Topic: Help improve my security (https://forums.phpfreaks.com/topic/257668-help-improve-my-security/)

Monkuar, posted February 24, 2012

I need to secure my code more.

```php
// Coerce the posted value to an integer, then reject zero and negatives.
$_POST['amount'] = intval($_POST['amount']);
if ($_POST['amount'] <= 0) {
    message($lang_common['Bad request']);
}
// Redundant after intval(): the value is already an integer.
if (!is_numeric($_POST['amount'])) {
    message($lang_common['Bad request']);
}
```

$_POST['amount'] will be the amount of gold people will be able to send to each other. Any SQL injection vulnerability right now? If so, help. I cast it with intval and is_numeric. Any other ways to secure it with PHP functions? As of right now it can only be numeric, right?
requinix, posted February 24, 2012

You intval()ed it. There's nothing else you have to do, including is_numeric() on it, because it will always be numeric (you made it so).
Monkuar (author), posted February 24, 2012

> You intval()ed it. There's nothing else you have to do, including is_numeric() on it, because it will always be numeric (you made it so).

Okay, good. I just don't want to get SQL injection hacked again, so I am trying everything possible. I will even be escaping my ints just because I'm sick of hackers.
PFMaBiSmAd, posted February 24, 2012

Also in that code, if the message() function returns to the calling code, your code doesn't actually do anything special when a negative value is detected. Any following code will still use the negative value in $_POST['amount'].
Monkuar (author), posted February 24, 2012

> Also in that code, if the message() function returns to the calling code, your code doesn't actually do anything special when a negative value is detected. Any following code will still use the negative value in $_POST['amount'].

```php
// Security
$_POST['amount'] = floatval($_POST['amount']);
if (!is_numeric($_POST['amount'])) {
    message($lang_common['Bad request']);
}
// Sender must hold at least the amount being sent.
if ($pun_user['gold'] < $_POST['amount']) {
    message('You do not have enough Gold');
}
if ($_POST['amount'] < 0) {
    message($lang_common['Bad request']);
}
```

Looking good now?
requinix, posted February 24, 2012

You don't need the is_numeric() check because you just floatval()ed it. It will be numeric. Or if you want to reject the request because it wasn't numeric (probably a good idea), move the is_numeric() to before you floatval() it.
Monkuar (author), posted February 24, 2012

> You don't need the is_numeric() check because you just floatval()ed it. It will be numeric. Or if you want to reject the request because it wasn't numeric (probably a good idea), move the is_numeric() to before you floatval() it.

Thank you, looking good now. I added more functions for if the user has less gold than they are trying to enter -> error out, etc. Ty.
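The three points raised in the thread (validate before casting, stop executing after a rejected value rather than relying on message() to abort, and check the sender's balance) can be combined into one small validation and transfer routine. The following is an added example written for this thread, not code from any poster or from the forum software; `parseAmount`, `transferGold` and the in-memory `$ledger` array are assumptions standing in for the real `$pun_user` row and database. It keeps gold as whole integers as in the first post, uses `filter_var` with `FILTER_VALIDATE_INT` (stricter than `is_numeric`, which also accepts forms like `1e3`) and returns from every failure path so that later code never sees a bad amount:

```php
<?php
declare(strict_types=1);

// Added example (not the thread's code). Validates the posted amount as a positive whole
// number before any arithmetic, then performs the transfer against an in-memory ledger
// (constructed stand-in for the users table) so it runs without a database.

/**
 * Validate a raw request value as a positive whole-number gold amount.
 * Returns the integer, or null when the value must be rejected.
 * FILTER_VALIDATE_INT rejects "12abc", "1e3", "2.5" and values beyond PHP_INT_MAX;
 * min_range rejects 0 and negatives, max_range caps a single transfer (assumed limit).
 */
function parseAmount(mixed $raw, int $max = 1_000_000): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays or other types from a tampered request
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Move $rawAmount gold from $from to $to inside $ledger.
 * Returns an error message on failure, or null on success.
 * Every failure returns immediately, so the debit below is never reached with a
 * rejected value; this is the point PFMaBiSmAd raised about message() returning.
 */
function transferGold(array &$ledger, string $from, string $to, mixed $rawAmount): ?string
{
    $amount = parseAmount($rawAmount);
    if ($amount === null) {
        return 'Bad request';
    }
    if ($from === $to || !isset($ledger[$from], $ledger[$to])) {
        return 'Bad request';
    }
    if ($ledger[$from] < $amount) {
        return 'You do not have enough Gold';
    }
    // Against a real database this step is a prepared statement inside one transaction,
    // e.g. "UPDATE users SET gold = gold - ? WHERE id = ? AND gold >= ?", so the balance
    // check and the debit cannot be separated by a concurrent request. No escaping is
    // needed for $amount: it is an int bound as a parameter, never interpolated into SQL.
    $ledger[$from] -= $amount;
    $ledger[$to]   += $amount;
    return null;
}

// Constructed sample balances and a set of posted values, good and bad.
$ledger = ['alice' => 500, 'bob' => 20];
foreach (['250', '-5', '0', '12abc', '1e3', '2.5', '600', '99999999999999999999'] as $raw) {
    $copy = $ledger; // fresh copy so each request starts from the same balances
    $err  = transferGold($copy, 'alice', 'bob', $raw);
    printf("%-24s => %s\n", var_export($raw, true),
        $err ?? "ok, alice={$copy['alice']} bob={$copy['bob']}");
}
```

Running it shows only `'250'` succeeding: `'600'` is rejected by the balance check and every other value by `parseAmount`. The ordering matters for the same reason requinix gave: the type check runs on the raw string, not on an already-cast number, so a malformed value is refused instead of silently becoming 0 or 12.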