| | THREAD STARTER #1 (permalink) |
| NamePros Regular Join Date: Mar 2005
Posts: 912
| Urgent help please (Experts)
Hello, I need help on a security filter script / access logging.
A script that will filter all incoming $_POST and $_GET data. Check every variable for data manipulation, cross site scripting vulnerabilities, SQL injection and all standard PHP vulnerabilities. Script should output original $_POST and $_GET arrays with malicious characters/code removed or replaced by its equivalent. The script should not die() or exit(). If malicious code is found, issue a JavaScript alert and redirect to the page where it came from, notify admin via email. Also, create an array for variables which shouldn't be processed by the script which can be passed to the script in terms of global variables. This script will be included in files.
It has to contain a routine for access logging: IP, DATE, TIME, REFERRER, URI_STRING, QUERY_STRING, GET, POST, SESSION data. Storing --- DB. Design DB table for it.
Please help or make a sort of script and I can give the person points, about 100 $NP or maybe even 200 $NP. Would really appreciate any help. Regards,
__________________ Live Support : Zubair11 [at] hotmail.com Free SEO Directory! || Free Online TV || Tech Blog Web Design & Web Development Services || Reliable Web Hosting |
| | #2 (permalink) |
| Senior Member Join Date: Nov 2005 Location: Hong Kong
Posts: 1,154
| well, here's a simple script to screen the incoming $_POST and $_GET variables, I don't know what else you need: PHP Code:
__________________ If you're as bored as I am, join me in Fallensword! (I swear, this game is actually pretty fun :P) |
| | #4 (permalink) |
| NamePros Regular Join Date: Jun 2004 Location: Iowa City
Posts: 705
| I think he's asking how to CHECK if someone is trying to "hack", not prevent it
__________________ formally ninedogger ------ Want to talk to a stranger? -->| Click Here | TalkToAStranger.com | <-- Meet New Friends |
| | THREAD STARTER #5 (permalink) | ||||
| NamePros Regular Join Date: Mar 2005
Posts: 912
| I need it to secure my script; it will be included in the files. I need a script to check for incoming data by GET & POST super globals and check for every variable data manipulation, cross site scripting vulnerabilities, SQL injections and all the other standard PHP vulnerabilities. The script should output the variables, removing all the malicious stuff from it or replacing it with its equivalent. Also, create an array for variables in the script which shouldn't be processed by the script which can be passed to the script in terms of global variables. Would really appreciate it if someone can do this for me. Regards,
| | #6 (permalink) |
| Senior Member Join Date: Nov 2005 Location: Hong Kong
Posts: 1,154
| well, to do the first part of what you wanted, just use the code I posted earlier. Somebody else that knows how can add the rest you need, because I don't.
| | THREAD STARTER #7 (permalink) | ||||
| NamePros Regular Join Date: Mar 2005
Posts: 912
| I am donating some $np's to your account... really appreciate the help. Can anyone else complete this? Regards,
| | #8 (permalink) |
| New Member Join Date: Dec 2005
Posts: 3
| The first object of good script design is to only handle what you expect. If your script creates / processes a form, then you know what to expect.
The second object of good script design is to CAST name value pairs so they only contain what they should. People spend too much time on testing variables when they should auto CAST them so they don't need to worry about them during the rest of the script process!
So what I am saying... If it's by POST then use POST, if it's by GET use GET, if a value is INT, cast as INT, if a value is a STR, NO HTML, then strip it so it only contains what you want it to. If it's a STR, HTML then encode it. If an element is missing then create it. Afterwards, unset() all the SUPER GLOBALS to maintain smart memory usage and continue with the script process!
You can create a simple 7 or 8 line function to do this, it will save you much time but more importantly it will make your scripts faster and much easier to manage!
John |
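
The approach described in post #8, as an added example that is not part of the original thread: a schema lists each expected field, whether it arrives by GET or POST, and how it is cast, and anything outside the schema is never copied. The field names, the `$schema` layout and the `cast_input` helper are hypothetical.

```php
<?php
// Added example: schema-driven input casting (all names are hypothetical).
// Each expected field declares its source, its type and a default value.
$schema = [
    'id'      => ['src' => 'GET',  'type' => 'int',   'default' => 0],
    'name'    => ['src' => 'POST', 'type' => 'plain', 'default' => ''],
    'comment' => ['src' => 'POST', 'type' => 'html',  'default' => ''],
];

function cast_input(array $schema, array $get, array $post): array
{
    $clean = [];
    foreach ($schema as $field => $rule) {
        $source = $rule['src'] === 'POST' ? $post : $get;
        $raw = $source[$field] ?? null;
        // Missing fields and array-valued input (e.g. ?id[]=1) get the default.
        if (!is_string($raw)) {
            $clean[$field] = $rule['default'];
            continue;
        }
        switch ($rule['type']) {
            case 'int':
                // Validation instead of a bare (int) cast: malformed input
                // falls back to the default rather than a partial number.
                $int = filter_var($raw, FILTER_VALIDATE_INT);
                $clean[$field] = $int === false ? $rule['default'] : $int;
                break;
            case 'plain':   // string, no HTML allowed: strip the tags
                $clean[$field] = trim(strip_tags($raw));
                break;
            case 'html':    // string that may hold markup: encode for output
                $clean[$field] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
                break;
            default:        // unknown type in the schema: use the default
                $clean[$field] = $rule['default'];
        }
    }
    return $clean;
}

// Constructed sample request, standing in for $_GET and $_POST.
$get  = ['id' => '42 OR 1=1', 'debug' => '1'];
$post = ['name' => '<b>Ann</b>', 'comment' => '<script>alert(1)</script>'];

var_dump(cast_input($schema, $get, $post));
```

The encoding step here targets HTML output only; values that later go into a SQL query still belong in prepared-statement parameters.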