CrackFeed.Com
Ok, you have a set of scripts that have NO data validation. Place this at the beginning of each script. The first snippet is for scripts that do not require Register_Globals.
PHP:
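if (!function_exists('vdataLite')) {
    // Clean one request value: drop a few script-related strings,
    // strip tags and HTML-encode what is left.
    function vdataLite($value) {
        // Array parameters (e.g. name[]=x) are cleaned element by element.
        if (is_array($value)) {
            return array_map('vdataLite', $value);
        }
        // Non-string values (session integers, objects, null) pass through.
        if (!is_string($value)) {
            return $value;
        }
        // get_magic_quotes_gpc() no longer exists in PHP 8, so check first.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            // ENT_QUOTES also encodes single quotes.
            $value = htmlentities(strip_tags(trim($value)), ENT_QUOTES);
        }
        return $value;
    }
}

// Overwrite every superglobal entry with its cleaned value.
foreach ($_GET as $get_key => $get_value) {
    $_GET[$get_key] = vdataLite($get_value);
}
foreach ($_POST as $post_key => $post_value) {
    $_POST[$post_key] = vdataLite($post_value);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
    $_COOKIE[$cookie_key] = vdataLite($cookie_value);
}
// $_SESSION only exists after session_start().
if (isset($_SESSION)) {
    foreach ($_SESSION as $session_key => $session_value) {
        $_SESSION[$session_key] = vdataLite($session_value);
    }
}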
This is for scripts that DO require Register_Globals, and by using this snippet you can now KILL Register_Globals!
PHP:
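if (!function_exists('vdataLite')) {
    // Clean one request value: drop a few script-related strings,
    // strip tags and HTML-encode what is left.
    function vdataLite($value) {
        // Array parameters (e.g. name[]=x) are cleaned element by element.
        if (is_array($value)) {
            return array_map('vdataLite', $value);
        }
        // Non-string values (session integers, objects, null) pass through.
        if (!is_string($value)) {
            return $value;
        }
        // get_magic_quotes_gpc() no longer exists in PHP 8, so check first.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            // ENT_QUOTES also encodes single quotes.
            $value = htmlentities(strip_tags(trim($value)), ENT_QUOTES);
        }
        return $value;
    }
}

// Create a variable named after every request key, as Register_Globals did.
// Note: a request key overwrites any variable of the same name that already
// exists in this scope, so run this before the script sets its own variables.
foreach ($_GET as $get_key => $get_value) {
    $$get_key = vdataLite($get_value);
}
foreach ($_POST as $post_key => $post_value) {
    $$post_key = vdataLite($post_value);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
    $$cookie_key = vdataLite($cookie_value);
}
// $_SESSION only exists after session_start().
if (isset($_SESSION)) {
    foreach ($_SESSION as $session_key => $session_value) {
        $$session_key = vdataLite($session_value);
    }
}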
This code prevents cross-site scripting and whatnot, but does NOT prevent SQL injections. You will need to call mysql_real_escape_string() for each variable before inserting into SQL. These do mimic Register_Globals, but also secure your stuff.
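An added example, not part of the original post: a narrower variant of the second snippet that imports only an allowlist of expected parameter names and never overwrites a variable the script has already set. The names cleanValue and importRequestVars, the parameter names and the sample request are hypothetical, and cleanValue is a condensed stand-in for vdataLite().

```php
<?php
// Added example: allowlisted replacement for the "$$key = ..." loops.
// cleanValue, importRequestVars and the sample keys are hypothetical names.

// Condensed stand-in for vdataLite(): strip tags and HTML-encode strings.
function cleanValue($value) {
    if (is_array($value)) {
        return array_map('cleanValue', $value);
    }
    if (!is_string($value) || is_numeric($value)) {
        return $value;
    }
    return htmlentities(strip_tags(trim($value)), ENT_QUOTES);
}

// Return cleaned values for the expected names only; any other key in the
// request is ignored. Later entries in $sources win over earlier ones.
function importRequestVars(array $allowed, array $sources) {
    $vars = array();
    foreach ($sources as $source) {
        foreach ($allowed as $name) {
            if (array_key_exists($name, $source)) {
                $vars[$name] = cleanValue($source[$name]);
            }
        }
    }
    return $vars;
}

// Constructed sample request: one expected key and one key that shares its
// name with a variable the script relies on.
$sampleGet = array(
    'page'     => ' <b>news</b> ',
    'is_admin' => '1',
);
$is_admin = false; // set by the script's own login check

// Only 'page' and 'sort' may become variables.
$vars = importRequestVars(array('page', 'sort'), array($sampleGet));

// EXTR_SKIP keeps any variable that already exists in this scope.
extract($vars, EXTR_SKIP);

var_dump($page);        // cleaned value of the allowlisted key
var_dump($is_admin);    // still the script's own value
var_dump(isset($sort)); // allowlisted but absent from the request
```

In a real script the second argument would be array($_GET, $_POST, $_COOKIE) in the order the original snippet processes them.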