Monkuar Posted February 21, 2012

Using this below, is it safe against hackers?

$post_id = intval($_GET['report']);
if ($post_id < 1)
    message($lang_common['Bad request']);

Query:

$result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());

Should I escape my $topic_id?
trq Posted February 21, 2012

You haven't shown us where $topic_id is defined. But yes, *all* user inputted data needs to be escaped before using it in *any* database query.
Monkuar (Author) Posted February 21, 2012

> You haven't shown us where $topic_id is defined. But yes, *all* user inputted data needs to be escaped before using it in *any* database query.

Sorry:

$topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;

Still good? So I should do all my DB escapes even if it's already at intval?
kicken Posted February 21, 2012

Running a value through intval() is good enough; no need to call mysql_real_escape_string on it. As an integer it can only contain digits 0-9; anything invalid would just become 0.
Monkuar (Author) Posted February 21, 2012

> Running a value through intval() is good enough; no need to call mysql_real_escape_string on it. As an integer it can only contain digits 0-9; anything invalid would just become 0.

Is intval also safe against hackers that try to input -24 numbers, or negative numbers? Will intval always be 0-9?
premiso Posted February 21, 2012

> Is intval also safe against hackers that try to input -24 numbers, or negative numbers? Will intval always be 0-9?

What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0. But intval will allow -24 to pass through, because that is a valid integer.
Monkuar (Author) Posted February 21, 2012

>> Is intval also safe against hackers that try to input -24 numbers, or negative numbers? Will intval always be 0-9?
>
> What harm can come from a negative integer? If you are worried about a negative integer being entered, check to make sure it is > 0. But intval will allow -24 to pass through, because that is a valid integer.

Yes, a lot of harm can be done with a negative integer... I've had people exploit my system before, buying items with &amount=-2425 because I didn't check to make sure it was > 0. But I guess I will be using intval, and if $_GET or $_POST < 0, echo out an error. Thanks for the help.
premiso Posted February 21, 2012

> Yes, a lot of harm can be done with a negative integer... I've had people exploit my system before, buying items with &amount=-2425 because I didn't check to make sure it was > 0.

That is not a negative integer, that is a float / double. I would not recommend converting that to an integer value anyway, and you should have other checks in place for that type of logic. Generally, when someone has a question in this regard about converting a value to an integer, it is for an ID field type or similar, where the only harm that will be done from a negative value is that it returns 0 rows. But that is why you code for your application and code in the checks needed, as well as escape / filter your data.

EDIT: Just saw that it was not -24.25 and it was -2425. My mistake there. Either way, you should have logic in place to verify that it is not a negative number if it should not be negative and could adversely affect your application if it is negative.
xyph Posted February 21, 2012

To force positive numbers you can also use

$topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;

This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign.
scootstah Posted February 21, 2012

> To force positive numbers you can also use
>
> $topic_id = isset($_GET['tid']) && ctype_digit($_GET['tid']) ? $_GET['tid'] : 0;
>
> This will return 0 if the string contains anything other than a digit, including the hyphen/negative sign.

You could also typecast and use abs().

$topic_id = abs((int) $_GET['tid']);

Either way works.
xyph Posted February 22, 2012

Since $_GET is populated by the client, you should check if the key exists before using it.
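The three ways of reading an integer ID suggested in the thread (intval(), ctype_digit(), abs((int) ...)) behave differently on hostile input, and the differences matter for the "> 0" check the thread converges on. The script below is an added example, not code posted by anyone in the thread: it runs each approach over a set of constructed inputs, adds a stricter filter_var() variant that rejects rather than rewrites bad values, and shows the ID being bound as a parameter instead of concatenated into the query (PDO is assumed; the table prefix from the original query is omitted). Two caveats it demonstrates: abs((int) "-24") yields 24, so a negative ID is silently mapped to a different record rather than refused, and a query string such as ?tid[]=1 makes $_GET['tid'] an array, which intval() turns into 1.

```php
<?php
// Added example, not code from the thread: compares the sanitising approaches
// discussed above on constructed inputs, then shows a bound-parameter query.

// xyph's approach: accept only an all-digit string, anything else becomes 0.
// is_string() guards against ?tid[]=1, which makes $_GET['tid'] an array.
function id_via_ctype_digit($raw): int
{
    return is_string($raw) && ctype_digit($raw) ? (int) $raw : 0;
}

// scootstah's approach: cast then abs(). Note "-24" becomes 24, i.e. a
// different record id, rather than being rejected.
function id_via_abs_cast($raw): int
{
    return abs((int) $raw);
}

// Stricter form: FILTER_VALIDATE_INT refuses signs, fractions, trailing junk
// and non-scalar values, and min_range enforces the thread's "> 0" check.
// Returns null on rejection so the caller can answer with "Bad request".
function id_via_filter_var($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// The original query rewritten with a bound parameter (PDO assumed). The
// integer is still validated first; binding just removes the concatenation.
function fetch_topic(PDO $db, int $topic_id): ?array
{
    $stmt = $db->prepare('SELECT subject, forum_id FROM topics WHERE id = :id');
    $stmt->bindValue(':id', $topic_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, a negative id, trailing junk, a float,
// an empty string, zero, exponent notation, and the array case.
$inputs = ['24', '-24', '24abc', '2425.5', '', '0', '1e3', ['1']];

printf("%-10s %-8s %-12s %-9s %s\n", 'input', 'intval', 'ctype_digit', 'abs/cast', 'filter_var');
foreach ($inputs as $raw) {
    $label = is_array($raw) ? 'array' : var_export($raw, true);
    printf("%-10s %-8s %-12s %-9s %s\n",
        $label,
        intval($raw),                      // returns 1 for a non-empty array
        id_via_ctype_digit($raw),
        id_via_abs_cast($raw),
        id_via_filter_var($raw) ?? 'rejected');
}

// Reading the parameter the way xyph's last post suggests: check the key
// first. With the null-coalescing operator a missing key is rejected, not
// treated as 0 and then queried.
$topic_id = id_via_filter_var($_GET['tid'] ?? null);
if ($topic_id === null) {
    echo "Bad request\n";
}
```

The filter_var() variant is the one to prefer when the value is an identifier: a request for id -24 or id 24abc is a malformed request, and refusing it gives you a log line to alert on, whereas intval() and abs() quietly turn it into a lookup of some other row.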
Psycho Posted February 22, 2012

> Yes, a lot of harm can be done with a negative integer... I've had people exploit my system before, buying items with &amount=-2425 because I didn't check to make sure it was > 0. But I guess I will be using intval, and if $_GET or $_POST < 0, echo out an error. Thanks for the help.

If people are buying things, you should not rely upon data submitted by the user to use as the price. You should simply have the user pass the product(s) that they are buying; then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.
xyph Posted February 22, 2012

> If people are buying things, you should not rely upon data submitted by the user to use as the price. You should simply have the user pass the product(s) that they are buying; then you would determine the price in the code using the values you set (most likely in the DB). The logic you are wanting to use would not prevent someone from passing a 1 when the cost might be 1000.

I think the issue was quantity, and not cost. The person probably used this to have a negative amount of credits removed from their account.
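Psycho's and xyph's posts together describe what a purchase handler has to get right: the price comes from the server, never from the request, and the quantity is validated as a positive integer before the balance is touched. The script below is an added example and not code from the thread or from Monkuar's system; the catalogue array stands in for the database lookup Psycho mentions, the credit balance is a constructed value, and the request cases include the &amount=-2425 trick from the thread plus a forged price field that the handler must ignore.

```php
<?php
// Added example, not code from the thread: server-side pricing with a
// validated quantity, so a negative or forged amount cannot credit the buyer.

// Stands in for the price table in the DB (constructed values).
const CATALOGUE = ['sword' => 150, 'shield' => 90];

// Quantity must be a whole number in a sane range; anything else is refused.
// max_range is an assumed business limit, not something from the thread.
function parse_quantity($raw): ?int
{
    $q = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $q === false ? null : $q;
}

// Returns the outcome and the balance after the purchase attempt.
function purchase(array $request, int $balance): array
{
    $item = $request['item'] ?? null;
    if (!is_string($item) || !isset(CATALOGUE[$item])) {
        return ['ok' => false, 'error' => 'unknown item', 'balance' => $balance];
    }

    $qty = parse_quantity($request['amount'] ?? null);
    if ($qty === null) {
        return ['ok' => false, 'error' => 'bad quantity', 'balance' => $balance];
    }

    // Price is looked up server-side; a 'price' key in the request is ignored.
    $cost = CATALOGUE[$item] * $qty;
    if ($cost > $balance) {
        return ['ok' => false, 'error' => 'insufficient credits', 'balance' => $balance];
    }

    return ['ok' => true, 'error' => null, 'balance' => $balance - $cost];
}

// Constructed requests: the negative-amount case from the thread, a request
// carrying its own price (Psycho's point), an array-valued amount, and a
// legitimate purchase.
$cases = [
    ['item' => 'sword',  'amount' => '-2425'],
    ['item' => 'sword',  'amount' => '1', 'price' => '1'],
    ['item' => 'shield', 'amount' => ['2']],
    ['item' => 'shield', 'amount' => '2'],
];

foreach ($cases as $req) {
    $r = purchase($req, 500);
    printf("%-45s -> %-20s balance %d\n",
        json_encode($req), $r['ok'] ? 'ok' : $r['error'], $r['balance']);
}
```

The check that matters for Monkuar's incident is that parse_quantity() refuses "-2425" outright rather than flipping its sign: a negative quantity in a purchase request is never a legitimate order, so it should fail the request (and be logged) instead of being normalised.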