Brain Goo » php

Quick Character Escaping in PHP

admin — Wed, 10 Oct 2007 17:48:14 +0000

When writing PHP web apps, I tend to run in to a portability issue when dealing with SQL connectivity. Since I can’t count on having the PEAR DB module available, I rolled my own set of functions to interact with a MySQL database.

The problem lies in escaping characters in your SQL queries. Do I addslashes()? Is magic_quotes_gpc enabled?

My quick-and-dirty solution is the following function:

function request_cleanup() { if(get_magic_quotes_gpc() == 0) { foreach($_REQUEST as $req_key => $req_value) { $_REQUEST[$req_key]=addslashes($_REQUEST[$req_key]); } } }

By calling that function on every page that deals with inserting content in to the database, I know will will get my content escaped correctly.

Of course it escapes all submitted content, including that which isn’t going in to the database so don’t forget to stripslashes() when you are working with data that doesn’t need it.

Example:
request_cleanup();


$notes = $_REQUEST['notes '];

$confirmation = stripslashes($_REQUEST['notes ']);
$SQL = "INSERT INTO notes (note) VALUES ('$notes')";

sql_proc($SQL);

print "Your note was: $confirmation";

Stop spam-bots in PHPBB 2.x. Cheap, easy BOT stopper

admin — Tue, 05 Jun 2007 22:21:05 +0000

WARNING! As of this writing, this information pertains to the 2.x branch of phpBB. I strongly recommend you upgrade to the latest phpBB. As of April 28, 2009 that version is 3.0.4. Please see http://phpbb.com

NOTICE: I have an updated phpBB patch for the 3.0.x version of phpBB. Please search this blog for phpBB or look at the phpbb category for more tips and tricks.

In your active template file profile_add_body.tpl find the line:

ABOVE that line, add:


   
      Are you a robot? *
       Bot buster... choose the right one.

In your forum file includes/usercp_register.php find this section of code:

   else if ( $mode == 'register' )
   {
      if ( empty($username) || empty($new_password) || empty($password_confirm) || empty($email) )
      {
         $error = TRUE;
         $error_msg .= ( ( isset($error_msg) ) ? '
' : '' ) . $lang['Fields_empty'];
      }

AFTER that part, add this:

// BOT HACK
         if ( empty($HTTP_POST_VARS['imarobot']) )
         {
            die('NO BOTS');
         }
         else
         {
            if ($HTTP_POST_VARS['imarobot'] != 'nope')
            {
               die('NO BOTS');
            }
         }
// BOT HACK

And there you go.

PHP Header injection

admin — Mon, 21 May 2007 17:43:50 +0000

I regularly shut down web sites that use the PHP mail() function. While the users of the sites mean well, they generally don’t do any checking before sending data to mail(). I’m not going to weigh in mail(). Enough has been said about it. Just remember to take your code and code security seriously.

Remember, never trust data submitted by site visitors. Sanitize the heck out of it.

Jelly and Custard has an excellent explanation of PHP Header Injection when using the PHP mail() function.

http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/

http://www.jellyandcustard.com is an excellent PHP blog.