilies as $smiley_text => $smiley_img)
           {
               if (strpos($text, $smiley_text) !== false)
                   $text = ucp_preg_replace('%(?<=[>\s])'.preg_quote($smiley_text, '%').'(?=[^\p{L}\p{N}])%um', '<img src="'.pun_htmlspecialchars(get_base_url(true).'/img/smileys/'.$smiley_img).'" alt="'.substr($text, 0, strrpos($text, '.')).'" />', $text);
           }
           return substr($text, 1, -1);
       }
      I am trying to make the alt='' Can you help me please? I tried $text, but then it just foreaches it and converts it again. I'm trying to put the smiley code inside the alt tag.
  24. but I have no idea where they are doing the queries from! so I dunno what query to give you!! Here is one from a gold mod I made.
       function buyticket()
       {
           global $ibforums, $DB, $std, $print;

           // Newmans checker lol
           if ($ibforums->input['amount'] < 0){
               $std->Error2("Stop being nawty");
           }
           ///
           //Figure out the id and send variables for each
           if (!$ibforums->input['id']){
               $std->Error2("Stop trying to be nawty....");
           }
           switch ($ibforums->input['id']){
               case "1";
                   $name = "100FG Scratch Ticket(s)";
                   $cost = "10";
                   $redirect = 'Scratch Ticket';
                   break;
               case "2";
                   $name = "1,000FG Scratch Ticket(s)";
                   $cost = "125";
                   $redirect = 'Scratch Ticket';
                   break;
               case "3";
                   $name = "Name Stylizer Ticket";
                   $cost = "1500";
                   $redirect = 'Name Stylizer';
                   break;
               case "4";
                   $name = "Goodie Bag";
                   $redirect = 'Goodie Bag';
                   $cost = "1699";
                   break;
           }
           If (isset($ibforums->input['amount']) AND $ibforums->input['amount'] > "100"){
               $std->Error2("You can only buy a max of 100 Tickets");
           }else{
           }
           If (isset($ibforums->input['amount'])){
               $amount2 = $ibforums->input['amount'];
           }else{
               $ibforums->input['amount'] = "1";
               $amount2 = '1';
           }
           $amount = $cost*$ibforums->input['amount'];
           $newamount = $amount;
           if ($ibforums->member['gold'] < $amount) {
               $std->Error2("You do not have enough Forum Gold you need, $amount");
           }else{
               //Check if they already have the item
               $DB->query("SELECT item_id from items where user_id = {$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
               $r2 = $DB->fetch_row();
               if ($r2['item_id'] == $ibforums->input['id']){
                   //Just update and give them quantity +1
                   $DB->query("UPDATE items SET quantity=quantity+$amount2,comment='Bought $name' WHERE user_id={$ibforums->member['id']} AND item_id = {$ibforums->input['id']}");
                   $DB->query("UPDATE ibf_members SET gold=gold-$amount WHERE id={$ibforums->member['id']}");
                   $db_string = $std->compile_db_string( array(
                       'to_id'    => "0",
                       'from_id'  => "{$ibforums->member['id']}",
                       'comments' => "Bought {$amount2}x $name",
                       //Date
                       'date'     => time(),
                       //0 -> Store 1 -> Receieved 2 -> Sent
                       'amount'   => "$newamount",
                   ) );
                   $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
                   $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
               }else{
                   $DB->query("UPDATE ibf_members SET gold=gold-$amount WHERE id={$ibforums->member['id']}");
                   $db_string = $std->compile_db_string( array(
                       'to_id'    => "0",
                       'from_id'  => "{$ibforums->member['id']}",
                       'comments' => "Bought {$amount2}x $name",
                       //Date
                       'date'     => time(),
                       //0 -> Store 1 -> Receieved 2 -> Sent
                       'amount'   => "$newamount",
                   ) );
                   $DB->query("INSERT INTO gold_logs (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
                   $db_string = $std->compile_db_string( array(
                       'item_id'  => "{$ibforums->input['id']}",
                       'user_id'  => "{$ibforums->member['id']}",
                       'from_id'  => "0",
                       'date'     => time(),
                       'quantity' => ''.$amount2.'',
                       'comment'  => "{$name}",
                   ) );
                   $DB->query("INSERT INTO items (" .$db_string['FIELD_NAMES']. ") VALUES (". $db_string['FIELD_VALUES'] .")");
                   $print->redirect_screen("$redirect Purchased", 'a=Shop&action=MyItems');
               }
           }
           $this->output .= <<< LOL
LOL;
       }
      Now, see the problem is, they can't access those queries unless they have gold on their account am I right? the hacker has no gold on his profile so I know he didn't use this. okay here's another query in the profile settings
       //Make sure no1 comes in...
       //Update the star they chose..
       if (isset($ibforums->input['remove'])) {
           $DB->query("UPDATE ibf_members set star='' WHERE id='".$this->member['id']."'");
           $print->redirect_screen("Your star has been removed.", "a=[]&c=Donor");
       }
       if (isset($ibforums->input['star'])) {
           // Newmans checker lol
           if ($ibforums->input['star'] < 0){
               $std->Error2("Stop being nawty");
           }
           if ($ibforums->input['star'] > $this->member['max_stars']){
               //They trying to hack my stars...
               $std->Error2("You cannot choose a star you don't have access to...");
           }else{
               $DB->query("UPDATE ibf_members set star='{$ibforums->input['star']}' WHERE id='".$this->member['id']."'");
           }
       }
      would that be vulnerable? but the hacker had a max_stars of 0 anyway.... so how could they get in? but in general are queries like this vulnerable? but isn't the $ibforums input already escaped? or should I use mysql_real_escape on it again? I don't get it
  25. I have tons of queries as this forum software is from 2001. Here is a random code that works to pull all the data from the index to show the forum categories
       $DB->query("SELECT f.*, f.name as forum_name, f.id as forum_id, f.posts as forum_posts, f.topics as forum_topics, t.*, c.name as cat_name, c.id as cat_id, c.state as cat_state FROM ibf_topics t, ibf_forums f , ibf_categories c WHERE t.tid=".$ibforums->input['t']." and f.id = t.forum_id and f.category=c.id");
      $ibforums is a global var:
       $ibforums->input = $std->parse_incoming();
      parse_incoming is:
       function parse_incoming()
       {
           global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_CLIENT_IP, $REQUEST_METHOD, $REMOTE_ADDR, $HTTP_PROXY_USER, $HTTP_X_FORWARDED_FOR;

           $return = array();

           if( is_array($HTTP_GET_VARS) )
           {
               while( list($k, $v) = each($HTTP_GET_VARS) )
               {
                   //-- mod_sec_update_131 begin
                   if (strpos($k, "amp;") === 0) $k = substr($k, 4);
                   //-- mod_sec_update_131 end
                   if ( $k == 'INFO' )
                   {
                       continue;
                   }
                   if( is_array($HTTP_GET_VARS[$k]) )
                   {
                       while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )
                       {
                           $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                       }
                   }
                   else
                   {
                       $return[$k] = $this->clean_value($v);
                   }
               }
           }

           // Overwrite GET data with post data
           if( is_array($HTTP_POST_VARS) )
           {
               while( list($k, $v) = each($HTTP_POST_VARS) )
               {
                   if ( is_array($HTTP_POST_VARS[$k]) )
                   {
                       while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )
                       {
                           $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                       }
                   }
                   else
                   {
                       $return[$k] = $this->clean_value($v);
                   }
               }
           }

           //----------------------------------------
           // Sort out the accessing IP
           // (Thanks to Cosmos and schickb)
           //----------------------------------------
           $addrs = array();
           foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
           {
               $x_f = trim($x_f);
               if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
               {
                   $addrs[] = $x_f;
               }
           }
           $addrs[] = $_SERVER['REMOTE_ADDR'];
           $addrs[] = $HTTP_PROXY_USER;
           $addrs[] = $REMOTE_ADDR;

           //header("Content-type: text/plain");
           //print_r($addrs);
           //print $_SERVER['HTTP_X_FORWARDED_FOR'];
           //exit();

           $return['IP_ADDRESS'] = $this->select_var( $addrs );

           // Make sure we take a valid IP address
           $return['IP_ADDRESS'] = preg_replace( "/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/", "\\1.\\2.\\3.\\4", $return['IP_ADDRESS'] );

           $return['request_method'] = ( $_SERVER['REQUEST_METHOD'] != "" ) ? strtolower($_SERVER['REQUEST_METHOD']) : strtolower($REQUEST_METHOD);

           return $return;
       }
      Now see $ibforums->input is a cleaned value? But is that query still vulnerable? this is the class for $DB->query:
       function query($the_query, $bypass=0)
       {
           //--------------------------------------
           // Change the table prefix if needed
           //--------------------------------------
           if ($bypass != 1)
           {
               if ($this->obj['sql_tbl_prefix'] != "ibf_")
               {
                   $the_query = preg_replace("/ibf_(\S+?)([\s\.,]|$)/", $this->obj['sql_tbl_prefix']."\\1\\2", $the_query);
               }
           }

           if ($this->obj['debug'])
           {
               global $Debug, $ibforums;
               $Debug->startTimer();
           }

           $this->query_id = mysql_query($the_query, $this->connection_id);

           if (! $this->query_id )
           {
               $this->fatal_error("mySQL query error: $the_query");
           }

           if ($this->obj['debug'])
           {
               $endtime = $Debug->endTimer();

               if ( preg_match( "/^select/i", $the_query ) )
               {
                   $eid = mysql_query("EXPLAIN $the_query", $this->connection_id);

                   $ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FFE8F3' align='center'>
                       <tr>
                         <td colspan='8' style='font-size:14px' bgcolor='#FFC5Cb'><b>Select Query</b></td>
                       </tr>
                       <tr>
                         <td colspan='8' style='font-family:courier, monaco, arial;font-size:14px;color:black'>$the_query</td>
                       </tr>
                       <tr bgcolor='#FFC5Cb'>
                         <td><b>table</b></td><td><b>type</b></td><td><b>possible_keys</b></td>
                         <td><b>key</b></td><td><b>key_len</b></td><td><b>ref</b></td>
                         <td><b>rows</b></td><td><b>Extra</b></td>
                       </tr>\n";

                   while( $array = mysql_fetch_array($eid) )
                   {
                       $type_col = '#FFFFFF';

                       if ($array['type'] == 'ref' or $array['type'] == 'eq_ref' or $array['type'] == 'const')
                       {
                           $type_col = '#D8FFD4';
                       }
                       else if ($array['type'] == 'ALL')
                       {
                           $type_col = '#FFEEBA';
                       }

                       $ibforums->debug_html .= "<tr bgcolor='#FFFFFF'>
                           <td>$array[table] </td>
                           <td bgcolor='$type_col'>$array[type] </td>
                           <td>$array[possible_keys] </td>
                           <td>$array[key] </td>
                           <td>$array[key_len] </td>
                           <td>$array[ref] </td>
                           <td>$array[rows] </td>
                           <td>$array[Extra] </td>
                       </tr>\n";
                   }

                   if ($endtime > 0.1)
                   {
                       $endtime = "<span style='color:red'><b>$endtime</b></span>";
                   }

                   $ibforums->debug_html .= "<tr>
                       <td colspan='8' bgcolor='#FFD6DC' style='font-size:14px'><b>mySQL time</b>: $endtime</b></td>
                     </tr>
                   </table>\n<br />\n";
               }
               else
               {
                   $ibforums->debug_html .= "<table width='95%' border='1' cellpadding='6' cellspacing='0' bgcolor='#FEFEFE' align='center'>
                       <tr>
                         <td style='font-size:14px' bgcolor='#EFEFEF'><b>Non Select Query</b></td>
                       </tr>
                       <tr>
                         <td style='font-family:courier, monaco, arial;font-size:14px'>$the_query</td>
                       </tr>
                       <tr>
                         <td style='font-size:14px' bgcolor='#EFEFEF'><b>mySQL time</b>: $endtime</span></td>
                       </tr>
                   </table><br />\n\n";
               }
           }

           $this->query_count++;

           $this->obj['cached_queries'][] = $the_query;

           return $this->query_id;
       }
      I have these queries like this all over my board, tons of them..... I know it's probably so vulnerable, any "eye" noticeable fixes that are vulnerable off the bat? Is there any way I can add the mysql_real_escape string to the global $DB->query function?
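An added example, not IPB's own $DB class or anything from these posts, answering the last question in a different way: $DB->query() receives a finished string and cannot tell which parts of it came from the user, so escaping inside it is not possible; a small wrapper over mysqli prepared statements keeps the values out of the SQL text instead. It assumes (my assumptions) an open mysqli connection $mysqli with the mysqlnd driver (needed for get_result()), the 'ibf_' prefix, and a $member_id for the logged-in user; the two queries rewritten are the topic lookup from post 25 and the star update from post 24.

```php
<?php
// Added example (not IPB's $DB class): a parameterised query helper built
// on mysqli prepared statements, so request values never become SQL text.
// Assumed: $mysqli is an open mysqli connection (mysqlnd), prefix 'ibf_'.
function db_query_params(mysqli $mysqli, string $sql, array $params = [])
{
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $mysqli->error);
    }
    if ($params !== []) {
        // Type letters per parameter: i = int, d = float, s = string.
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('Execute failed: ' . $stmt->error);
    }
    $result = $stmt->get_result();        // false for UPDATE/INSERT
    return $result === false ? $stmt->affected_rows : $result;
}

// 1. The index query from post 25: the topic id is cast to int and then
//    bound, instead of being concatenated into the WHERE clause.
$tid = (int) ($_GET['t'] ?? 0);
if ($tid < 1) {
    exit('Bad request');
}
$res = db_query_params($mysqli,
    'SELECT f.name AS forum_name, f.id AS forum_id,
            c.name AS cat_name, c.id AS cat_id, c.state AS cat_state
       FROM ibf_topics t, ibf_forums f, ibf_categories c
      WHERE t.tid = ? AND f.id = t.forum_id AND f.category = c.id',
    [$tid]);
$row = $res->fetch_assoc();               // null when no such topic

// 2. The star update from post 24: the chosen star is bound as an
//    integer and the max_stars limit is enforced in the UPDATE itself,
//    so a changed request value cannot get past the PHP-side check.
$star = (int) ($_POST['star'] ?? -1);     // $member_id: assumed to be set
if ($star < 0) {
    exit('Bad request');
}
$changed = db_query_params($mysqli,
    'UPDATE ibf_members SET star = ? WHERE id = ? AND max_stars >= ?',
    [$star, $member_id, $star]);
if ($changed !== 1) {
    exit("You cannot choose a star you don't have access to...");
}
```

The helper returns a mysqli_result for SELECTs and the affected-row count otherwise, so callers can check that an UPDATE actually matched a row.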