What do you think? - next-studio|TheKiller - 04.07.2012
Well, I have started a small project: a small class which allows the user to control a MySQL database (in PHP) with fewer commands and on a secured system.
I had this idea because a lot of users on this forum are victims of SQL injection in PHP (the people who do not know about it).
So I've thought of creating a PHP class which allows you to manage MySQL normally, but in another way.
For example, if you want to connect to the MySQL database, you need to do:
PHP code:
$db = mysql_connect($host, $user, $pass);
mysql_select_db($database, $db);
With this script, you just need to do:
PHP code:
require "mysql_class.php";
$mysql = new mysql($host, $user, $pass, $database);
For example, to log in a user, the normal script requires:
PHP code:
$db = mysql_connect($host, $user, $pass);
mysql_select_db($database, $db);
$user = mysql_real_escape_string($variableuser);
$pass = mysql_real_escape_string($variablepass);
$login = mysql_query("SELECT * from users WHERE username = '$user' AND pass = '$pass'", $db);
if(mysql_num_rows($login) == 1)
{
//continue the login
}
else {
// show the error message
}
With this class, you just need to do:
PHP code:
require "mysql_class.php";
$mysql = new mysql($host, $user, $pass, $database);
$login = $mysql->query("SELECT * FROM users WHERE username = '$user' AND pass = '$pass'");
if($mysql->NumRows($login) == 1)
{
// login the user
}
else {
// error message
}
You don't need to use mysql_real_escape_string, since the query will take the $variables and escape them.
This will speed up some scripts considerably, with fewer lines of scripting.
This is more like an "anti-cheat" system and a "hack" at the same time: an anti-cheat system because it protects against SQL injection, and a hack because you need to script less for more.
I would like to know what you think about this, because I really don't want to be scripting the whole week + weekend to get this class done.
Thanks!
Re: What do you think? - Jstylezzz - 04.07.2012
Nice work, I think this is a safe way to do everything, and coding will go faster.
If you use this system in all the panels and things you make, it will be very safe.
Nice work
Re: What do you think? - ca2k - 05.07.2012
Yeah, totally. Just do it properly.

Here's something to start with:
PHP code:
//#^^ Input Cleaning Function ^^#//
/*
Cleans raw input. If a link id is supplied the data will be
prepped for DB entry; if the Save option is set to true, HTML
will be converted rather than removed.
ACCEPTS: [VALUE] = string, [LINK] = db connection id, [SAVE] = bool
RETURNS: Clean user input
*/
private function Sanitize($value, $link = null, $save = false)
{
    if ($link != null && $save) {
        // Convert tags to HTML entities first, then strip anything remaining
        $value = strip_tags(htmlentities($value, ENT_QUOTES));
    } else {
        // Strip code tags out, then convert the remaining special chars
        $value = htmlentities(strip_tags($value), ENT_QUOTES);
    }
    // If sending to a DB, clean up for the query: the PHP manual recommends
    // this function for any value being entered into a database
    if ($link != null) {
        $value = mysql_real_escape_string($value, $link);
    }
    return $value;
}
There's some other basic stuff that people shouldn't forget, for example the .htaccess file. I forgot it once and someone gained access by simply checking the config; thank God I had a different password for FTP and the project was in beta.
Re: What do you think? - next-studio|TheKiller - 05.07.2012
Quote:
Originally Posted by ca2k
Yeah, totally. Just do it properly. 
Here's something to start with:
PHP code:
//#^^ Input Cleaning Function ^^#//
/*
Cleans raw input. If a link id is supplied the data will be
prepped for DB entry; if the Save option is set to true, HTML
will be converted rather than removed.
ACCEPTS: [VALUE] = string, [LINK] = db connection id, [SAVE] = bool
RETURNS: Clean user input
*/
private function Sanitize($value, $link = null, $save = false)
{
    if ($link != null && $save) {
        // Convert tags to HTML entities first, then strip anything remaining
        $value = strip_tags(htmlentities($value, ENT_QUOTES));
    } else {
        // Strip code tags out, then convert the remaining special chars
        $value = htmlentities(strip_tags($value), ENT_QUOTES);
    }
    // If sending to a DB, clean up for the query: the PHP manual recommends
    // this function for any value being entered into a database
    if ($link != null) {
        $value = mysql_real_escape_string($value, $link);
    }
    return $value;
}
There's some other basic stuff that people shouldn't forget, for example the .htaccess file. I forgot it once and someone gained access by simply checking the config; thank God I had a different password for FTP and the project was in beta.
I should use this function and edit it a little bit to be compatible with the system itself.
Well, thanks for the tip ^^,
And I've been doing the escape system in the function; I'll create a private one, which offers more security for the code: all code is escaped before being inserted into the MySQL database.
Anyway, thanks to the people who are supporting this "system"!
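Added example, not code from this thread or from the class TheKiller is writing. The wrapper described in the first post and again in the reply above cannot do what it promises: in `$mysql->query("... username = '$user' AND pass = '$pass'")` PHP interpolates `$user` and `$pass` into the string before `query()` is ever called, so the class receives plain SQL text and has no way to tell which characters were data. The same limit applies to ca2k's `Sanitize()`: `mysql_real_escape_string` only helps on values you escape before building the query, and `strip_tags`/`htmlentities` are output encoding for HTML, not something to apply before storage (they change a username like `O'Brien` and alter a password before it is hashed). The block below keeps the goal of the thread (short calls, nothing to escape by hand) using PDO prepared statements with bound parameters, which also avoids the `mysql_*` extension that was removed in PHP 7. It runs offline against an in-memory SQLite database, an assumption made for the demo; against MySQL only the DSN and credentials change. The `Db` class, the `users(username, pass)` fixture and the `admin' -- ` payload are constructed for the example.

```php
<?php
// Added example (not the class from the thread): a small wrapper that gives the
// short calls the poster wants, but binds values instead of splicing them into SQL.
// Assumption: pdo_sqlite is available. For MySQL use e.g.
//   new Db("mysql:host=$host;dbname=$database", $user, $pass)

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }

    /** Run a SELECT with ? placeholders; $params are bound, never part of the SQL text. */
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Run a statement that does not return rows (DDL, INSERT, UPDATE). */
    public function exec(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }

    /** The thread's pattern: values are already inside $sql when this method runs,
     *  so no escaping done here can separate data from SQL. Kept only to show the bug. */
    public function unsafeQuery(string $sql): array
    {
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Login: bind the username, then verify the password hash in PHP, not in SQL.
     *  The thread compares a plaintext `pass` column; this stores a password_hash() digest. */
    public function login(string $username, string $password): bool
    {
        $rows = $this->query('SELECT pass FROM users WHERE username = ?', [$username]);
        return count($rows) === 1 && password_verify($password, $rows[0]['pass']);
    }
}

// Constructed fixture: the thread's users(username, pass) table with one account.
$db = new Db('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->exec('INSERT INTO users (username, pass) VALUES (?, ?)',
          ['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attacker input: "-- " starts a comment in both SQLite and MySQL,
// so everything after the username check is discarded by the database.
$user = "admin' -- ";
$pass = 'wrong';

// 1. Interpolated, as in the thread. The WHERE clause the database sees is
//      username = 'admin' -- ' AND pass = 'wrong'
//    i.e. the password comparison has been commented out.
$rows = $db->unsafeQuery("SELECT * FROM users WHERE username = '$user' AND pass = '$pass'");
printf("interpolated query: %d row(s) -> %s\n", count($rows), $rows ? 'LOGIN BYPASSED' : 'denied');

// 2. Same input through bound parameters: the quote and the comment marker are
//    just characters in a username that does not exist.
$rows = $db->query('SELECT * FROM users WHERE username = ? AND pass = ?', [$user, $pass]);
printf("prepared statement: %d row(s) -> %s\n", count($rows), $rows ? 'LOGIN BYPASSED' : 'denied');

// 3. The login helper with real and with injected credentials.
printf("login('admin', 'correct horse'): %s\n", $db->login('admin', 'correct horse') ? 'ok' : 'denied');
printf("login(injected, 'wrong'):        %s\n", $db->login($user, $pass) ? 'ok' : 'denied');
```

Run it with `php example.php`. The interpolated query returns the admin row for the injected username because the `-- ` comments out the password check, while the bound version finds no such user; `login()` never puts the password into SQL at all, it fetches the stored `password_hash()` digest and checks it with `password_verify()`. HTML encoding (`htmlspecialchars`) belongs at the point where a value is printed into a page, not in the database layer, so the class above deliberately does none of it.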