Adding security to really crappy scripts.

CrackFeed.Com

Ok, you have a set of scripts that have NO data validation. Place this at the beginning of each script. The first snippet is for scripts that do not require Register_Globals.

PHP:
if (!function_exists('vdataLite')) {
	function vdataLite($value) {
		// Undo magic_quotes escaping so the raw value is what gets filtered.
		// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		if (!is_numeric($value)) {
			// Literal, case-sensitive blacklist; each token is removed in a single pass.
			$search = array('javascript:',
			                'document.location',
			                'vbscript:',
			                '?php');
			$value = str_replace($search, '', $value);
			// Drop HTML tags, then encode what is left so the browser renders it as text.
			$value = htmlentities(strip_tags(trim($value)));
		}
		return $value;
	}
}

// Filter every request value in place.
foreach ($_GET as $get_key => $get_value) {
	$_GET[$get_key] = vdataLite($get_value);
}
foreach ($_POST as $post_key => $post_value) {
	$_POST[$post_key] = vdataLite($post_value);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
	$_COOKIE[$cookie_key] = vdataLite($cookie_value);
}
// $_SESSION only exists after session_start(); skip the loop otherwise.
if (isset($_SESSION)) {
	foreach ($_SESSION as $session_key => $session_value) {
		$_SESSION[$session_key] = vdataLite($session_value);
	}
}

This is for scripts that DO require Register_Globals, and by using this snippet you can now KILL Register_Globals!

PHP:
if (!function_exists('vdataLite')) {
	function vdataLite($value) {
		// Undo magic_quotes escaping so the raw value is what gets filtered.
		// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		if (!is_numeric($value)) {
			// Literal, case-sensitive blacklist; each token is removed in a single pass.
			$search = array('javascript:',
			                'document.location',
			                'vbscript:',
			                '?php');
			$value = str_replace($search, '', $value);
			// Drop HTML tags, then encode what is left so the browser renders it as text.
			$value = htmlentities(strip_tags(trim($value)));
		}
		return $value;
	}
}

// Recreate register_globals: each request key becomes a global variable of
// that name, holding the filtered value.
foreach ($_GET as $get_key => $get_value) {
	$$get_key = vdataLite($get_value);
}
foreach ($_POST as $post_key => $post_value) {
	$$post_key = vdataLite($post_value);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
	$$cookie_key = vdataLite($cookie_value);
}
// $_SESSION only exists after session_start(); skip the loop otherwise.
if (isset($_SESSION)) {
	foreach ($_SESSION as $session_key => $session_value) {
		$$session_key = vdataLite($session_value);
	}
}

This code prevents cross-site scripting and whatnot, but does NOT prevent SQL injections. You will need to call mysql_real_escape_string() for each variable before inserting into SQL. These do mimic Register_Globals, but also secure your stuff.
 
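As an added example that is not part of the original post: the filter from the snippets above, reproduced with one portability guard, run over a handful of constructed inputs so the reader can see exactly what it changes and what it leaves alone, followed by the SQL injection case the post says the filter does not cover. The check harness, the input strings, the in-memory SQLite table and the lookupUser() helper are mine and are assumptions for the demonstration; the post's own advice was mysql_real_escape_string(), which PHP 7 removed, so the SQL half uses a PDO prepared statement in its place.

```php
<?php
// Added example (not code from the original post). Reproduces the posted
// vdataLite() filter, runs it over constructed inputs, and then shows the SQL
// injection case the post says the filter does not cover. Assumptions: PHP 7.4+
// on the command line with the pdo_sqlite extension available; the table, rows
// and input strings are constructed for this demonstration.

function vdataLite($value) {
    // get_magic_quotes_gpc() was removed in PHP 8.0; guard it so the filter
    // behaves the same on old and new interpreters.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        // Literal, case-sensitive blacklist applied in a single pass, as posted.
        $search = array('javascript:', 'document.location', 'vbscript:', '?php');
        $value = str_replace($search, '', $value);
        $value = htmlentities(strip_tags(trim($value)));
    }
    return $value;
}

// Constructed inputs as [input, expected output] pairs (a list rather than a
// map, because PHP would turn a key like '42' into the integer 42). Each
// expected value follows from the filter's definition above.
function filterCases() {
    return array(
        // Numeric strings are returned untouched.
        array('42', '42'),
        // Lowercase scheme removed by str_replace; tags removed by strip_tags.
        array('javascript:alert(1)', 'alert(1)'),
        array('<script>alert(1)</script>', 'alert(1)'),
        // str_replace is case-sensitive, so a capitalised scheme passes through.
        array('JavaScript:alert(1)', 'JavaScript:alert(1)'),
        // Single pass: removing the inner token rebuilds the outer one.
        array('javajavascript:script:alert(1)', 'javascript:alert(1)'),
        // Not numeric, no tags, nothing on the list: passes through unchanged.
        array('1 OR 1=1', '1 OR 1=1'),
    );
}

// Returns the cases whose actual output differs from the expected one.
function checkFilter(array $cases) {
    $mismatches = array();
    foreach ($cases as $case) {
        list($input, $expected) = $case;
        $got = vdataLite($input);
        if ($got !== $expected) {
            $mismatches[$input] = $got;
        }
    }
    return $mismatches;
}

// Look a user up by id, either with a prepared statement (the value is bound
// as one parameter) or by string concatenation (as a script with no SQL
// handling would do it). Returns the matching names.
function lookupUser(PDO $db, $id, $prepared) {
    if ($prepared) {
        $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
        $stmt->execute(array($id));
    } else {
        $stmt = $db->query('SELECT name FROM users WHERE id = ' . $id);
    }
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$mismatches = checkFilter(filterCases());
echo $mismatches ? "filter output differs from the cases above\n"
                 : "filter behaves as the cases above describe\n";

// In-memory SQLite stands in for MySQL here. mysql_real_escape_string(), which
// the post recommends, was removed in PHP 7.0; a prepared statement replaces it
// and removes the escaping question entirely.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

$id = vdataLite('1 OR 1=1');           // survives the filter as-is
print_r(lookupUser($db, $id, false));  // concatenated: the OR clause becomes part of the query
print_r(lookupUser($db, $id, true));   // bound: the whole string is compared to id as one value
```

Run it with `php filter_demo.php`. The two print_r() calls use the same filtered value; the difference between them is entirely in how the query is built, which is the point the post makes about needing separate SQL handling.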
Hey, I know this thread is old, but it's on the first page and has a slight error I noticed while reviewing it quickly that I wanted to point out in case anyone wanted to use it. The writer only creates the function vdataLite if the function vdataLite is not already created (so it doesn't interfere with other scripts). Well, if vdataLite already exists then it won't create the new function, and the four foreach loops will most likely return errors or mess something up. So here are some fixes:

Script that does not require Register_Globals:
PHP:
if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        // Undo magic_quotes escaping so the raw value is what gets filtered.
        // get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            // Literal, case-sensitive blacklist; each token is removed in a single pass.
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            // Drop HTML tags, then encode what is left so the browser renders it as text.
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }

    // The loops sit inside the function_exists() guard, so they run only the
    // first time this snippet is included.
    foreach ($_GET as $get_key => $get_value) {
        $_GET[$get_key] = vdataLite($get_value);
    }
    foreach ($_POST as $post_key => $post_value) {
        $_POST[$post_key] = vdataLite($post_value);
    }
    foreach ($_COOKIE as $cookie_key => $cookie_value) {
        $_COOKIE[$cookie_key] = vdataLite($cookie_value);
    }
    // $_SESSION only exists after session_start(); skip the loop otherwise.
    if (isset($_SESSION)) {
        foreach ($_SESSION as $session_key => $session_value) {
            $_SESSION[$session_key] = vdataLite($session_value);
        }
    }

}

Or, for scripts that DO require Register_Globals:
PHP:
if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        // Undo magic_quotes escaping so the raw value is what gets filtered.
        // get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            // Literal, case-sensitive blacklist; each token is removed in a single pass.
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            // Drop HTML tags, then encode what is left so the browser renders it as text.
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }

    // Recreate register_globals: each request key becomes a global variable of
    // that name. The loops sit inside the guard, so they run only once.
    foreach ($_GET as $get_key => $get_value) {
        $$get_key = vdataLite($get_value);
    }
    foreach ($_POST as $post_key => $post_value) {
        $$post_key = vdataLite($post_value);
    }
    foreach ($_COOKIE as $cookie_key => $cookie_value) {
        $$cookie_key = vdataLite($cookie_value);
    }
    // $_SESSION only exists after session_start(); skip the loop otherwise.
    if (isset($_SESSION)) {
        foreach ($_SESSION as $session_key => $session_value) {
            $$session_key = vdataLite($session_value);
        }
    }

}
 
Actually, it has returned no errors. Actually, if I were to place the foreach statements outside of the function, they'd get called more than once and throw errors. Also, because of how the foreach statements work, if there are for example no cookies set, then no action will be performed and this statement will be skipped entirely.
 