Adding security to really crappy scripts.

Ok, you have a set of scripts that have NO data validation. Place this at the beginning of each script. The first snippet is for scripts that do not require Register_Globals.

PHP:
if (!function_exists('vdataLite')) {
	// Undo magic quotes, then neutralise HTML/script content in non-numeric values.
	function vdataLite($value) {
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		if (!is_numeric($value)) {
			// Case-sensitive literal blacklist, applied before tag stripping and entity encoding.
			$search = array('javascript:',
			                'document.location',
			                'vbscript:',
			                '?php');
			$value = str_replace($search, '', $value);
			$value = htmlentities(strip_tags(trim($value)));
		}
		return $value;
	}
}

// Sanitise every request value in place.
foreach ($_GET as $get_key => $get_value) {
	$_GET[$get_key] = vdataLite($_GET[$get_key]);
}
foreach ($_POST as $post_key => $post_value) {
	$_POST[$post_key] = vdataLite($_POST[$post_key]);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
	$_COOKIE[$cookie_key] = vdataLite($_COOKIE[$cookie_key]);
}
// $_SESSION only exists after session_start(); skip it otherwise.
if (isset($_SESSION)) {
	foreach ($_SESSION as $session_key => $session_value) {
		$_SESSION[$session_key] = vdataLite($_SESSION[$session_key]);
	}
}

This is for scripts that DO require Register_Globals, and by using this snippet you can now KILL Register_Globals!

PHP:
if (!function_exists('vdataLite')) {
	// Undo magic quotes, then neutralise HTML/script content in non-numeric values.
	function vdataLite($value) {
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		if (!is_numeric($value)) {
			// Case-sensitive literal blacklist, applied before tag stripping and entity encoding.
			$search = array('javascript:',
			                'document.location',
			                'vbscript:',
			                '?php');
			$value = str_replace($search, '', $value);
			$value = htmlentities(strip_tags(trim($value)));
		}
		return $value;
	}
}

// Emulate register_globals: create a variable named after each request key ($$key)
// holding the sanitised value.
foreach ($_GET as $get_key => $get_value) {
	$$get_key = vdataLite($_GET[$get_key]);
}
foreach ($_POST as $post_key => $post_value) {
	$$post_key = vdataLite($_POST[$post_key]);
}
foreach ($_COOKIE as $cookie_key => $cookie_value) {
	$$cookie_key = vdataLite($_COOKIE[$cookie_key]);
}
// $_SESSION only exists after session_start(); skip it otherwise.
if (isset($_SESSION)) {
	foreach ($_SESSION as $session_key => $session_value) {
		$$session_key = vdataLite($_SESSION[$session_key]);
	}
}

This code prevents cross-site scripting and whatnot, but does NOT prevent SQL injections. You will need to call mysql_real_escape_string() for each variable before inserting into SQL. These do mimic Register_Globals, but also secure your stuff.
The views expressed on this page by users and staff are their own, not those of NamePros.
Hey, I know this thread is old but it's on the first page and has a slight error, from reviewing it quickly, that I wanted to point out in case anyone wanted to use it. The writer only creates the function vdataLite if the function vdataLite is not already created (so it doesn't interfere with other scripts). Well, if vdataLite already exists then it won't create the new function and the 4 foreach loops will most likely return errors or mess something up. So here are some fixes:

Script that does not require Register_Globals:
PHP:
if (!function_exists('vdataLite')) {
    // Undo magic quotes, then neutralise HTML/script content in non-numeric values.
    function vdataLite($value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            // Case-sensitive literal blacklist, applied before tag stripping and entity encoding.
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }

    // The loops sit inside the guard, so they run only the first time this file is included.
    foreach ($_GET as $get_key => $get_value) {
        $_GET[$get_key] = vdataLite($_GET[$get_key]);
    }
    foreach ($_POST as $post_key => $post_value) {
        $_POST[$post_key] = vdataLite($_POST[$post_key]);
    }
    foreach ($_COOKIE as $cookie_key => $cookie_value) {
        $_COOKIE[$cookie_key] = vdataLite($_COOKIE[$cookie_key]);
    }
    // $_SESSION only exists after session_start(); skip it otherwise.
    if (isset($_SESSION)) {
        foreach ($_SESSION as $session_key => $session_value) {
            $_SESSION[$session_key] = vdataLite($_SESSION[$session_key]);
        }
    }

}

Or scripts that DO require Register_Globals:
PHP:
if (!function_exists('vdataLite')) {
    // Undo magic quotes, then neutralise HTML/script content in non-numeric values.
    function vdataLite($value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            // Case-sensitive literal blacklist, applied before tag stripping and entity encoding.
            $search = array('javascript:',
                            'document.location',
                            'vbscript:',
                            '?php');
            $value = str_replace($search, '', $value);
            $value = htmlentities(strip_tags(trim($value)));
        }
        return $value;
    }

    // Emulate register_globals ($$key); the loops sit inside the guard, so they run
    // only the first time this file is included.
    foreach ($_GET as $get_key => $get_value) {
        $$get_key = vdataLite($_GET[$get_key]);
    }
    foreach ($_POST as $post_key => $post_value) {
        $$post_key = vdataLite($_POST[$post_key]);
    }
    foreach ($_COOKIE as $cookie_key => $cookie_value) {
        $$cookie_key = vdataLite($_COOKIE[$cookie_key]);
    }
    // $_SESSION only exists after session_start(); skip it otherwise.
    if (isset($_SESSION)) {
        foreach ($_SESSION as $session_key => $session_value) {
            $$session_key = vdataLite($_SESSION[$session_key]);
        }
    }

}
Actually, it has returned no errors. Actually, if I were to place the foreach statements outside of the function, they'd get called more than once and throw errors. Also, how the foreach statements work, if there are for example no cookies set, then no action will be performed and this statement will be skipped entirely.
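As an added example (not code from the thread or any of its posters), the block below re-implements the first post's filter under the assumed name sanitiseForHtml(), wraps the request loops in an assumed sanitiseRequestOnce() that runs only once per process (the effect the second and third posts get by placing the loops inside the function_exists() block), and then shows on a constructed request why the first post says the filter does not stop SQL injection. It uses PDO with an in-memory SQLite database instead of the mysql_* functions so it runs offline; get_magic_quotes_gpc() was removed in PHP 8, so that step is left out.

```php
<?php
// Added example, not the thread's code. Same filtering logic as the thread's
// vdataLite(), renamed to avoid clashing with it, plus array handling for
// nested input such as a[]=1&a[]=2 (the thread's version would fail on those).
function sanitiseForHtml($value) {
    if (is_array($value)) {
        return array_map('sanitiseForHtml', $value);
    }
    if (is_numeric($value)) {
        return $value;
    }
    // Same blacklist as the thread; note str_replace() is case-sensitive.
    $search = array('javascript:', 'document.location', 'vbscript:', '?php');
    $value  = str_replace($search, '', $value);
    return htmlentities(strip_tags(trim($value)), ENT_QUOTES, 'UTF-8');
}

// Sanitise a request array in place, but only once per process. Running the
// loops a second time would re-encode '&amp;' as '&amp;amp;'; the static flag
// plays the role of the reply's function_exists() guard around the loops.
function sanitiseRequestOnce(array &$request) {
    static $done = false;
    if ($done) {
        return false;   // already sanitised in this process
    }
    foreach ($request as $key => $value) {
        $request[$key] = sanitiseForHtml($value);
    }
    $done = true;
    return true;
}

// Constructed request values standing in for $_GET.
$get = array(
    'name' => "  <b>Bob</b> & Co ",
    'link' => "<a href=\"javascript:alert(1)\">x</a>",
    'tags' => array('<i>a</i>', 'b'),
    'id'   => "7 OR 1=1",
);
sanitiseRequestOnce($get);   // filters every value
sanitiseRequestOnce($get);   // no-op, so nothing is double-encoded
print_r($get);

// SQL: the 'id' value carries no tags or entities, so the HTML filter returns it
// unchanged. Sanitising for HTML is not a SQL defence.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (7, 'bob')");

// Unsafe: string concatenation, the situation the first post warns about.
$unsafe = $db->query("SELECT name FROM users WHERE id = " . $get['id'])
              ->fetchAll(PDO::FETCH_COLUMN);

// Safe: bind the value as data; the prepared statement replaces the
// per-variable mysql_real_escape_string() call the first post recommends.
$stmt = $db->prepare("SELECT name FROM users WHERE id = :id");
$stmt->execute(array(':id' => $get['id']));
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated query returned %d row(s), parameterised query returned %d row(s)\n",
       count($unsafe), count($safe));
```

Run it with php on the command line. The concatenated query returns both rows because the filtered id is still "7 OR 1=1", while the bound parameter is compared as data and matches no row. The second sanitiseRequestOnce() call is deliberate: it returns false and leaves the array alone, whereas re-running the loops would turn "&amp;" into "&amp;amp;". The example keeps values inside the array rather than creating $$key variables; the variable-variable form in the first post still lets any request key overwrite a variable the script already uses, which is the hazard register_globals had in the first place.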