Preventing XSS with $_POST?


I have a website with Flash games on it that uploads scores in a few of the games to MySQL database tables. Though recently a friend showed me he can perform cross-site scripting and insert scores via a carefully designed form on other websites and JavaScript by using my PHP file. Usually I know what to do with these things, but for some reason I can't figure this one out, or maybe I don't have a very good start at all. How can I make sure (with the following script) that the Flash files on my website are the only files utilizing a PHP file?

If it helps, here's the PHP file...

[code]$name_max = 16; # Maximum player name length allowed
$display_max = 100; # Maximum number of scores to display (multiple of 10)
$table_max = 125; # Maximum number of scores kept in table

# Body reconstructed from the success response below: report the error in the same key=value format and stop
function error_msg($msg)
{
   echo 'success=0&errorMsg=' . urlencode($msg);
   exit;
}

$player_name = isset($_POST['name']) ? $_POST['name'] : null;
$player_score = isset($_POST['score']) ? $_POST['score'] : null;
$game_name = isset($_POST['game']) ? $_POST['game'] : null;

# The game name becomes part of a table name, so only allow plain identifiers
if (!isset($game_name) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $game_name)) error_msg('Could not access game table.');
$table_name = 'games_' . strtolower($game_name);
$player_ip = $_SERVER['REMOTE_ADDR'];

# $db_hostname, $db_username, $db_password and $db_name must be defined before this point
$link = @mysql_pconnect($db_hostname, $db_username, $db_password) or error_msg('Could not connect to database.');
mysql_select_db($db_name) or error_msg('Could not access database.');

# Saving new score?
if (isset($player_score) && is_numeric($player_score) && isset($player_name) && strlen($player_name) > 0 && strlen($player_name) <= $name_max)
{
   # Escape the name before it goes into SQL; the score is forced to an integer
   $safe_name = mysql_real_escape_string($player_name);
   $safe_score = (int)$player_score;

   # Is this IP banned?
   $query = mysql_query('SELECT ip FROM games_banned_ip') or error_msg('Could not access database.');
   while ($row = mysql_fetch_row($query))
   {
      if ($player_ip == $row[0]) error_msg('Sorry, high scores have been disabled for your computer.');
   }

   # Has this name played already? Remember its current score while scanning
   $query = mysql_query("SELECT name, score FROM $table_name") or error_msg('Could not access database.');
   $num_rows = mysql_num_rows($query);
   $name_found = false;
   $existing_score = 0;
   while ($row = mysql_fetch_row($query))
   {
      if ($player_name == $row[0])
      {
         $name_found = true;
         $existing_score = (int)$row[1];
      }
   }

   if ($name_found)
   {
      # If name already exists, and score is good enough, update it
      if ($safe_score > $existing_score) mysql_query("UPDATE $table_name SET score='$safe_score' WHERE name='$safe_name'") or error_msg('Could not update score.');
   }
   else
   {
      # If scores table is full, check score and delete lowest entry before inserting
      if ($num_rows >= $table_max)
      {
         $query = mysql_query("SELECT name, score FROM $table_name ORDER BY score ASC LIMIT 0, 1") or error_msg('Could not retrieve scores.');
         $row = mysql_fetch_row($query);
         $good_score = ($safe_score > (int)$row[1]);
         if ($good_score) mysql_query("DELETE FROM $table_name WHERE name='" . mysql_real_escape_string($row[0]) . "'") or error_msg('Could not delete score.');
      }
      else $good_score = true;

      # Insert new name, score and ip
      if ($good_score) mysql_query("INSERT INTO $table_name VALUES ('$safe_name', '$safe_score', '$player_ip')") or error_msg('Could not insert score.');
   }
}

# Return new scores table (names are URL-encoded so a '&' or '=' in a name cannot break the format)
$query = mysql_query("SELECT name, score FROM $table_name ORDER BY score DESC LIMIT 0, $display_max") or error_msg('Could not retrieve scores.');
$i = 1;
echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
while ($row = mysql_fetch_row($query))
{
   echo "&name$i=" . urlencode($row[0]) . "&score$i=" . (int)$row[1];
   $i++;
}[/code]
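The question the post asks, whether the server can tell a request sent by the Flash file apart from one sent by any other HTTP client, has a short answer: it cannot, because both arrive as an ordinary POST that anyone can reproduce. What the server can do is validate every field, keep the table name out of user control, bind values with prepared statements, and require a signature over the score that a hand-built form would not carry. The endpoint below is an added example written for this thread, not the poster's code; the game whitelist, the PDO DSN and credentials, the `sig` field, and the placeholder `$shared_secret` are assumptions.

```php
<?php
// Hardened score endpoint (added example; assumptions are marked as such).

$name_max      = 16;
$display_max   = 100;
$allowed_games = array('asteroids', 'tetris'); // constructed whitelist of game names

// Secret shared with the Flash client. Assumed to be loaded from a config file
// outside the web root; the literal here is a placeholder.
$shared_secret = 'REPLACE-WITH-SERVER-SECRET';

// The client computes the same tag over game|name|score before posting.
function sign_score($secret, $game, $name, $score)
{
    return hash_hmac('sha256', $game . '|' . $name . '|' . $score, $secret);
}

// Returns an array of validated fields, or a string describing the problem.
function validate_submission(array $post, array $allowed_games, $name_max, $secret)
{
    foreach (array('game', 'name', 'score', 'sig') as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return 'Missing field: ' . $key;
        }
    }
    $game = strtolower($post['game']);
    if (!in_array($game, $allowed_games, true)) {        // table name never comes from the client
        return 'Unknown game.';
    }
    $name = $post['name'];
    if (!preg_match('/^[A-Za-z0-9 _-]{1,' . (int)$name_max . '}$/', $name)) {
        return 'Invalid player name.';
    }
    if (!preg_match('/^\d{1,9}$/', $post['score'])) {   // digits only, bounded length
        return 'Invalid score.';
    }
    $expected = sign_score($secret, $game, $name, $post['score']);
    if (!hash_equals($expected, $post['sig'])) {         // constant-time comparison
        return 'Signature mismatch.';
    }
    return array('game' => $game, 'name' => $name, 'score' => (int)$post['score']);
}

// Inserts a new player or raises an existing score. The table name comes from
// the whitelist; every client value goes through a bound parameter.
function save_score(PDO $pdo, $game, $name, $score, $ip)
{
    $table = 'games_' . $game;
    $stmt = $pdo->prepare("SELECT score FROM `$table` WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    $existing = $stmt->fetchColumn();
    if ($existing === false) {
        $stmt = $pdo->prepare("INSERT INTO `$table` (name, score, ip) VALUES (:name, :score, :ip)");
        $stmt->execute(array(':name' => $name, ':score' => $score, ':ip' => $ip));
    } elseif ($score > (int)$existing) {
        $stmt = $pdo->prepare("UPDATE `$table` SET score = :score WHERE name = :name");
        $stmt->execute(array(':score' => $score, ':name' => $name));
    }
}

// Builds the key=value response the Flash client parses. urlencode() is the
// output encoding for this format: a name containing '&' or '=' cannot inject keys.
function render_scores(array $rows, $display_max)
{
    $out = 'success=1&errorMsg=OK&maxScore=' . (int)$display_max;
    $i = 1;
    foreach ($rows as $row) {
        $out .= '&name' . $i . '=' . urlencode($row['name']) . '&score' . $i . '=' . (int)$row['score'];
        $i++;
    }
    return $out;
}

// Request handling.
$result = validate_submission($_POST, $allowed_games, $name_max, $shared_secret);
if (is_string($result)) {
    echo 'success=0&errorMsg=' . urlencode($result);
    exit;
}
// DSN and credentials are assumptions; substitute the site's real values.
$pdo = new PDO('mysql:host=localhost;dbname=games;charset=utf8', 'db_user', 'db_password',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
save_score($pdo, $result['game'], $result['name'], $result['score'], $_SERVER['REMOTE_ADDR']);
$stmt = $pdo->prepare('SELECT name, score FROM `games_' . $result['game'] . '` ORDER BY score DESC LIMIT ' . (int)$display_max);
$stmt->execute();
echo render_scores($stmt->fetchAll(PDO::FETCH_ASSOC), $display_max);
```

The signature is worth understanding for what it does and does not give. The secret has to live inside the SWF for the client to compute `sig`, and a SWF can be decompiled, so the check raises the cost of forging a score and lets you rotate the secret when a leak shows up in the logs; it does not make the endpoint usable only by your Flash file. The things that hold regardless of who is sending are the whitelist that keeps `$table_name` out of user control, the bound parameters, and the output encoding of names in the response. The original's IP-ban and table-cap logic fit naturally inside `save_score`.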
