Monkuar

Members
  • Posts

    987
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by Monkuar

  1. global $counter;
     function regex_check_image($url="")
     {
         if (!$url) return;
         $url = trim($url);
         $default = "[img=".$url."]";
         //-- mod_sec_update_131 begin
         $default = "[img=".str_replace( '[', '&#091;', $url )."]";
         //-- mod_sec_update_131 end
         $counter++;
         // Make sure we've not overridden the set image # limit
         if ($counter > 10)
         {
             message('You have posted too many Images');
             exit;
         }
         if (preg_match( "/[?&;\<\[]/", $url))
         {
             message('No Dynamic Images');
             exit;
         }
         if (preg_match( "/javascript(\:|\s)/i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // Is it a legitimate image?
         if (!preg_match( "/^(http|https|ftp):\/\//i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // If we are still here....
         $url = str_replace( " ", "%20", $url );
         return "<img src='$url' border='0' />";
     }
     echo $counter;
     exit;

     It doesn't seem to echo out anything now, not even "1", and I'm copy/pasting like 30. Hmm.
  2. Well, those exits are under if functions so it should be fine? I see what you mean though. I have moved the code underneath my function:

     function regex_check_image($url="")
     {
         if (!$url) return;
         $url = trim($url);
         $default = "[img=".$url."]";
         //-- mod_sec_update_131 begin
         $default = "[img=".str_replace( '[', '&#091;', $url )."]";
         //-- mod_sec_update_131 end
         $counter++;
         if (preg_match( "/[?&;\<\[]/", $url))
         {
             message('No Dynamic Images');
             exit;
         }
         if (preg_match( "/javascript(\:|\s)/i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // Is it a legitimate image?
         if (!preg_match( "/^(http|https|ftp):\/\//i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // If we are still here....
         $url = str_replace( " ", "%20", $url );
         return "<img src='$url' border='0' />";
     }
     if ($counter > 6)
     {
         message('You have posted too many Images');
         exit;
     }

     and it doesn't seem to get my variable $counter.... Weird, any ideas guys?
  3. Okay, for my bbcode parser, I run through [img tags with:

     $text = preg_replace( "#\[img\](.+?)\[/img\]#ie" , "\\regex_check_image('\\1')" , $text );

     It goes to my function regex_check_image:

     function regex_check_image($url="")
     {
         if (!$url) return;
         $url = trim($url);
         $default = "[img=".$url."]";
         //-- mod_sec_update_131 begin
         $default = "[img=".str_replace( '[', '&#091;', $url )."]";
         //-- mod_sec_update_131 end
         $image_count++;
         echo $image_count;
         exit;
         if ($image_count > 6)
         {
             message('You have posted too many Images');
             exit;
         }
         if (preg_match( "/[?&;\<\[]/", $url))
         {
             message('No Dynamic Images');
             exit;
         }
         if (preg_match( "/javascript(\:|\s)/i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // Is it a legitimate image?
         if (!preg_match( "/^(http|https|ftp):\/\//i", $url ))
         {
             message('No Dynamic Images');
             exit;
         }
         // If we are still here....
         $url = str_replace( " ", "%20", $url );
         return "<img src='$url' border='0' />";
     }

     Everything works fine, but for some reason, with

     $image_count++;
     echo $image_count;
     exit;

     if I have like 20 [img tags with images in them and I try to debug it and echo it out, it only shows "1". It should show how many [img tags I have, so I can echo out if someone is trying to spam images with the [img tag. Any help?
  4. Well, everything seems to work now, maniac. Here is everything. I use $message = parse_message($message, $errors); then, when it enters into my database, I use $db->escape($message). $db escape is just a mysql escape string return function. Then when I view the message, I don't use any parser to read it, I let HTML read it, because it's already been converted into HTML. It's not letting me submit <b>hey</b> or HTML tags though! So that's good! (no hackers) Here is the full parser: http://pastebin.com/DSKzHGLm The problem was I was calling the parser on $message before it entered the database twice, which was making it do weird things. What I just explained above is working now: HTML is not working and bbcodes are. I have unconvert functions though so people can edit, but will work on that later.
  5. Well, because I don't want people to spam smiley images on my message board and eat up bandwidth, I only make it so people can use 7 of each smiley. All I do is wrap $db->escape(parse_message($message)) before it enters into my database. Should I use the html entities thing before that, then use parse?
  6. Does

     function pun_htmlspecialchars($str)
     {
         return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
     }

     This is my code: http://pastebin.com/m0gmXAfQ See my $text = pun_htmlspecialchars($text); right under global? I am calling it before?
  7. I added $text = pun_htmlspecialchars($text); above the rest of the code, scoots, but it now just shows <b>hey</b> instead of actually formatting it into a bolded "b"?
  8. Everything works fine, unless I add this stupid thing to get rid of people using HTML: $text = pun_htmlspecialchars($text); Once I add that to my function, no bbcodes work at all? But I can't use HTML.. (which is good) but I need to be able to use BBCODE, and parse hackers from using HTML also. Any help? MY CODE absolutely destroyed the forum page, here it is: http://pastebin.com/jv7m47kn
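An added example (not Monkuar's code and not taken from the pastebins) covering the two problems in posts 3 and 8: the [img] counter that only ever reports "1", and HTML escaping that seems to kill the bbcodes. Escaping first and parsing second works because htmlspecialchars leaves [ and ] alone, and a counter captured by reference in a preg_replace_callback closure keeps counting across matches, whereas a function-local $counter is re-created at 0 on every call. The function name, the limit of 6 and the sample post are assumptions; it targets PHP 7+, where the /e modifier used in the thread no longer exists.

```php
<?php
// Added example, not the poster's code. Escape raw HTML first, then turn [img]
// tags into markup. $count is captured by reference so it survives across the
// callback's invocations (a plain local variable would restart at 0 each time).
// Assumes PHP 7+ and a limit of 6 images per post.

function parse_bbcode_images(string $text, int $max_images = 6): array
{
    // Step 1: neutralise raw HTML so <b>hey</b> is displayed literally, not rendered.
    $text   = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $count  = 0;
    $errors = [];

    $html = preg_replace_callback(
        '#\[img\](.+?)\[/img\]#i',
        function (array $m) use (&$count, &$errors, $max_images): string {
            $url = trim($m[1]);
            if (++$count > $max_images) {
                $errors[] = "image limit of $max_images exceeded";
                return '';
            }
            // Step 2: absolute http(s) URL only, nothing that looks dynamic.
            // After htmlspecialchars a quote or & inside the URL contains ';'
            // or '&', so those inputs fail the same character check.
            $ok = preg_match('#^https?://#i', $url)
               && !preg_match('/[?&;<\[]/', $url)
               && !preg_match('/javascript(:|\s)/i', $url);
            if (!$ok) {
                $errors[] = "no dynamic images: $url";
                return '';
            }
            // Step 3: the URL is already entity-encoded, so it is safe inside an attribute.
            return '<img src="' . str_replace(' ', '%20', $url) . '" alt="">';
        },
        $text
    );

    return ['html' => $html, 'images' => $count, 'errors' => $errors];
}

// Constructed input: raw HTML, one good image, a javascript: URL and a query string.
$post = '<b>hey</b> [img]http://example.com/a.png[/img] '
      . '[img]javascript:alert(1)[/img] [img]http://example.com/x.php?q=1[/img]';
$result = parse_bbcode_images($post, 6);
echo $result['html'], "\n";
echo 'images seen: ', $result['images'], "\n";
print_r($result['errors']);
```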
  9. Thank you, looking good now. I added more functions for if the user has less gold than they are trying to enter -> error out, etc. Ty
  10. //Security
      $_POST['amount'] = floatval($_POST['amount']);
      if (!is_numeric($_POST['amount'])){
          message($lang_common['Bad request']);
      }
      if ($pun_user['gold'] < $_POST['amount'] ){
          message('You do not have enough Gold');
      }
      if ($_POST['amount'] < 0){
          message($lang_common['Bad request']);
      }

      Looking good now?
  11. Okay good, I just don't want to get SQL injection hacked again so I am trying everything possible.... I will even be escaping my ints just because I'm sick of hackers.
  12. You sir have won the internet, congrats.
  13. $_POST['amount'] = intval($_POST['amount']);
      if ($_POST['amount'] < 0){
          message($lang_common['Bad request']);
      }
      if (!is_numeric($_POST['amount'])){
          message($lang_common['Bad request']);
      }
      echo $pun_user['gold'];
      echo '<br>';
      echo $_POST['amount'];
      exit;

      If I enter 0.05 in my gold input textbox and submit it, it reads 0; it doesn't read the decimal values. I need it to read them, but I also need it to be secure and use intval.. help
  14. I need to secure my code more:

      $_POST['amount'] = intval($_POST['amount']);
      if ($_POST['amount'] <= 0){
          message($lang_common['Bad request']);
      }
      if (!is_numeric($_POST['amount'])){
          message($lang_common['Bad request']);
      }

      $_POST['amount'] will be the amount of gold people will be able to send to each other. Any SQL injection vulnerability right now? If so, help. I cast intval and is_numeric on it. Any other ways to secure it with PHP functions? As of right now it can only be numeric, right?
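An added example (not Monkuar's code) for the gold-amount checks in posts 10, 13 and 14. intval('0.05') is 0, which is why the decimal vanished; floatval keeps it, but an is_numeric check after a cast can never fail, and the value still has to be rejected when it is zero or negative. Here the raw POST string is validated as a decimal and converted to whole hundredths of gold, so the comparison against the balance is an exact integer comparison. Storing balances in hundredths, the two-decimal limit and the sample inputs are assumptions.

```php
<?php
// Added example, not the poster's code. Validates a gold amount submitted as a
// string and returns it in hundredths (an integer), so no float comparison is
// needed. Assumes balances are stored in hundredths and amounts allow two decimals.

function validate_gold_amount(string $raw, int $balance_hundredths): int
{
    $raw = trim($raw);
    // Digits, optional "." and at most two decimals. Rejects "-24", "1e3",
    // "0x1A", "+5", "" and anything with extra characters; the 12-digit cap on
    // the whole part keeps the arithmetic below inside a 64-bit integer.
    if (!preg_match('/^(?:0|[1-9][0-9]{0,11})(?:\.[0-9]{1,2})?$/', $raw)) {
        throw new InvalidArgumentException('Bad request');
    }
    [$whole, $frac] = array_pad(explode('.', $raw, 2), 2, '');
    $hundredths = (int) $whole * 100 + (int) str_pad($frac, 2, '0');
    if ($hundredths <= 0) {
        throw new InvalidArgumentException('Bad request'); // nothing to send
    }
    if ($hundredths > $balance_hundredths) {
        throw new InvalidArgumentException('You do not have enough Gold');
    }
    return $hundredths;
}

function format_gold(int $hundredths): string
{
    return sprintf('%d.%02d', intdiv($hundredths, 100), $hundredths % 100);
}

// Constructed inputs, checked against a sender holding 10.00 gold (1000 hundredths).
$balance = 1000;
$inputs  = ['0.05', '10', '10.01', '-24', '1e3', '0', ' 3.5 ', 'abc', "5'; DROP TABLE gold; --"];
foreach ($inputs as $raw) {
    try {
        $amount = validate_gold_amount($raw, $balance);
        printf("%-28s -> send %s gold\n", var_export($raw, true), format_gold($amount));
    } catch (InvalidArgumentException $e) {
        printf("%-28s -> %s\n", var_export($raw, true), $e->getMessage());
    }
}
```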
  15. OK, epic! Thanks so much. Sorry I had to get you guys to explain it to me, I am just trying to figure out this injection stuff, sick of people injecting code on my forum, it's pissing me off. Thanks. Topic resolved.
  16. Okay, so then the above would be more secure if I did:

      $stick_topic = isset($_POST['stick_topic']) ? '1' : '0';
      if (!intval($stick_topic)){
          echo "stop hacking";
          exit;
      }

      Casting it as an intval only would be hack safe? Should I add

      if ($stick_topic < 1 ){
          echo "hacker trying to do negative on me now?";
          exit;
      }

      to make it even more secure, eh? Okay scootsah, so always make sure I cast integers before input and then db escape them just to be on the safe side? I really just don't want to get hacked again, I'm escaping everything.
  17. Cast meaning as this variable will be only 1 or 0, so it's impossible to inject? If so, topic solved, ty.
  18. $stick_topic = isset($_POST['stick_topic']) ? '1' : '0';

      Does this need to be escaped while entering the database or not, because the values could only be 1 or 0? Sorry, it's just I got hacked so I am trying to make my security #1.
  19. O, RLY? http://en.wikipedia.org/wiki/APNG http://people.mozilla.com/~dolske/apng/demo.html
      I don't use crappy Opera or Firefox, so I never knew. Pretty cool though, thanks for sharing. They are pretty worthless if the top major browsers in the world don't support them though.
  20. .png cannot be animated images.
  21. What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0. But intval will allow -24 to pass through, because that is a valid integer.
      Yes, a lot of harm can be done with a negative integer.... I've had people exploit my system before, buying items with &amount=-2425 because I didn't check to make sure it was > 0... But I guess I will be using intval and, if $_GET or $_POST < 0, echo out an error. Thanks for the help.
  22. Is intval also safe for hackers that try to input -24 numbers? Or negative numbers? Intval will always be 0-9?
  23. Sorry,

      $topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;

      Still good? So I should db escape all of them even if it's already at intval?
  24. Using this below, is it safe against hackers?

      $post_id = intval($_GET['report']);
      if ($post_id < 1)
          message($lang_common['Bad request']);

      Query:

      $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());

      Should I escape my $topic_id?
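An added example (not Monkuar's code) for the id question in posts 23 and 24. filter_var with FILTER_VALIDATE_INT and min_range => 1 does in one step what intval plus the < 1 check does, but it refuses inputs like '7 OR 1=1' or '0.05' outright instead of silently turning them into 7 or 0. With the id passed as a bound integer parameter, the "do I still need to escape it?" question no longer arises. The PDO connection, the in-memory SQLite table and the pun_ prefix are assumptions so that it runs offline.

```php
<?php
// Added example, not the poster's code: validate a topic id and fetch it with a
// prepared statement instead of concatenating it into the SQL string.
// Assumes PDO with the SQLite driver and a table prefix of "pun_".

function topic_id_from_request(array $get): int
{
    // Only a scalar that is a whole number >= 1 passes; arrays, floats,
    // empty strings and anything with trailing junk come back as false.
    $id = filter_var($get['tid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Bad request');
    }
    return $id;
}

function fetch_topic(PDO $db, string $prefix, int $topic_id): ?array
{
    // The prefix comes from configuration, never from the request; this guard
    // documents that assumption since it cannot be a bound parameter.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('Bad table prefix');
    }
    $stmt = $db->prepare("SELECT subject, forum_id FROM {$prefix}topics WHERE id = :id");
    $stmt->bindValue(':id', $topic_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pun_topics (id INTEGER PRIMARY KEY, subject TEXT, forum_id INTEGER)');
$db->exec("INSERT INTO pun_topics VALUES (7, 'Hello', 2)");

foreach (['7', '-24', '7 OR 1=1', '0.05', '', '99'] as $raw) {
    try {
        $id = topic_id_from_request(['tid' => $raw]);
        echo 'tid=' . var_export($raw, true) . ': ';
        var_dump(fetch_topic($db, 'pun_', $id));
    } catch (InvalidArgumentException $e) {
        echo 'tid=' . var_export($raw, true) . ': ' . $e->getMessage() . "\n";
    }
}
```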
  25. function convert_youtube($code,$code1)
      {
          $youtube_count++;
          return '<embed src="http://'.$code.'youtube.com/v/'.$code1.'" type="application/x-shockwave-flash" wmode="transparent" width="512" height="313" allowfullscreen="true" />';
      }
      echo $youtube_count;

      I'm trying to echo it out. I have like 5 flash videos on the bbcode parser:

      $RegEx = '%(\[quote(?:=[^\]]*)\].*?)?\[youtube\]http\://(.*?)youtube\.com/watch\?v\=(.*?)\[/youtube\](.*?\[/quote\])?%ie';
      if(preg_match_all($RegEx, $text, $matches,PREG_SET_ORDER)){
          foreach($matches as $match){
              if(!empty($match[0]) && empty($match[1]) && empty($match[4])){
                  $text = str_replace($match[0], convert_youtube($match[2],$match[3]), $text);
              }else{
                  $url = sprintf('http://%syoutube.com/watch?v=%s',$match[2],$match[3]);
                  $text = str_replace($match[0], sprintf('%s<a href=\'%s\' target="_blank">%s</a>%s',$match[1],$url,$url,$match[4]), $text);
              }
          }
      }

      If I do echo "hey"; it works, but not any variables.. zzzzzzzzzzzzzzzzz