R4nk3d Posted April 19, 2009 Author Share Posted April 19, 2009 ok and so do i just put this at the top of the login, register, and edit scripts? Link to comment Share on other sites More sharing options...
darkfreaks Posted April 19, 2009 Share Posted April 19, 2009 yes just call all your variables like: <?php $user= $_POST['user']; $user= array_map('stripslashes_deep',$user) //combines function with the $user variable ?> Link to comment Share on other sites More sharing options...
R4nk3d Posted April 19, 2009 Author Share Posted April 19, 2009 so tell me if my plan will work: ill put this code into 1 file in my sources directory, then include it on top of my edit, register, and login pages. Then for the variables ill just change them to what you just typed out for me. Link to comment Share on other sites More sharing options...
darkfreaks Posted April 19, 2009 Share Posted April 19, 2009 pretty much Link to comment Share on other sites More sharing options...
R4nk3d Posted April 19, 2009 Author Share Posted April 19, 2009 ok cool. thanks man. anything else you see? Link to comment Share on other sites More sharing options...
darkfreaks Posted April 19, 2009 Share Posted April 19, 2009 if your just going to use the functions with array_map() and include the functions from another file get rid of <?php if(get_magic_quotes_gpc()){} if(!get_magic_quotes_gpc()){} ?> and just array map the functions into the variables Link to comment Share on other sites More sharing options...
R4nk3d Posted April 19, 2009 Author Share Posted April 19, 2009 ok ill try it Link to comment Share on other sites More sharing options...
darkfreaks Posted April 19, 2009 Share Posted April 19, 2009 also when your done with that post the code for each page so i know that your doin it right Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 k, heres what i got now: require("./sources/string_array_maps.php"); $user = $_POST["Username"]; $pass = $_POST["Password"]; //.... continues on <?php function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); $_REQUEST = array_map('stripslashes_deep', $_REQUEST); function clean_post_var($var){ $var=mysql_real_escape_string(trim(strip_tags($var))); $var=htmlspecialchars($var,ENT_QUOTES); return filter_var($var,FILTER_SANITIZE_STRING); } $_POST = array_map('clean_post_var', $_POST); $_GET = array_map('clean_post_var', $_GET); $_COOKIE = array_map('clean_post_var', $_COOKIE); $_REQUEST = array_map('clean_post_var', $_REQUEST); ?> This look right? Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 Include.php <?php function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } function clean_post_var($var){ $var=mysql_real_escape_string(trim(strip_tags($var))); $var=htmlspecialchars($var,ENT_QUOTES); return filter_var($var,FILTER_SANITIZE_STRING); } ?> page.php: [code]<?php $user = $_POST["Username"]; $user.= array_walk($user,'stripslashes_deep'); $user.= array_walk($user,'clean_post_var'); ///etc and so on/// ?> [/code] Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 ok, i dont have it exactly like that, but i do have it working, try it out Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 i see that ur tryin it, heres what it actually is putting in the database.... (screenshot) [attachment deleted by admin] Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 ok screw the array shit just do this: <?php include "functionfile.php"; $user=$_POST['user']; $user.=stripslashes_deep(clean_post_var($user)); ?> Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 haha, ok. changing now actually, now that i think about it. wouldnt making it $user .=... add it to the end? shouldnt it be $user = $_Post $user = strip....? Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 it doesnt matter if you put it all ine one variable or make it 3 variables it still works like i did it Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 it doesnt matter if you put it all ine one variable or make it 3 variables it still works like i did it no, if i put root as the username, it inputs it into the db as rootroot because im adding it again. so it needs to be $user = strip... but yeah, its working Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 uhm no its noti still see injection Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 nothin is being injected. Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 delete all the injection stuff just incase the scanner is picking it up and ill scan again Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 all those users are deleted. nothing is being injected. the user table is "users" admin = adminlevel (1 for admin) try whatever u can, i dont see it Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 scrreeenshot [attachment deleted by admin] Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 i dont see anything being injected, u cant execute any commands at all Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 i believe my scanner would beg to differ. being cocky about it is unwise. finding out why it is picking up is more smart Link to comment Share on other sites More sharing options...
darkfreaks Posted April 20, 2009 Share Posted April 20, 2009 also i would suggest reading up on PDO and MYSQLI prepared statements http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php Link to comment Share on other sites More sharing options...
R4nk3d Posted April 20, 2009 Author Share Posted April 20, 2009 alright will do Link to comment Share on other sites More sharing options...
Recommended Posts