EchoFool Posted October 19, 2008

I don't know how, but a user managed to input "something" into my script which got through all my validation, yet he still managed to get a number input which according to my logs says +99999999 (don't know how the + got through)! I have this as a validation check:

$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If($StrengthInputOriginal == '' OR !(number_format($StrengthInputOriginal))){
    $StrengthInputOriginal = 0;
}

The log of the user shows:

Trained agility input +9999999999999 for gain of 8896888888890

How could such a number get through? I even check it's not that high of a number, but he still managed it =/

Thread: https://forums.phpfreaks.com/topic/129143-solved-form-input-hack/
Maq Posted October 19, 2008

I'm not sure, but maybe number_format accepts the '+' sign because it thinks they're assigning it a positive value. ??? You might be better off checking it with a regular expression as well.
EchoFool Posted October 19, 2008 (Author)

Can you give me an example of what you mean?
DarkWater Posted October 19, 2008

How about the is_numeric() function? Also, you'd probably want to create a 'range' of acceptable values. >_<
Psycho Posted October 19, 2008

I'm assuming the database field is set as an int type. If that's the case, you only need to verify that the input is an integer - no need for mysql_real_escape_string(). And number_format() would have no effect in the manner in which you are using it. According to the manual, its only return value is "A formatted version of number." So it doesn't return false if the value is not a properly formatted number.
trq Posted October 19, 2008

> no need for mysql_real_escape_string().

mysql_real_escape_string should be applied to any and all user-inputted data.
EchoFool Posted October 19, 2008 (Author)

Trained strength input +9999 for gain of 39.996

He still got through!! Even though my gain shows 39.996 on the log, it's giving him like 900000+. I don't get what the hell he is inputting, but it gets through every time! How do I check it's an integer only?
Maq Posted October 19, 2008

Do not use number_format or is_numeric, because they both will accept the '+' and '-' signs. I suggest you use a regex if you want purely numbers. This way you could make the input field more precise.
DarkWater Posted October 19, 2008

/^\d+$/

That would be the regex you're looking for, if you want to use that route.
EchoFool Posted October 19, 2008 (Author)

<input type="text" size="16" name="strength" value="">

<?php
$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If($StrengthInputOriginal == '' OR !(is_int($StrengthInputOriginal)) OR strlen($StrengthInputOriginal)>2){
    $StrengthInputOriginal = 0;
}
?>

This doesn't seem to accept any number I put in.. it just gives me 0 every time :S
The Little Guy Posted October 19, 2008

number_format does not return TRUE/FALSE, it returns a number... maybe you should try is_numeric()
Maq Posted October 19, 2008

> number_format does not return TRUE/FALSE, it returns a number... maybe you should try is_numeric()

Like I said, is_numeric will accept the '+' sign. From the manual: "Finds whether the given variable is numeric. Numeric strings consist of optional sign, any number of digits, optional decimal part and optional exponential part. Thus +0123.45e6 is a valid numeric value." You should use the regex that DW provided.
EchoFool Posted October 19, 2008 (Author)

What's the syntax for checking with regex? Is it:

<?php
If(preg_match('/^\d+$/', $StrengthInputOriginal) == FALSE){
    // yay
}Else{
    // boo
}
?>
DarkWater Posted October 19, 2008

if (!preg_match('^\d+$', $StrengthInputOriginal)) {
    //bad
} else {
    //good
}
The Little Guy Posted October 19, 2008

$str = array('a999','999','+999','99-99');
foreach($str as $s){
    if(preg_match('~^[0-9]+$~',$s)){
        echo $s.': good<br>';
    }else{
        echo $s.': bad<br>';
    }
}
Maq Posted October 19, 2008

Damnit DW, you always beat me to it! >
EchoFool Posted October 19, 2008 (Author)

Warning: preg_match() [function.preg-match]: No ending delimiter '^' found in gymstat.php on line 23

My val:

<?php
$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If(!(preg_match('^\d+$', $StrengthInputOriginal))) {
    $StrengthInputOriginal = 0;
}
?>
The Little Guy Posted October 19, 2008

<?php
$StrengthInputOriginal = mysql_real_escape_string($_POST['strength']);
If(!(preg_match('~^\d+$~', $StrengthInputOriginal))) {
    $StrengthInputOriginal = 0;
}
?>
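The following is an added example, not code posted by anyone in this thread. It runs the three checks the thread tried (number_format, is_numeric, is_int, as discussed by Psycho and Maq above) against inputs modelled on the logged values to show which ones let "+9999" through, and then applies a validator built on DarkWater's /^\d+$/ pattern with the delimiters from the last post plus the range check DarkWater suggested earlier. The function names, the sample inputs and the $max range are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: why number_format()/is_numeric()/is_int()
// let "+9999" through, and a digits-only validator with a range check.
// Function names, sample inputs and the $max range are assumptions.

// Constructed sample inputs, modelled on the values quoted from the game log.
$samples = ['+9999', '+9999999999999', '99', 'a999', '99-99', '', '1e3', ' 42', "7\n"];

// Emulates the three checks the thread tried. true means "the check lets it through".
function checks_from_thread(string $input): array
{
    return [
        // number_format() returns a formatted string, never false; the only
        // inputs it turns into a falsy value are those that format to "0".
        // (Explicit cast added: PHP 8 raises a TypeError for non-numeric strings.)
        'number_format' => number_format((float) $input) !== '0',
        // is_numeric() allows an optional sign, decimal part and exponent.
        'is_numeric'    => is_numeric($input),
        // $_POST values are always strings, so is_int() is false for every one.
        'is_int'        => is_int($input),
    ];
}

/**
 * Returns the validated training amount, or 0 (the original code's fallback).
 * Only an unsigned run of ASCII digits whose value lies in 1..$max is accepted.
 */
function validate_strength_input(string $input, int $max = 99): int
{
    // Delimiters are required: a bare '^\d+$' gives the "No ending delimiter"
    // warning quoted above. The D modifier stops $ from matching before a
    // trailing newline, so "7\n" is rejected too.
    if (!preg_match('~^\d+$~D', $input)) {
        return 0;
    }
    // A digit string longer than $max itself cannot be in range; checking the
    // length first also avoids casting very long digit strings to int.
    if (strlen($input) > strlen((string) $max)) {
        return 0;
    }
    $value = (int) $input;          // safe: only digits reach this point
    if ($value < 1 || $value > $max) {
        return 0;
    }
    return $value;
}

foreach ($samples as $s) {
    $c = checks_from_thread($s);
    printf("%-22s number_format:%-4s is_numeric:%-4s is_int:%-4s -> validated: %d\n",
        var_export($s, true),
        $c['number_format'] ? 'pass' : 'fail',
        $c['is_numeric']    ? 'pass' : 'fail',
        $c['is_int']        ? 'pass' : 'fail',
        validate_strength_input($s));
}
```

Running it shows "+9999" passing both number_format and is_numeric while every input fails is_int (a POSTed value is always a string), and only "99" surviving the validator. Once the value is an int inside the allowed range, bind it as an integer parameter in a prepared statement rather than relying on string escaping for an int column.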
EchoFool Posted October 19, 2008 (Author)

Thanks everyone