
is this safe?


Monkuar


using this below is it safe against hackers?

 

$post_id = intval($_GET['report']);
if ($post_id < 1)
	message($lang_common['Bad request']);

 

query:

 

	$result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());

 

should i escape my $topic_id ?


You haven't shown us where $topic_id is defined. But yes, *all* user-input data needs to be escaped before using it in *any* database query.

Sorry

 

$topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;

 

Still good?

 

So I should db all my escapes even if it's already at intval?


Running a value through intval() is good enough, no need to call mysql_real_escape_string on it.  As an integer it can only contain digits 0-9, anything invalid would just become 0.

 

Is intval also safe for hackers that try to input -24 numbers? Or negative numbers? Will intval always be 0-9?


Is intval also safe for hackers that try to input -24 numbers? Or negative numbers? Will intval always be 0-9?

 

What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0.

 

But intval will allow -24 to pass through, because that is a valid integer.


Is intval also safe for hackers that try to input -24 numbers? Or negative numbers? Will intval always be 0-9?

 

What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0.

 

But intval will allow -24 to pass through, because that is a valid integer.

 

Yes, a lot of harm can be done with a negative integer.... I've had people exploit my system before buying items with &amount=-2425 because I didn't check to make sure it was > 0...

 

But I guess I will be using intval and if $_GET or $_POST < 0 echo out an error. Thanks for the help.


Yes, a lot of harm can be done with a negative integer.... I've had people exploit my system before buying items with &amount=-2425 because I didn't check to make sure it was > 0...

 

That is not a negative integer, that is a float / double. I would not recommend converting that to an integer value anyways and you should have other checks in place for that type of logic. Generally, when someone has a question in this regard with converting a value to integer it is for an ID field type or similar, where the only harm that will be done from a negative value is it returns 0 rows. But that is why you code for your application and code in the checks needed as well as escape / filter your data.

 

EDIT:

Just saw that it was not -24.25 and it was -2425. My mistake there. Either way, you should have logic in place to verify that it is not a negative number if it should not be negative and could adversely affect your application if it is negative.


To force positive numbers you can also use

 

$topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;

 

This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign.


To force positive numbers you can also use

 

$topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;

 

This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign.

 

You could also typecast and use abs().

$topic_id = abs((int) $_GET['tid']);

 

Either way works.


Yes, a lot of harm can be done with a negative integer.... I've had people exploit my system before buying items with &amount=-2425 because I didn't check to make sure it was > 0...

 

But I guess I will be using intval and if $_GET or $_POST < 0 echo out an error. Thanks for the help.

 

If people are buying things you should not rely upon data submitted by the user to use as the price. You should simply have the user pass the product(s) that they are buying; then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.


If people are buying things you should not rely upon data submitted by the user to use as the price. You should simply have the user pass the product(s) that they are buying; then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.

 

I think the issue was quantity, and not cost. The person probably used this to have a negative amount credits removed from their account.
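Pulling the thread's advice together as one added example (not code from any poster above): a single helper that accepts only an all-digit, positive value for an ID or a quantity, a side-by-side of what intval(), abs((int) ...) and that helper each produce for the inputs discussed, and the topic query rewritten to bind the validated id as a parameter instead of concatenating it. The PDO connection in $db and the plain `topics` table name are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Return $params[$key] as a positive integer, or 0 when it is missing,
 * empty, negative, zero, or contains anything other than digits.
 * Used for both the topic id (GET tid) and a purchase quantity (POST amount).
 */
function positive_int_param(array $params, string $key): int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return 0;
    }
    $raw = $params[$key];
    // ctype_digit() is false for "", "-24", "24abc", "2.5" and "1e3", so the
    // negative sign is rejected outright; intval() alone would turn "24abc"
    // into 24 and "-24" into -24. The length guard keeps the value inside
    // a 64-bit integer (assumed limit for this example).
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return 0;
    }
    return (int) $raw;
}

// Constructed sample inputs: compare the three approaches from the thread.
foreach (['24', '-24', '24abc', '', '0', '2.5'] as $tid) {
    printf("%-8s intval=%-4d abs=%-4d positive_int_param=%d\n",
        var_export($tid, true), intval($tid), abs((int) $tid),
        positive_int_param(['tid' => $tid], 'tid'));
}

// Topic lookup: validate first, then bind the id rather than concatenating.
$topic_id = positive_int_param($_GET, 'tid');
if ($topic_id < 1) {
    exit('Bad request');
}
$stmt = $db->prepare('SELECT subject, forum_id FROM topics WHERE id = :id');
$stmt->bindValue(':id', $topic_id, PDO::PARAM_INT);
$stmt->execute();
$topic = $stmt->fetch(PDO::FETCH_ASSOC);

// Purchase quantity: same rule, and the price still comes from the DB,
// never from the request.
$quantity = positive_int_param($_POST, 'amount');
if ($quantity < 1) {
    exit('Bad request');
}
```

For the sample loop, intval() and abs() map "-24" to -24 and 24 respectively while positive_int_param() returns 0, which is the behaviour the thread settles on for values that must be positive.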
