
I need to secure my code more

 

$_POST['amount'] = intval($_POST['amount']);
if ($_POST['amount'] <= 0) {
    message($lang_common['Bad request']);
}
if (!is_numeric($_POST['amount'])) {
    message($lang_common['Bad request']);
}

 

$_POST['amount'] will be the amount of gold people will be able to send to each other.

Any SQL injection vulnerabilities right now? If so, help.

I casted my intval and is_numeric on it.

Any other ways to secure it with PHP functions? As of right now it can only be numeric, right?

https://forums.phpfreaks.com/topic/257668-help-improve-my-security/

You intval()ed it. There's nothing else you have to do - including is_numeric() on it, because it will always be numeric (you made it so).

 

okay good,

I just don't want to get SQL injection hacked again, so I am trying everything possible.... I will even be escaping my ints just because I'm sick of hackers

Also in that code, if the message() function returns to the calling code, your code doesn't actually do anything special when a negative value is detected. Any following code will still use the negative value in $_POST['amount'].


//Security
$_POST['amount'] = floatval($_POST['amount']);
if (!is_numeric($_POST['amount'])) {
    message($lang_common['Bad request']);
}
if ($pun_user['gold'] < $_POST['amount']) {
    message('You do not have enough Gold');
}
if ($_POST['amount'] < 0) {
    message($lang_common['Bad request']);
}

 

Looking good now?

You don't need the is_numeric() check because you just floatval()ed it. It will be numeric.

Or if you want to reject the request because it wasn't numeric (probably a good idea), move the is_numeric() to before you floatval() it.


 

Thank you,

 

looking good now,

 

I added more functions for if the user has less gold than trying to enter -> error out/etc ty
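
The points raised in this thread (validate the raw input before casting it, stop the code path when validation fails, check the balance), as an added example that is not part of the original posts, with the amount passed to the database as a bound parameter. `parse_gold_amount`, `send_gold` and the `users(id, gold)` table are hypothetical names, and PHP 8 with the pdo_sqlite extension is assumed.

```php
<?php
// Hypothetical helper (not from the thread): returns a validated amount or throws.
// Throwing ends the code path, so a rejected value can never reach later code.
function parse_gold_amount(mixed $raw, int $balance): int
{
    // Validate the raw input before any cast: "12abc", "-5", "0" and arrays fail here.
    $amount = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($amount === false) {
        throw new InvalidArgumentException('Bad request');
    }
    if ($amount > $balance) {
        throw new InvalidArgumentException('You do not have enough Gold');
    }
    return $amount;
}

// Hypothetical transfer using bound parameters, so the amount is never part of the SQL text.
function send_gold(PDO $db, int $from, int $to, mixed $raw): int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT gold FROM users WHERE id = ?');
        $stmt->execute([$from]);
        $amount = parse_gold_amount($raw, (int) $stmt->fetchColumn());
        $db->prepare('UPDATE users SET gold = gold - ? WHERE id = ?')->execute([$amount, $from]);
        $db->prepare('UPDATE users SET gold = gold + ? WHERE id = ?')->execute([$amount, $to]);
        $db->commit();
        return $amount;
    } catch (Throwable $e) {
        $db->rollBack();   // nothing is written when validation fails
        throw $e;
    }
}

// Constructed demo data: in-memory SQLite with a hypothetical users(id, gold) table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, gold INTEGER NOT NULL)');
$db->exec('INSERT INTO users (id, gold) VALUES (1, 100), (2, 0)');

foreach (['25', '-5', '12abc', '1000'] as $raw) {   // constructed sample inputs
    try {
        $sent = send_gold($db, 1, 2, $raw);
        echo "$raw: sent $sent\n";
    } catch (InvalidArgumentException $e) {
        echo "$raw: rejected ({$e->getMessage()})\n";
    }
}
```

Unlike intval() followed by is_numeric(), this rejects input such as "12abc" outright rather than silently turning it into 12.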
