asmith Posted January 27, 2008

Hey guys, I will be working with PayPal, and I will work on a script which would pay the site's users from the site's PayPal account. Users will be allowed to specify an amount, with a limit of a number recorded in MySQL. For example, if a user has a "$5 discount", he can transfer no more than $5, and so on. I was wondering what things I should be careful about? I mean, is there any chance a user could crack MySQL (I don't know how, except injections) and update his "5" to "50" or "500"? Then... Any tips for what things I must be careful about? (I have no file uploading on the site, except that my forum has it, which is in another database with another SQL user. And all the text inputs have been verified, so no one can use my HTML text inputs for injections.)

P.S. Is there any difference between using MyISAM tables or InnoDB?

Thanks

Link to comment https://forums.phpfreaks.com/topic/88007-security/
laffin Posted January 27, 2008

You have to secure/validate any external variables. Example:

[code]<?php
// Deliberately insecure: $number comes straight from the query string
// and is used unvalidated in both HTML output and a SQL statement.
$number = $_GET['number'];
echo "$number X 5 = " . $number * 5;
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

This is very insecure, because we didn't validate $number. In the echo statement a malicious user can insert some JavaScript, which could lead to hacked accounts. Then you have it going into a MySQL statement without proper validation/sanitization, so you risk your whole DB being hacked.

[code]<?php
// Coerce the input to an integer and clamp it to the range we expect,
// so only a number between $min and $max ever reaches the output or the query.
function validate_number($number, $min = 0, $max = 100)
{
    $number = intval($number);
    if ($number < $min) $number = $min;
    if ($number > $max) $number = $max;
    return $number;
}

$number = validate_number($_GET['number'], 1, 10);
echo "$number X 5 = " . $number * 5;
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

intval converts a value into an integer, which is what the script is expecting. The min/max is a sample of validating our external variable and forcing it to conform to what we expect it to be. There is a lot more to injection attacks, but this is just a simple example.
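The following is an added example, not code from either poster, that carries the advice above through to the payout case asmith asked about: the amount the user types is validated strictly, the "no more than $5" limit is enforced by the database in the same statement that debits the balance, and the value is bound as a parameter rather than pasted into the SQL text. It uses Python and an in-memory sqlite3 database standing in for PHP and MySQL; the table layout, column names, the $1000 ceiling and the sample row are assumptions. The conditional UPDATE is one statement, so it is atomic on MyISAM as well as InnoDB; InnoDB's transactions only become necessary if the debit must be paired with other writes such as a payout log row.

```python
import re
import sqlite3

# Constructed schema standing in for the site's MySQL table (assumption: the
# thread never shows the real column names). Money is stored in whole cents so
# no floating-point rounding can creep in. The CHECK is defence in depth.
SCHEMA = """
CREATE TABLE users (
    id             INTEGER PRIMARY KEY,
    name           TEXT    NOT NULL,
    discount_cents INTEGER NOT NULL CHECK (discount_cents >= 0)
);
INSERT INTO users (id, name, discount_cents) VALUES (1, 'alice', 500);
"""

MAX_PAYOUT_CENTS = 100_000  # hypothetical site-wide ceiling ($1000)

# Only digits, optionally a dot and at most two more digits. Signs, spaces,
# exponents, extra decimals and SQL fragments are rejected outright rather
# than coerced, which is stricter than intval()'s "take the leading digits".
_AMOUNT_RE = re.compile(r"(\d{1,7})(?:\.(\d{1,2}))?")


def parse_cents(raw: str) -> int:
    """Turn user-supplied text like '5.00' into an integer number of cents.

    Raises ValueError on anything that is not a plain positive decimal amount
    within the ceiling, so a bad value never reaches the query at all.
    """
    m = _AMOUNT_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a valid amount: {raw!r}")
    dollars, frac = m.group(1), (m.group(2) or "").ljust(2, "0")
    cents = int(dollars) * 100 + int(frac)
    if cents == 0 or cents > MAX_PAYOUT_CENTS:
        raise ValueError(f"amount out of range: {cents} cents")
    return cents


def is_valid_amount(raw: str) -> bool:
    try:
        parse_cents(raw)
        return True
    except ValueError:
        return False


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def balance(conn: sqlite3.Connection, user_id: int) -> int:
    row = conn.execute(
        "SELECT discount_cents FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return row[0]


def unsafe_payout(conn: sqlite3.Connection, user_id: int, raw_amount: str) -> None:
    """The pattern the thread warns about: the form value is pasted into SQL.

    Whatever the user typed becomes part of the statement, so a SQL expression
    such as '(SELECT -49500)' is evaluated, and a negative number credits the
    account instead of debiting it while the WHERE check still passes.
    """
    conn.execute(
        f"UPDATE users SET discount_cents = discount_cents - {raw_amount} "
        f"WHERE id = {user_id} AND discount_cents >= {raw_amount}"
    )
    conn.commit()


def safe_payout(conn: sqlite3.Connection, user_id: int, raw_amount: str) -> bool:
    """Validate, then debit with one conditional, parameterised UPDATE.

    The limit check lives inside the UPDATE's WHERE clause, so the database
    enforces it on the current balance, and two requests racing for the same
    $5 cannot both succeed: the second finds the balance too low and changes
    zero rows. Returns True when exactly one row was debited.
    """
    cents = parse_cents(raw_amount)
    cur = conn.execute(
        "UPDATE users SET discount_cents = discount_cents - ? "
        "WHERE id = ? AND discount_cents >= ?",
        (cents, user_id, cents),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    unsafe_payout(db, 1, "(SELECT -49500)")   # the "$5 becomes $500" case
    print("after unsafe payout:", balance(db, 1))
    db = open_db()
    for raw in ("(SELECT -49500)", "-49500", "5.001", "3.00", "3.00"):
        try:
            result = safe_payout(db, 1, raw)
        except ValueError as e:
            result = f"rejected ({e})"
        print(f"{raw!r:>18} -> {result}, balance now {balance(db, 1)}")
```

The important difference from the clamped intval() approach is that out-of-range and non-numeric input is refused rather than silently adjusted, and the amount the user may transfer is checked against the stored balance by the database itself at the moment of the debit, not by a separate SELECT whose result could be stale by the time the UPDATE runs.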
asmith Posted January 27, 2008 (Author)

Thanks laffin for taking the time to write that code. Actually I am fully validating the GET variables, and those variables are not going to my SQL. There's no JavaScript used except for the page view, so I have used almost no JavaScript. And there's no text field that hasn't passed my full validation. I was just wondering whether some other tips were available, not about injections with variables.