Jump to content

[SOLVED] form input hack

EchoFool

By EchoFool
in PHP Coding Help

 Share

Recommended Posts

EchoFool Advanced Member

EchoFool

Posted
Posted

I don't know how but a user managed to input "something" into my script which got through all my validation yet he still managed to get a number input which according to my logs says +99999999  (dont know how the + got through)!

 

 

I have this as a validation check:

 

$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If($StrengthInputOriginal == '' OR !(number_format($StrengthInputOriginal))){
$StrengthInputOriginal = 0;
}

 

The log of the user shows:

 

Trained agility input +9999999999999 for gain of 8896888888890

 

How could such a number get through i even check its not that high of a number be he still managed it =/

Link to comment
Share on other sites
Maq Prolific Member

Maq

Posted
Posted

I'm not sure but maybe the number_format accepts the '+' sign because it's thinking they're assigning it a positive value.  ???  You might be better off checking it with a regular expression as well.

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

I'm assuming the database field is set as an int type. If that's the case you only need to verify that the input is an integer - no need for mysql_real_escape_string().

 

And, number_format() would have no effect in the manner in which you are using it. According to the manual its oly return values are "A formatted version of number." So, it doesn't return false if the value is not a properly formatted number.

Link to comment
Share on other sites
Maq Prolific Member

Maq

Posted
Posted

Do not use number_format or is_numeric because they both will accept the '+'  and '-' signs.  I suggest you use a regex if you want purely numbers.  This way you could make the input field more precise.

Link to comment
Share on other sites
EchoFool Advanced Member

EchoFool

Posted
  • Author
Posted 

<input type="text" size="16" name="strength" value="">

 

 

<?php
$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If($StrengthInputOriginal == '' OR !(is_int($StrengthInputOriginal)) OR strlen($StrengthInputOriginal)>2){
$StrengthInputOriginal = 0;
}
?>

 

This doesn't seem to accept any number i put in.. it just gives me 0 every time :S

Link to comment
Share on other sites
Maq Prolific Member

Maq

Posted
Posted

number_format does not return TRUE/FALSE, it returns a number...

 

maybe you should try is_numeric()

 

Like I said is_numeric will accept the '+' sign.

 

Finds whether the given variable is numeric. Numeric strings consist of optional sign, any number of digits, optional decimal part and optional exponential part. Thus +0123.45e6 is a valid numeric value.

 

You should use the regex that DW provided.

Link to comment
Share on other sites
EchoFool Advanced Member

EchoFool

Posted
  • Author
Posted
Warning: preg_match() [function.preg-match]: No ending delimiter '^' found in gymstat.php on line 23

 

My val:

 

<?php
$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If(!(preg_match('^\d+$', $StrengthInputOriginal))) {
$StrengthInputOriginal = 0;
}
?>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.