Urgent help please (Experts)

Zubair1
Hello,
I need help on a security filter script / access logging.
A script that will filter all incoming $_POST and $_GET data. Check every variable for data manipulation, cross-site scripting vulnerabilities, SQL injection and all standard PHP vulnerabilities.
The script should output the original $_POST and $_GET arrays with malicious characters/code removed or replaced by its equivalent. The script should not die() or exit(). If malicious code is found, issue a JavaScript alert and redirect to the page where it came from, and notify the admin via email. Also, create an array for variables which shouldn't be processed by the script, which can be passed to the script in terms of global variables.
This script will be included in files.
It has to contain a routine for access logging: IP, DATE, TIME, REFERRER, URI_STRING, QUERY_STRING, GET, POST, SESSION data. Stored in a DB. Design a DB table for it.

Please help or make some sort of script and I can give the person points, about 100 $NP or maybe even 200 $NP.

Would really appreciate any help.


Regards,
 
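As an added example (not code from this thread), here is one way to implement the access-logging part of the request above: one row per request holding the client IP, a UTC timestamp, the referrer, the request URI, the query string and the GET/POST/SESSION arrays as JSON, written through a PDO prepared statement so that the very input being logged cannot inject into the log query. An in-memory SQLite database is used so it runs offline; the table name, column names, redaction list and the sample request are assumptions.

```php
<?php
// Added example, not from the thread. Table and column names are assumptions.

const ACCESS_LOG_DDL = <<<'SQL'
CREATE TABLE IF NOT EXISTS access_log (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    ip            VARCHAR(45)  NOT NULL,   -- wide enough for IPv6 text form
    logged_at     TEXT         NOT NULL,   -- UTC; DATETIME on MySQL
    referrer      TEXT,                    -- client-supplied, untrusted
    request_uri   TEXT,
    query_string  TEXT,
    get_data      TEXT,                    -- JSON
    post_data     TEXT,                    -- JSON, secrets redacted
    session_data  TEXT                     -- JSON
)
SQL;

// Keys whose values must never be written to the log (assumed list).
const REDACT_KEYS = ['password', 'passwd', 'pass', 'token', 'credit_card'];

// Replace secret-looking values, recursing into nested form arrays.
function redact(array $data): array
{
    foreach ($data as $k => $v) {
        if (in_array(strtolower((string)$k), REDACT_KEYS, true)) {
            $data[$k] = '[redacted]';
        } elseif (is_array($v)) {
            $data[$k] = redact($v);
        }
    }
    return $data;
}

// Insert one row for the current request; returns the new row id.
// Everything goes through bound parameters: a quote or "--" in the
// request is stored verbatim and cannot alter the INSERT itself.
function log_access(PDO $db, array $server, array $get, array $post, array $session): int
{
    $stmt = $db->prepare(
        'INSERT INTO access_log
            (ip, logged_at, referrer, request_uri, query_string, get_data, post_data, session_data)
         VALUES (:ip, :at, :ref, :uri, :qs, :get, :post, :sess)'
    );
    $stmt->execute([
        ':ip'   => $server['REMOTE_ADDR'] ?? '',
        ':at'   => gmdate('Y-m-d H:i:s'),
        ':ref'  => $server['HTTP_REFERER'] ?? null,
        ':uri'  => $server['REQUEST_URI'] ?? '',
        ':qs'   => $server['QUERY_STRING'] ?? '',
        ':get'  => json_encode(redact($get), JSON_UNESCAPED_SLASHES),
        ':post' => json_encode(redact($post), JSON_UNESCAPED_SLASHES),
        ':sess' => json_encode(redact($session), JSON_UNESCAPED_SLASHES),
    ]);
    return (int)$db->lastInsertId();
}

// Constructed sample request, not a real capture.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(ACCESS_LOG_DDL);

$id = log_access(
    $db,
    [
        'REMOTE_ADDR'  => '203.0.113.7',
        'HTTP_REFERER' => 'http://example.com/login',
        'REQUEST_URI'  => "/login.php?next=/admin'--",
        'QUERY_STRING' => "next=/admin'--",
    ],
    ['next' => "/admin'--"],
    ['user' => 'bob', 'password' => 'hunter2'],
    ['uid' => 42]
);
print_r($db->query('SELECT * FROM access_log')->fetch(PDO::FETCH_ASSOC));
```

On MySQL the same DDL works with `INT AUTO_INCREMENT` and `DATETIME`. The referrer and every other value in the row come from the client, so anything that later reads the log should treat them as untrusted data too. Credential-looking POST fields are redacted before the row is written, since an access log that stores passwords in clear text is itself a finding.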
Well, here's a simple script to screen the incoming $_POST and $_GET variables; I don't know what else you need:

PHP:
<?php
// Encode HTML metacharacters, trim, then backslash-escape quotes, in place.
// htmlspecialchars() without ENT_QUOTES leaves single quotes untouched, and
// addslashes() is no substitute for a DB-specific escape or prepared statements.
function screen_value($value) {
	// recurse into array fields (name="tags[]") rather than warn and return null
	return is_array($value) ? array_map('screen_value', $value)
	                        : addslashes(trim(htmlspecialchars($value)));
}
foreach ($_GET as $key => $value) {
	$_GET[$key] = screen_value($value);
}
foreach ($_POST as $key => $value) {
	$_POST[$key] = screen_value($value);
}
?>
 
SQL Injection Prevention, basic:

PHP:
// ext/mysql, and with it this function, was removed in PHP 7; on current PHP use
// mysqli_real_escape_string() or prepared statements. Both need an open connection.
mysql_real_escape_string($variable);
 
I think he's asking how to CHECK if someone is trying to "hack",

not prevent it.
 
ninedogger said:
I think he's asking how to CHECK if someone is trying to "hack",

not prevent it.

No, I am not needing it to hack.
I need it to secure my script; it will be included in the files.
I need a script to check the incoming data from the GET & POST superglobals
and check every variable for data manipulation, cross-site scripting vulnerabilities, SQL injection and all the other standard PHP vulnerabilities.

The script should output the variables with all the malicious stuff removed from them
or replaced with its equivalent.

Also, create an array for variables in the script which shouldn't be processed by the script, which can be passed to the script in terms of global variables.

Would really appreciate it if someone can do this for me.

Regards,
 
Well, to do the first part of what you wanted, just use the code I posted earlier. Somebody else who knows how can add the rest you need, because I don't.
 
aznchong91 said:
Well, to do the first part of what you wanted, just use the code I posted earlier. Somebody else who knows how can add the rest you need, because I don't.

OK, thanks aznchong91.
I am donating some $NP to your account... really appreciate the help.

Can anyone else complete this?

Regards,
 
The first object of good script design is to only handle what you expect. If your script creates / processes a form, then you know what to expect. The second object of good script design is to CAST name/value pairs so they only contain what they should. People spend too much time on testing variables when they should auto-CAST them so they don't need to worry about them during the rest of the script process!


So what I am saying...

If it's by POST then use POST; if it's by GET, use GET. If a value is an INT, cast it as INT. If a value is a STR with NO HTML, then strip it so it only contains what you want it to. If it's a STR with HTML, then encode it. If an element is missing, then create it. Afterwards, unset() all the SUPERGLOBALS to maintain smart memory usage and continue with the script process!

You can create a simple 7 or 8 line function to do this. It will save you much time, but more importantly it will make your scripts faster and much easier to manage!

John
 
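The approach described above, as an added example in PHP that is not John's code: each expected field is declared once with its source and type, undeclared request fields are ignored, missing fields get their default, ints are validated and cast, plain strings have HTML stripped, HTML strings are encoded for output, and the superglobals are emptied at the end. The function name, the rule format and the sample request are assumptions.

```php
<?php
// Added example, not code from the thread. Names and rule format are assumptions.

// Build a clean array from $_GET/$_POST according to $spec and nothing else.
// $spec: field name => ['from' => 'GET'|'POST', 'type' => 'int'|'str'|'html'|'enum',
//                       'default' => value, 'allowed' => [...] (enum only)]
function expect_input(array $spec): array
{
    $clean = [];
    foreach ($spec as $name => $rule) {
        $source = ($rule['from'] === 'GET') ? $_GET : $_POST;
        $raw    = $source[$name] ?? null;     // null when the element is missing

        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "12abc", "1e3", arrays and null,
                // so a bad or missing value falls back to the default
                $v = filter_var($raw, FILTER_VALIDATE_INT);
                $clean[$name] = ($v === false) ? $rule['default'] : $v;
                break;
            case 'str':   // text field, no HTML wanted: strip tags, trim
                $clean[$name] = is_string($raw) ? trim(strip_tags($raw)) : $rule['default'];
                break;
            case 'html':  // HTML allowed in, but encoded so it renders as text
                $clean[$name] = is_string($raw)
                    ? htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                    : $rule['default'];
                break;
            case 'enum':  // only a fixed set of values is acceptable
                $clean[$name] = in_array($raw, $rule['allowed'], true) ? $raw : $rule['default'];
                break;
            default:
                throw new InvalidArgumentException("unknown type for field $name");
        }
    }
    // Nothing else from the request should be reachable from here on. The
    // arrays are emptied rather than unset(): unset($_GET) inside a function
    // only drops the local binding.
    $_GET = $_POST = [];
    return $clean;
}

// Constructed sample request, not a real capture: "debug" is not declared
// below and is dropped; "age" is not a valid int and gets its default.
$_GET  = ['page' => '3', 'sort' => 'price', 'debug' => '1'];
$_POST = ['name' => '  <b>Bob</b> ', 'bio' => '<script>alert(1)</script>', 'age' => '12abc'];

$in = expect_input([
    'page' => ['from' => 'GET',  'type' => 'int',  'default' => 1],
    'sort' => ['from' => 'GET',  'type' => 'enum', 'allowed' => ['price', 'name'], 'default' => 'name'],
    'name' => ['from' => 'POST', 'type' => 'str',  'default' => ''],
    'bio'  => ['from' => 'POST', 'type' => 'html', 'default' => ''],
    'age'  => ['from' => 'POST', 'type' => 'int',  'default' => 0],
]);
var_dump($in);
```

Where a text field has a known shape (a username, an e-mail address, a slug), a regular expression or `filter_var()` with the matching validation filter is a tighter cast than `strip_tags()`, which only removes markup. The point of the pattern is that the rest of the script never touches `$_GET` or `$_POST` directly and only ever sees values of the declared type.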