asmith Posted January 27, 2008

Hey guys, I will be working with PayPal, and I will work on some script which would pay the site users from the site's PayPal account. Users will be allowed to specify an amount with a limit of a number recorded in MySQL. For example, if a user has a "5$ discount", he can transfer no more than 5$ and ... I was wondering what things should I be careful about? I mean, is there any chance a user could crack MySQL (I don't know how, except injections) and update his "5" to "50" or "500"? Then ... any tips for what things I must be careful about? (I have no file uploading on the site (except my forum has, which is in another database with another SQL user), and all the text inputs have been verified, so no one can use my HTML text inputs for injections.)

P.S. Is there any difference between using MyISAM tables or InnoDB?

Thanks
laffin Posted January 27, 2008

You have to secure / validate any external variables. Example:

[code]<?php
// Deliberately insecure: $number is used unvalidated in both the HTML output and the SQL.
$number = $_GET['number'];
echo "$number X 5 = " . $number * 5;
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

This is very insecure, because we didn't validate $number. In the echo statement a malicious user can insert some JavaScript, which could lead to hacked accounts. Then you have it going to a MySQL statement, without proper validation/sanitization; you risk your whole db being hacked.

[code]<?php
// Coerce the input to an integer and clamp it to the range the script expects.
function validate_number($number, $min = 0, $max = 100)
{
    $number = intval($number);
    if ($number < $min) $number = $min;
    if ($number > $max) $number = $max;
    return $number;
}

$number = validate_number($_GET['number'], 1, 10);
echo "$number X 5 = " . $number * 5;
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

intval converts a value into an integer, what the script is expecting. The min/max is a sample of validating our external variable and forcing it to conform to what we expect it to be. There is a lot more to injection attacks but this is just a simple example.
asmith (Author) Posted January 27, 2008

Thanks laffin for taking the time and writing those codes. Actually, I have fully validated the GET variables, and also those variables are not going to my SQL. There's no JavaScript used except for the page view, so I have used almost no JavaScript. And there's no text field that hasn't passed my full validation. I was just wondering whether maybe some other tips were available, not about injections with variables.
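As an added example (not code from this thread), here is one way to enforce the per-user limit asmith describes on the server side: laffin's integer validation combined with a prepared statement and a single conditional UPDATE, so the limit check and the deduction cannot be separated by a second concurrent request. The `users` table, its column names and the in-memory SQLite database are assumptions; the sample row is constructed.

```php
<?php
// Added example: the payout limit lives in the database row, never in the
// request, and the "enough credit?" check and the deduction are one statement.
// Uses an in-memory SQLite DB (constructed sample data) so it runs offline;
// swap the DSN for MySQL in production. Table/column names are assumptions.

function validate_amount_cents($raw, int $max): int {
    // Accept only a plain integer number of cents; anything else becomes 0.
    if (!is_string($raw) || !preg_match('/^[0-9]{1,9}$/', $raw)) {
        return 0;
    }
    $cents = (int)$raw;
    return ($cents > $max) ? $max : $cents;
}

/**
 * Atomically deduct $cents from the user's remaining credit.
 * Returns true only if the row still had at least $cents; the WHERE clause
 * makes the limit check and the deduction a single atomic statement.
 */
function request_payout(PDO $db, int $userId, int $cents): bool {
    if ($cents <= 0) {
        return false;
    }
    // Two placeholders for the same value: reusing one name fails on
    // drivers that use native (non-emulated) prepares.
    $stmt = $db->prepare(
        'UPDATE users SET credit_cents = credit_cents - :c '
        . 'WHERE id = :id AND credit_cents >= :c2'
    );
    $stmt->execute([':c' => $cents, ':id' => $userId, ':c2' => $cents]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, credit_cents INTEGER NOT NULL)');
$db->exec('INSERT INTO users VALUES (1, 500)'); // constructed: a $5.00 discount

$first  = request_payout($db, 1, validate_amount_cents('300', 500));   // true, 200 left
$second = request_payout($db, 1, validate_amount_cents('300', 500));   // false, only 200 left
$third  = request_payout($db, 1, validate_amount_cents('50000', 500)); // clamped to 500, false
$fourth = request_payout($db, 1, validate_amount_cents('5; DROP', 500)); // rejected, false
var_dump($first, $second, $third, $fourth);
```

A single UPDATE is atomic on both MyISAM and InnoDB, but only InnoDB gives you transactions if the deduction later has to be committed together with a payout record.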