


Preventing XSS with $_POST?



#1 Aldaron

Aldaron

Posted 04 March 2006 - 05:08 AM

I have a website with Flash games on it; a few of the games upload scores to MySQL database tables. Recently, though, a friend showed me he can perform cross-site scripting and insert scores by submitting a carefully designed form from another website, or from JavaScript, to my PHP file. Usually I know what to do with these things, but for some reason I can't figure this one out, or maybe I don't have a very good starting point at all. How can I make sure (with the following script) that the Flash files on my website are the only ones using the PHP file?

If it helps, here's the PHP file...

$name_max = 16;     # Longest player name accepted (checked with strlen, so bytes)
$display_max = 100; # Number of scores sent back to the client (keep a multiple of 10)
$table_max = 125;   # Rows retained per game table; the lowest score is pruned beyond this

function error_msg($msg)
{
   # Abort the request and report failure to the Flash client using the same
   # key=value reply format as a successful response; nothing runs after this.
   $reply = 'success=0&errorMsg=' . $msg;
   exit($reply);
}

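# Read the request fields without raising undefined-index notices; a notice
# printed here would end up inside the key=value reply the Flash client parses.
$player_name = isset($_POST['name']) ? $_POST['name'] : null;
$player_score = isset($_POST['score']) ? $_POST['score'] : null;
$game_name = isset($_POST['game']) ? $_POST['game'] : null;
$player_ip = $_SERVER['REMOTE_ADDR'];

# The game name is spliced into a table identifier, and identifiers cannot be
# escaped like quoted values, so only letters, digits and underscores are
# accepted. This is decided before any database work is done.
if (!isset($game_name) || !preg_match('/^[A-Za-z0-9_]+$/', $game_name)) error_msg('Could not access game table.');
$table_name = 'games_' . strtolower($game_name);

require_once("db.php");
# The @ keeps a connection warning out of the reply body; the failure itself is
# still reported through error_msg().
$link = @mysql_pconnect($db_hostname, $db_username, $db_password) or error_msg('Could not connect to database.');
mysql_select_db($db_name) or error_msg('Could not access database.');

# Saving new score?
if (isset($player_score) && is_numeric($player_score) && isset($player_name) && strlen($player_name) > 0 && strlen($player_name) <= $name_max)
{
   # Every request-derived value that reaches a query is escaped for this
   # connection. Escaping protects the SQL; it does not show that the request
   # came from the game client, which this script has no way to establish.
   $safe_name = mysql_real_escape_string($player_name, $link);
   $safe_score = mysql_real_escape_string($player_score, $link);
   $safe_ip = mysql_real_escape_string($player_ip, $link);

   # Is this IP banned? Let the database match it rather than scanning every
   # banned address in PHP.
   $query = mysql_query("SELECT ip FROM games_banned_ip WHERE ip='$safe_ip'") or error_msg('Could not access database.');
   if (mysql_num_rows($query) > 0) error_msg('Sorry, high scores have been disabled for your computer.');

   # Has this name played already? The whole table is read because its row
   # count also decides below whether the table is full.
   $query = mysql_query("SELECT name, score FROM $table_name") or error_msg('Could not access database.');
   $num_rows = mysql_num_rows($query);
   $name_found = false;
   $existing_score = null;
   while ($row = mysql_fetch_row($query))
   {
      if ($player_name === $row[0])
      {
         $name_found = true;
         $existing_score = $row[1];
         break;
      }
   }
   if ($name_found)
   {
      # Name already exists: keep the better of the two scores
      if (((int)$player_score) > ((int)$existing_score)) mysql_query("UPDATE $table_name SET score='$safe_score' WHERE name='$safe_name'") or error_msg('Could not update score.');
   }
   else
   {
      # If the table is full, the new score must beat the current lowest entry,
      # which is then deleted to make room
      $good_score = true;
      if ($num_rows >= $table_max)
      {
         $query = mysql_query("SELECT name, score FROM $table_name ORDER BY score ASC LIMIT 0, 1") or error_msg('Could not retrieve scores.');
         $row = mysql_fetch_row($query);
         $good_score = (((int)$player_score) > ((int)$row[1]));
         if ($good_score)
         {
            # The stored name is data too, so it is escaped before being reused in a query
            $lowest_name = mysql_real_escape_string($row[0], $link);
            mysql_query("DELETE FROM $table_name WHERE name='$lowest_name'") or error_msg('Could not delete score.');
         }
      }
      # Insert new name, score and ip
      if ($good_score) mysql_query("INSERT INTO $table_name VALUES ('$safe_name', '$safe_score', '$safe_ip')") or error_msg('Could not insert score.');
   }
}

# Return new scores table as key=value pairs. Values are percent-encoded so a
# stored '&' or '=' cannot split the reply into bogus fields.
# NOTE(review): assumes the Flash side URL-decodes values, as LoadVars does — confirm.
$query = mysql_query("SELECT name, score FROM $table_name ORDER BY score DESC LIMIT 0, $display_max") or error_msg('Could not retrieve scores.');
echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
$i = 1;
while ($row = mysql_fetch_row($query))
{
   echo '&name' . $i . '=' . rawurlencode($row[0]) . '&score' . $i . '=' . rawurlencode($row[1]);
   $i++;
}
mysql_close($link);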




