Adding security to reall crappy scripts.

CrackFeed.Com · 04-17-2010, 09:00 AM

Ok, you have a set of scripts that have NO data validation. Place this at the beginning of each script. The first snippet is for scripts that do not require Register_Globals.

PHP Code:

  if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            $search = array('javascript:',  
                            'document.location', 
                            'vbscript:', 
                            '?php'); 
            $value = str_replace($search, '', $value); 
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }
}

foreach ($_GET as $get_key => $get_value) {
    $_GET[$get_key] = vdataLITE($_GET[$get_key]);
}
foreach ($_POST as $post_key => $post_value) {
    $_POST[$post_key] = vdataLITE($_POST[$post_key]);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
    $_COOKIE[$cookie_key] = vdataLITE($_COOKIE[$cookie_key]);
}
foreach ($_SESSION as $session_key => $session_value) {
????: NamePros.com http://www.namepros.com/code/651483-adding-security-to-reall-crappy-scripts.html
    $_SESSION[$session_key] = vdataLITE($_SESSION[$session_key]);
}

This is for scripts that DO require Register_Globals, and by using this snippet you can now KILL Register_Globals!

PHP Code:

  if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            $search = array('javascript:',  
                            'document.location', 
                            'vbscript:', 
                            '?php'); 
            $value = str_replace($search, '', $value); 
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }
}

foreach ($_GET as $get_key => $get_value) {
    $$get_key = vdataLITE($_GET[$get_key]);
}
foreach ($_POST as $post_key => $post_value) {
    $$post_key = vdataLITE($_POST[$post_key]);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
    $$cookie_key = vdataLITE($_COOKIE[$cookie_key]);
????: NamePros.com http://www.namepros.com/showthread.php?t=651483
}
foreach ($_SESSION as $session_key => $session_value) {
    $$session_key = vdataLITE($_SESSION[$session_key]);
}

This code prevents cross site scripting and what not, but does NOT prevent SQL injections. You will need to call mysql_real_escape_string() for each variable before inserting into sql. These do mimic Register_Globals, but also secures your stuff.

thekooliest · 07-13-2010, 08:54 AM

Hey, I know this thread is old but it's on the first page and has a slight error from reviewing it quickly that I wanted to point out in case anyone wanted to use it. The writer only creates the function vdataLite if the function vdataLite is not already created (so it doesn't interfere with other scripts). Well if vdataLite already exists then it won't create the knew function and the 4 foreach's will most likely return errors or mess something up. So here are some fixes:

Script that does not require Register_Globals:

PHP Code:

  if (!function_exists('vdataLite')) {

    function vdataLite($value) {

        if (get_magic_quotes_gpc()) {

            $value = stripslashes($value);

        }

        if (!is_numeric($value)) {

            $search = array('javascript:',  

                            'document.location', 

                            'vbscript:', 

                            '?php'); 

????: NamePros.com http://www.namepros.com/showthread.php?t=651483
            $value = str_replace($search, '', $value); 

            $value = htmlentities(strip_tags(trim($value)));

        }

        return $value;

    }

 
    foreach ($_GET as $get_key => $get_value) {

        $_GET[$get_key] = vdataLITE($_GET[$get_key]);

    }

    foreach ($_POST as $post_key => $post_value) {

        $_POST[$post_key] = vdataLITE($_POST[$post_key]);

    }

    foreach ($_COOKIE as $cookie_key => $cookie_value) {

        $_COOKIE[$cookie_key] = vdataLITE($_COOKIE[$cookie_key]);

    }

    foreach ($_SESSION as $session_key => $session_value) {

        $_SESSION[$session_key] = vdataLITE($_SESSION[$session_key]);

    }  

 
}

or scripts that DO require Register_Globals:

PHP Code:

  if (!function_exists('vdataLite')) {

    function vdataLite($value) {

        if (get_magic_quotes_gpc()) {

            $value = stripslashes($value);

        }

        if (!is_numeric($value)) {

            $search = array('javascript:',  

                            'document.location', 

????: NamePros.com http://www.namepros.com/showthread.php?t=651483
                            'vbscript:', 

                            '?php'); 

            $value = str_replace($search, '', $value); 

            $value = htmlentities(strip_tags(trim($value)));

        }

        return $value;

    }

 
    foreach ($_GET as $get_key => $get_value) {

        $$get_key = vdataLITE($_GET[$get_key]);

    }

    foreach ($_POST as $post_key => $post_value) {

        $$post_key = vdataLITE($_POST[$post_key]);

    }

    foreach ($_COOKIE as $cookie_key => $cookie_value) {

        $$cookie_key = vdataLITE($_COOKIE[$cookie_key]);

    }

    foreach ($_SESSION as $session_key => $session_value) {

        $$session_key = vdataLITE($_SESSION[$session_key]);

    }  

 
}

CrackFeed.Com · 12-17-2010, 01:22 PM

Actually, it has returned no errors. Actually, if I were to place the foreach statements outside of the function, they'd get called more than once and through errors. Also, how the foreach statements work, if there are for example no cookies set, then no action will be performed and this statement will be skipped entirely.

04-17-2010, 09:00 AM	THREAD STARTER #1 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	Adding security to reall crappy scripts. Ok, you have a set of scripts that have NO data validation. Place this at the beginning of each script. The first snippet is for scripts that do not require Register_Globals. PHP Code: if (!function_exists('vdataLite')) { function vdataLite($value) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { $search = array('javascript:', 'document.location', 'vbscript:', '?php'); $value = str_replace($search, '', $value); $value = htmlentities(strip_tags(trim($value))); } return $value; } } foreach ($_GET as $get_key => $get_value) { $_GET[$get_key] = vdataLITE($_GET[$get_key]); } foreach ($_POST as $post_key => $post_value) { $_POST[$post_key] = vdataLITE($_POST[$post_key]); } foreach ($_COOKIE as $cookie_key => $cookie_value) { $_COOKIE[$cookie_key] = vdataLITE($_COOKIE[$cookie_key]); } foreach ($_SESSION as $session_key => $session_value) { ????: NamePros.com http://www.namepros.com/code/651483-adding-security-to-reall-crappy-scripts.html $_SESSION[$session_key] = vdataLITE($_SESSION[$session_key]); } This is for scripts that DO require Register_Globals, and by using this snippet you can now KILL Register_Globals! PHP Code: if (!function_exists('vdataLite')) { function vdataLite($value) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { $search = array('javascript:', 'document.location', 'vbscript:', '?php'); $value = str_replace($search, '', $value); $value = htmlentities(strip_tags(trim($value))); } return $value; } } foreach ($_GET as $get_key => $get_value) { $$get_key = vdataLITE($_GET[$get_key]); } foreach ($_POST as $post_key => $post_value) { $$post_key = vdataLITE($_POST[$post_key]); } foreach ($_COOKIE as $cookie_key => $cookie_value) { $$cookie_key = vdataLITE($_COOKIE[$cookie_key]); ????: NamePros.com http://www.namepros.com/showthread.php?t=651483 } foreach ($_SESSION as $session_key => $session_value) { $$session_key = vdataLITE($_SESSION[$session_key]); } This code prevents cross site scripting and what not, but does NOT prevent SQL injections. You will need to call mysql_real_escape_string() for each variable before inserting into sql. These do mimic Register_Globals, but also secures your stuff. Last edited by CrackFeed.Com; 04-17-2010 at 09:03 AM.

07-13-2010, 08:54 AM	#2 (permalink)
thekooliest NamePros Member Join Date: Jan 2009 Posts: 181	Hey, I know this thread is old but it's on the first page and has a slight error from reviewing it quickly that I wanted to point out in case anyone wanted to use it. The writer only creates the function vdataLite if the function vdataLite is not already created (so it doesn't interfere with other scripts). Well if vdataLite already exists then it won't create the knew function and the 4 foreach's will most likely return errors or mess something up. So here are some fixes: Script that does not require Register_Globals: PHP Code: if (!function_exists('vdataLite')) { function vdataLite($value) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { $search = array('javascript:', 'document.location', 'vbscript:', '?php'); ????: NamePros.com http://www.namepros.com/showthread.php?t=651483 $value = str_replace($search, '', $value); $value = htmlentities(strip_tags(trim($value))); } return $value; } foreach ($_GET as $get_key => $get_value) { $_GET[$get_key] = vdataLITE($_GET[$get_key]); } foreach ($_POST as $post_key => $post_value) { $_POST[$post_key] = vdataLITE($_POST[$post_key]); } foreach ($_COOKIE as $cookie_key => $cookie_value) { $_COOKIE[$cookie_key] = vdataLITE($_COOKIE[$cookie_key]); } foreach ($_SESSION as $session_key => $session_value) { $_SESSION[$session_key] = vdataLITE($_SESSION[$session_key]); } } or scripts that DO require Register_Globals: PHP Code: if (!function_exists('vdataLite')) { function vdataLite($value) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { $search = array('javascript:', 'document.location', ????: NamePros.com http://www.namepros.com/showthread.php?t=651483 'vbscript:', '?php'); $value = str_replace($search, '', $value); $value = htmlentities(strip_tags(trim($value))); } return $value; } foreach ($_GET as $get_key => $get_value) { $$get_key = vdataLITE($_GET[$get_key]); } foreach ($_POST as $post_key => $post_value) { $$post_key = vdataLITE($_POST[$post_key]); } foreach ($_COOKIE as $cookie_key => $cookie_value) { $$cookie_key = vdataLITE($_COOKIE[$cookie_key]); } foreach ($_SESSION as $session_key => $session_value) { $$session_key = vdataLITE($_SESSION[$session_key]); } }

12-17-2010, 01:22 PM	THREAD STARTER #3 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	Actually, it has returned no errors. Actually, if I were to place the foreach statements outside of the function, they'd get called more than once and through errors. Also, how the foreach statements work, if there are for example no cookies set, then no action will be performed and this statement will be skipped entirely.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)