
Preventing XSS with $_POST?


Aldaron


I have a website with Flash games on it that uploads scores in a few of the games to MySQL database tables. Though recently a friend showed me he can perform cross-site scripting and insert scores via a carefully designed form via websites and JavaScript by using my PHP file. Usually I know what to do with these things, but for some reason I can't figure this one out, or maybe I don't have a very good start at all. How can I make sure (with the following script) that the Flash files on my website are the only files utilizing a PHP file?

If it helps, here's the PHP file...

[code]$name_max = 16; # Maximum player name length allowed
$display_max = 100; # Maximum number of scores to display (multiple of 10)
$table_max = 125; # Maximum number of scores kept in table

function error_msg($msg)
{
   exit("success=0&errorMsg=$msg");
}

# Check the game field before it is used to build the table name
if (!isset($_POST['game'])) error_msg('Could not access game table.');
$player_name = isset($_POST['name']) ? $_POST['name'] : null;
$player_score = isset($_POST['score']) ? $_POST['score'] : null;
$game_name = $_POST['game'];

$table_name = 'games_' . strtolower($game_name);
$player_ip = $_SERVER['REMOTE_ADDR'];
require_once("db.php");
$link = @mysql_pconnect($db_hostname, $db_username, $db_password) or error_msg('Could not connect to database.');
mysql_select_db($db_name) or error_msg('Could not access database.');
# Saving new score?
if (isset($player_score) && is_numeric($player_score) && isset($player_name) && strlen($player_name) > 0 && strlen($player_name) <= $name_max)
{
   # Is this IP banned?
   $query = mysql_query('SELECT ip FROM games_banned_ip') or error_msg('Could not access database.');
   while ($row = mysql_fetch_row($query))
   {
      if ($player_ip == $row[0]) error_msg('Sorry, high scores have been disabled for your computer.');
   }
   # Has this name played already? (on a match, $row keeps that name's row)
   $query = mysql_query("SELECT name, score FROM $table_name") or error_msg('Could not access database.');
   $num_rows = mysql_num_rows($query);
   $name_found = false;
   while ($row = mysql_fetch_row($query))
   {
      if ($player_name == $row[0])
      {
         $name_found = true;
         break;
      }
   }
   if ($name_found)
   {
      # If name already exists, and score is good enough, update it
      if (((int)$player_score) > ((int)$row[1])) mysql_query("UPDATE $table_name SET score='$player_score' WHERE name='$player_name'") or error_msg('Could not update score.');
   }
   else
   {
      # If scores table is full, check score and delete lowest entry before inserting
      if ($num_rows >= $table_max)
      {
         $query = mysql_query("SELECT name, score FROM $table_name ORDER BY score ASC LIMIT 0, 1") or error_msg('Could not retrieve scores.');
         $row = mysql_fetch_row($query);
         $good_score = (((int)$player_score) > ((int)$row[1]));
         if ($good_score) mysql_query("DELETE FROM $table_name WHERE name='$row[0]'") or error_msg('Could not delete score.');
      }
      else $good_score = true;
      # Insert new name, score and ip
      if ($good_score) mysql_query("INSERT INTO $table_name VALUES ('$player_name', '$player_score', '$player_ip')") or error_msg('Could not insert score.');
   }
}
# Return new scores table
$query = mysql_query("SELECT name, score FROM $table_name ORDER BY score DESC LIMIT 0, $display_max") or error_msg('Could not retrieve scores.');
$i = 1;
echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
while ($row = mysql_fetch_row($query))
{
   echo "&name$i=$row[0]&score$i=$row[1]";
   $i++;
}
mysql_close($link);[/code]
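The script above has two separate problems, and it helps to name them apart from "XSS". First, the server cannot tell a Flash client from any other HTTP client: a hand-built form, curl or a script on another site can POST the same three fields, and nothing embedded in a SWF can be kept secret because the SWF can be downloaded and decompiled. Second, `game`, `name` and `score` are placed straight into SQL strings, so the table name and the `WHERE name='...'` clauses are injectable, and stored names are echoed back unescaped into the `key=value` format the client parses. The following is an added example, not the poster's code, of a hardened save-score handler. It assumes PHP 7+, that `db.php` defines `$db_hostname`, `$db_username`, `$db_password` and `$db_name` as on the page, that each score table is `games_<game>` with columns `(name, score, ip)` as implied by the page's INSERT, and a hypothetical `?start=<game>` request that the Flash client makes when a game begins to obtain a per-session, single-use token (the whitelist of game ids and the score ceiling are constructed values). It raises the bar against third-party pages and replayed captures; it cannot stop a user who fetches a token and posts a score by hand, so the database side must stay robust regardless.

```php
<?php
// Added example (not the original poster's code). Assumptions: PHP 7+, db.php
// defines $db_hostname/$db_username/$db_password/$db_name, score tables are
// games_<game>(name, score, ip), and a hypothetical "?start=<game>" call issues
// the token the client later sends back as the "token" POST field.
session_start();
require_once 'db.php';

$name_max    = 16;
$display_max = 100;
$table_max   = 125;
$token_ttl   = 3600;                 // seconds a start token stays valid (constructed)
$games       = ['tetris', 'snake'];  // constructed whitelist of game ids
$score_cap   = 1000000;              // constructed ceiling; tune per game

function error_msg($msg) { exit('success=0&errorMsg=' . urlencode($msg)); }

// Step 1: a game starts -> hand the client a random nonce bound to this session and game.
if (isset($_GET['start'])) {
    $game = strtolower($_GET['start']);
    if (!in_array($game, $games, true)) error_msg('Unknown game.');
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['score_token'] = ['nonce' => $nonce, 'game' => $game, 'issued' => time()];
    exit('success=1&token=' . $nonce);
}

// Step 2: validate every field before the database is touched.
$game  = isset($_POST['game'])  ? strtolower($_POST['game']) : '';
$name  = isset($_POST['name'])  ? trim($_POST['name'])       : '';
$score = isset($_POST['score']) ? $_POST['score']            : '';
$token = isset($_POST['token']) ? $_POST['token']            : '';

if (!in_array($game, $games, true)) error_msg('Could not access game table.');
$table = 'games_' . $game;   // built only from the whitelist entry, never from raw input

$saving = false;
if ($name !== '' || $score !== '') {
    $t = isset($_SESSION['score_token']) ? $_SESSION['score_token'] : null;
    if ($t === null || $t['game'] !== $game || time() - $t['issued'] > $token_ttl
        || !hash_equals($t['nonce'], $token)) {
        error_msg('Invalid or expired submission token.');
    }
    unset($_SESSION['score_token']);   // single use: replaying a captured POST fails
    if (!preg_match('/^[A-Za-z0-9 _-]{1,' . $name_max . '}$/', $name)) error_msg('Bad name.');
    if (!ctype_digit($score) || (int)$score > $score_cap) error_msg('Bad score.');
    $score  = (int)$score;
    $saving = true;
}

try {
    $pdo = new PDO("mysql:host=$db_hostname;dbname=$db_name;charset=utf8mb4",
                   $db_username, $db_password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    if ($saving) {
        $ip = $_SERVER['REMOTE_ADDR'];
        $st = $pdo->prepare('SELECT 1 FROM games_banned_ip WHERE ip = ?');
        $st->execute([$ip]);
        if ($st->fetchColumn()) error_msg('Sorry, high scores have been disabled for your computer.');

        // Same rules as the original: update an existing name only if the score improves,
        // otherwise insert, evicting the lowest entry when the table is full.
        $st = $pdo->prepare("SELECT score FROM $table WHERE name = ?");
        $st->execute([$name]);
        $old = $st->fetchColumn();
        if ($old !== false) {
            if ($score > (int)$old) {
                $pdo->prepare("UPDATE $table SET score = ? WHERE name = ?")->execute([$score, $name]);
            }
        } else {
            $count = (int)$pdo->query("SELECT COUNT(*) FROM $table")->fetchColumn();
            $good  = true;
            if ($count >= $table_max) {
                $low  = $pdo->query("SELECT name, score FROM $table ORDER BY score ASC LIMIT 1")->fetch(PDO::FETCH_NUM);
                $good = $score > (int)$low[1];
                if ($good) $pdo->prepare("DELETE FROM $table WHERE name = ?")->execute([$low[0]]);
            }
            if ($good) $pdo->prepare("INSERT INTO $table (name, score, ip) VALUES (?, ?, ?)")->execute([$name, $score, $ip]);
        }
    }

    // Step 3: return the table, URL-encoding names so a stored name cannot break
    // the key=value format the client parses.
    $st = $pdo->prepare("SELECT name, score FROM $table ORDER BY score DESC LIMIT ?");
    $st->bindValue(1, $display_max, PDO::PARAM_INT);
    $st->execute();
    echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
    $i = 1;
    while ($row = $st->fetch(PDO::FETCH_NUM)) {
        echo '&name' . $i . '=' . urlencode($row[0]) . '&score' . $i . '=' . (int)$row[1];
        $i++;
    }
} catch (PDOException $e) {
    error_msg('Could not access database.');   // never echo $e->getMessage() to the client
}
```

The token check only helps because the nonce lives in the server-side session and is returned to the client that started the game: a page on another origin cannot read that response, and a replayed capture fails because the nonce is consumed on first use. Everything else (whitelisted table names, prepared statements, a bounded integer score, a name pattern, URL-encoded output) protects the database and the client whatever the submitter is, which is where the real guarantee has to live. A per-IP rate limit on submissions is a sensible addition on top of the existing ban list.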