Aldaron Posted March 4, 2006 Share Posted March 4, 2006 I have a website with Flash games on it that uploads scores in a few of the games to MySQL database tables. Though recently a friend showed me he can preform cross-site scripting and insert scores via a carefully designed form via websites and Javascripts by using my PHP file. Usually I know what to do with these things, but for some reason I can't figure this one out, or maybe I don't have a very good start at all. How can I make sure (with the following script) that the Flash files on my website are the only files utilizing a PHP file?If it helps, here's the PHP file...[code]$name_max = 16; # Maximum player name length allowed$display_max = 100; # Maximum number of scores to display (multiple of 10)$table_max = 125; # Maximum number of scores kept in tablefunction error_msg($msg){ exit("success=0&errorMsg=$msg");}$player_name = $_POST['name'];$player_score = $_POST['score'];$game_name = $_POST['game'];$table_name = 'games_' . strtolower($game_name);$player_ip = $_SERVER['REMOTE_ADDR'];if (!isset($game_name)) error_msg('Could not access game table.');require_once("db.php");$link = @mysql_pconnect($db_hostname, $db_username, $db_password) or error_msg('Could not connect to database.');mysql_select_db($db_name) or error_msg('Could not access database.');# Saving new score?if (isset($player_score) && is_numeric($player_score) && isset($player_name) && strlen($player_name) > 0 && strlen($player_name) <= $name_max){ # Is this IP banned? $query = mysql_query('SELECT ip FROM games_banned_ip') or error_msg('Could not access database.'); while ($row = mysql_fetch_row($query)) { if ($player_ip == $row[0]) error_msg('Sorry, high scores have been disabled for your computer.'); } # Has this name played already? $query = mysql_query("SELECT name, score FROM $table_name") or error_msg('Could not access database.'); $num_rows = mysql_num_rows($query); $name_found = false; while ($row = mysql_fetch_row($query)) { if ($player_name == $row[0]) { $name_found = true; break; } } if ($name_found) { # If name already exists, and score is good enough, update it if (((int)$player_score) > ((int)$row[1])) mysql_query("UPDATE $table_name SET score='$player_score' WHERE name='$player_name'") or error_msg('Could not update score.'); } else { # If scores table is full, check score and delete lowest entry before inserting if ($num_rows >= $table_max) { $query = mysql_query("SELECT name, score FROM $table_name ORDER BY score ASC LIMIT 0, 1") or error_msg('Could not retrieve scores.'); $row = mysql_fetch_row($query); $good_score = (((int)$player_score) > ((int)$row[1])); if ($good_score) mysql_query("DELETE FROM $table_name WHERE name='$row[0]'") or error_msg('Could not delete score.'); } else $good_score = true; # Insert new name, score and ip if ($good_score) mysql_query("INSERT INTO $table_name VALUES ('$player_name', '$player_score', '$player_ip')") or error_msg('Could not insert score.'); }}# Return new scores table$query = mysql_query("SELECT name, score FROM $table_name ORDER BY score DESC LIMIT 0, $display_max") or error_msg('Could not retrieve scores.');$i = 1;echo 'success=1&errorMsg=OK&maxScore=' . $display_max;while ($row = mysql_fetch_row($query)){ echo "&name$i=$row[0]&score$i=$row[1]"; $i++;}mysql_close($link);[/code] Quote Link to comment https://forums.phpfreaks.com/topic/4067-preventing-xss-with-_post/ Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.