vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Sanitizing cookies? (https://vborg.vbsupport.ru/showthread.php?t=263716)

woostar 05-16-2011 12:01 PM

Sanitizing cookies?
 
Does vB have a built in function/class to sanitize cookies before storing to database?

Example:
Code:

$userdata->set('userVar', $_COOKIE[COOKIE_PREFIX . 'userVar']);
Or does $userdata->set do that?

Disasterpiece 05-16-2011 12:10 PM

You have to sanitize it yourself.

If it's a number, you can simply use:
PHP Code:

$userdata->set('userVar', (int)$_COOKIE[COOKIE_PREFIX . 'userVar']);

Otherwise I suggest either replacing malicious strings or (better) using a strict regex to check that it only contains values that you expect.
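Both of the checks Disasterpiece describes, as an added example that is not code from the thread or from vBulletin: an `(int)` cast for numeric cookies and a strict whitelist regex for string cookies, with a default for anything that does not match. `$_COOKIE` is filled with constructed (tampered) values so the script runs on its own; the `COOKIE_PREFIX` value, the helper names `cookie_int` and `cookie_token`, and the patterns are assumptions for the demo.

```php
<?php
// Added example, not from the thread or vBulletin's own code.
if (!defined('COOKIE_PREFIX')) {
    define('COOKIE_PREFIX', 'bb'); // assumed prefix for the demo
}

// Constructed cookie jar: two tampered values and one expected one.
$_COOKIE = [
    COOKIE_PREFIX . 'userVar' => "42' OR 1=1 --",         // tampered "number"
    COOKIE_PREFIX . 'theme'   => 'dark',                   // value we expect
    COOKIE_PREFIX . 'lang'    => "en'; DROP TABLE user --", // tampered string
];

// Numeric cookie: the cast keeps only the leading digits, so whatever the
// client appended can never reach the query. "42' OR 1=1 --" becomes 42.
function cookie_int(string $name, int $default = 0): int
{
    $raw = $_COOKIE[COOKIE_PREFIX . $name] ?? null;
    return is_string($raw) ? (int) $raw : $default;
}

// String cookie: accept the value only if the whole string matches the
// whitelist pattern; quotes, semicolons, NUL bytes or overlong input fall
// back to $default. \z (not $) is used so a trailing newline cannot slip past.
// is_string() matters because "name[]=x" cookies arrive as arrays.
function cookie_token(string $name, string $pattern, string $default): string
{
    $raw = $_COOKIE[COOKIE_PREFIX . $name] ?? null;
    if (!is_string($raw) || preg_match($pattern, $raw) !== 1) {
        return $default;
    }
    return $raw;
}

$userVar = cookie_int('userVar');                                   // 42
$theme   = cookie_token('theme', '/^[a-z]{1,16}\z/', 'default');    // "dark"
$lang    = cookie_token('lang', '/^[a-z]{2}(-[A-Z]{2})?\z/', 'en');  // "en": tampered value rejected

var_dump($userVar, $theme, $lang);
// The validated values are what you would then hand to $userdata->set(),
// as in the thread: $userdata->set('userVar', $userVar);
```

The regex approach rejects rather than repairs: a cookie that fails the pattern is replaced by a known-good default, which is simpler to reason about than trying to strip "bad" characters out of it.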

woostar 05-16-2011 12:34 PM

Thanks Disasterpiece :)

While waiting for a reply I've been searching about.

Being that cookies can be manipulated (regardless of what I originally set them to) I want to make sure I'm not open to any MySQL injections.

If I'm reading things right, the following should work?
PHP Code:

$vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'userVar', TYPE_STR);
$userdata->set('userVar', $vbulletin->GPC[COOKIE_PREFIX . 'userVar']);

Right?

--------------- Added [DATE]1305554055[/DATE] at [TIME]1305554055[/TIME] ---------------

Or maybe:
PHP Code:

$userVar = $db->escape_string(trim($userVar));
$userdata->set('userVar', $userVar);

?

kh99 05-16-2011 01:36 PM

I think the first code you had was fine, because the data manager escapes the string before including it in a query. In fact it looks like it also calls clean() on it, so you probably wouldn't even have to do that.

I think you still should consider what you do with the string when you get it back from the database, because although it was escaped to make it safe in a query, it hasn't necessarily been made safe for any purpose.

Disasterpiece 05-16-2011 05:26 PM

As long as you put it only into a query, it's fine, because the only danger you have with a string in a query is control chars and quotes.
However, don't ever put this poorly sanitized string into an eval, otherwise you get hacked. Because then there is much more sanitizing necessary than only for queries.

Open includes/class_core.php, search for the gpc class and see for yourself what gets masked and how the string gets sanitized, so that you KNOW what happens.
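kh99's and Disasterpiece's point in the last two posts, as an added example that is not code from the thread or from vBulletin: a value that has been escaped or bound for SQL is inert inside the query, comes back out of the database byte-for-byte, and is then only as safe as the next sink you put it in. The example uses an in-memory SQLite database through PDO (assumed: the `pdo_sqlite` extension is available) in place of vB's `$db`, a constructed cookie value, and the hypothetical helper names `render_unsafe` and `render_html`.

```php
<?php
// Added example, not from the thread or vBulletin's own code.
// Constructed cookie value: a quote and comment marker aimed at SQL,
// plus a script tag aimed at whatever page later prints the value.
$cookieValue = "<script>alert(document.cookie)</script>'; --";

$db = new PDO('sqlite::memory:'); // stand-in for vB's $db (assumption)
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, uservar TEXT)');

// 1. Into the query: binding (or, in vB, $db->escape_string) neutralises the
//    quote and the "--", so the row is stored exactly as sent; no injection.
$stmt = $db->prepare('INSERT INTO user (userid, uservar) VALUES (:id, :v)');
$stmt->execute([':id' => 1, ':v' => $cookieValue]);

// For comparison, what a quoting escaper does to the string: the quote is
// handled for SQL, but "<" and ">" are untouched, because they are harmless there.
$quotedForSql = $db->quote($cookieValue);
echo $quotedForSql, PHP_EOL;

// 2. Back out of the database: the stored string is identical to the input.
$stored = $db->query('SELECT uservar FROM user WHERE userid = 1')->fetchColumn();
assert($stored === $cookieValue);

// 3. Into an HTML page: the same string is now script unless it is encoded
//    for *this* sink. Each output context needs its own encoder.
function render_unsafe(string $v): string
{
    return "<span>$v</span>"; // the script tag reaches the browser
}

function render_html(string $v): string
{
    // &lt;script&gt;... is rendered as text, not executed
    return '<span>' . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
}

echo render_unsafe($stored), PHP_EOL;
echo render_html($stored), PHP_EOL;

// 4. Into eval(): no escaper turns attacker-controlled text into a safe PHP
//    expression. The only fix is to never pass such a string to eval() at all,
//    which is Disasterpiece's warning above.
```

The takeaway from the thread, spelled out by the four steps: SQL escaping protects the query, and only the query. Reading the value back and handing it to HTML, a shell, or `eval()` is a new sink with its own rules, so validate on the way in (whitelist) and encode on the way out for the specific context.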



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
