vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Create Secure Mods (https://vborg.vbsupport.ru/showthread.php?t=154411)

mihai11 08-07-2007 02:33 PM

Quote:

Originally Posted by Andreas (Post 1311962)
Addition: Use fetch_query_sql() whenever it makes sense.

This looks like a function for reading from the database. I assume that once the data is there, it can be trusted. Does this function have any security implications? (After all, this is the theme of this article.)

Andreas 08-07-2007 02:41 PM

Quote:

I assume that once the data is there, it can be trusted.
Wrong assumption.

Example: A post that contains
Quote:

<script type="text/javascript">
alert('XSS!');
</script>
Now, if you parse this text or run htmlspecialchars_uni() on it, you are safe.
However, if you just read pagetext from table post and output it, then you have just created an XSS issue.

Quote:

Originally Posted by vBulletin functions.php
PHP Code:

/**
* Returns an UPDATE or INSERT query string for use in big queries with loads of fields...
*
* @param    array    Array of fieldname = value pairs - array('userid' => 21, 'username' => 'John Doe')
* @param    string    Name of the table into which the data should be saved
* @param    string    SQL condition to add to the query string
* @param    array    Array of field names that should be ignored from the $queryvalues array
*
* @return    string
*/

As you can see, it runs escape_string() automatically

Adrian Schneider 08-08-2007 12:20 AM

fetch_query_sql() was what I meant by automation, though I actually use my own function that combines the $db->query_write() call and the fetch_query_sql.

Thanks for pointing that out - I'll add it in later.

mihai11 08-08-2007 02:02 AM

Quote:

Originally Posted by Andreas (Post 1311973)
Wrong assumption.

Example: A post that contains

Now, if you parse this text or run htmlspecialchars_uni() on it, you are safe.
However, if you just read pagetext from table post and output it, then you have just created an XSS issue.


As you can see, it runs escape_string() automatically

But you should escape data *before* entering the database. You should make sure that whatever enters the database is clean. The reason is that usually the data is put into the database once and read many times thus it is better to do all validations when putting the data into the database and not when reading it.

Adrian Schneider 08-08-2007 02:14 AM

XSS and SQL injection are two different vulnerabilities.

Escaping it will avoid injection, but the XSS threat still remains unless you TYPE_NOHTML or htmlspecialchars_uni() before displaying it.
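The distinction Andreas and Adrian draw above, as an added example that is not from the thread or from vBulletin: build_insert() and fake_escape_string() are constructed stand-ins for fetch_query_sql() and $db->escape_string(), and the sample post text is made up.

```php
<?php
// Added example (not vBulletin code): SQL escaping and HTML escaping are
// separate steps. fake_escape_string() and build_insert() are constructed
// stand-ins for $db->escape_string() and fetch_query_sql().

// Stand-in for escape_string(): neutralises quotes and backslashes so the
// value cannot terminate the SQL string literal it is placed in.
function fake_escape_string(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
    ]);
}

// Builds an INSERT from fieldname => value pairs, escaping every value,
// in the spirit of fetch_query_sql() (this is not that function).
function build_insert(array $values, string $table): string
{
    $fields = [];
    $vals = [];
    foreach ($values as $field => $value) {
        $fields[] = $field;
        $vals[] = "'" . fake_escape_string((string) $value) . "'";
    }
    return "INSERT INTO $table (" . implode(', ', $fields) . ")"
         . " VALUES (" . implode(', ', $vals) . ")";
}

// Constructed sample post: the <script> from Andreas's example plus an
// apostrophe that would break out of the SQL literal if left unescaped.
$pagetext = "it's <script type=\"text/javascript\">alert('XSS!');</script>";

// 1. Storage: escaping makes the value safe as SQL *data*...
echo build_insert(['userid' => 21, 'pagetext' => $pagetext], 'post'), "\n";

// 2. ...but the stored value still contains the raw <script> tag. Echoing
// pagetext straight back into the page is the XSS issue Andreas describes.
$unsafe_html = $pagetext; // "just read pagetext from table post and output it"
echo "unsafe:  $unsafe_html\n";

// 3. The fix belongs at output (or, as mihai11 suggests, once before
// storage): htmlspecialchars() turns < > " ' into entities so the browser
// renders text, not markup. vBulletin's htmlspecialchars_uni() fills
// the same role in a mod.
$safe_html = htmlspecialchars($pagetext, ENT_QUOTES, 'UTF-8');
echo "escaped: $safe_html\n";
```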

mihai11 08-08-2007 02:18 AM

Quote:

Originally Posted by SirAdrian (Post 1312381)
XSS and SQL injection are two different vulnerabilities.

Escaping it will avoid injection, but the XSS threat still remains unless you TYPE_NOHTML or htmlspecialchars_uni() before displaying it.

But what if I run "htmlspecialchars_uni()" before putting the data in the database?

Adrian Schneider 08-08-2007 02:19 AM

That's fine, then.

Antivirus 08-11-2007 11:02 PM

Very helpful SirAdrian, thank you. So it seems as if it should be a standard practice to use $db->sql_prepare() as opposed to $db->escape_string() since the former seems to do a bit more "cleaning" of the user input. Are there any instances where this might not be the case? I ask this because I tend to see $db->escape_string() more frequently than $db->sql_prepare() in vb code (default and mods). Or is one no better than the other?

Adrian Schneider 08-11-2007 11:32 PM

They do different things.

sql_prepare basically checks the data type, and adds quotes/escapes it if necessary. escape_string just escapes it.
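The difference Adrian describes, as an added example that is not from the thread or from vBulletin: prepare_value() and plain_escape() are constructed stand-ins for $db->sql_prepare() and $db->escape_string(), and the inputs are made up.

```php
<?php
// Added example (not vBulletin code): a type-aware "prepare" versus a
// bare "escape". prepare_value() and plain_escape() are constructed
// stand-ins for $db->sql_prepare() and $db->escape_string().

function plain_escape(string $value): string
{
    // escape_string-style: only escapes; the caller must add the quotes.
    return strtr($value, ["\\" => "\\\\", "'" => "\\'", "\0" => "\\0"]);
}

function prepare_value($value): string
{
    // sql_prepare-style: inspect the type, then quote and escape as needed.
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;            // numeric literal: no quotes
    }
    return "'" . plain_escape((string) $value) . "'";
}

// Constructed inputs: normal values plus one that only looks like a number.
$inputs = [21, 3.5, true, null, "O'Brien", "1 OR 1=1"];

foreach ($inputs as $in) {
    // With escape_string alone the developer must remember the quotes.
    // Forgetting them around a string such as "1 OR 1=1" leaves the
    // condition injectable even though the value was "escaped".
    $forgot   = "SELECT * FROM user WHERE userid = " . plain_escape((string) $in);
    // The prepare-style helper decides the quoting from the PHP type, so
    // a string is always emitted as a quoted literal.
    $prepared = "SELECT * FROM user WHERE userid = " . prepare_value($in);
    echo "escape only: $forgot\nprepared:    $prepared\n\n";
}
```

Whichever helper a mod uses, the query is only safe when the quoting decision and the escaping happen together; that is the extra work sql_prepare() does for you.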

EnIgMa1234 08-11-2007 11:57 PM

Why is it necessary to clean admincp code?
