The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Create Secure Mods
In this post we'll go over some basic modification vulnerabilities and how to prevent them. Preparing Data Whenever you accept input from a user, you must understand that you have no control over what is entered, period. The short version is that anything client-side can be manipulated. Even if you use Javascript or HTML limitations, they can all easily be avoided. This input includes but is not limited to:
Use the vBulletin Input Cleaner! I'm going to assume you know how to use it, even though sometimes you choose not to use it. If not, dig up a tutorial on it. A common example is fetching a row from a table using an ID in the query string. I often see this: PHP Code:
Here is what you should use... PHP Code:
PHP Code:
HTML Code:
<select name="meal"> <option value="1">Breakfast</option> <option value="2">Lunch</option> <option value="3">Dinner</option> </select> PHP Code:
PHP Code:
Point: ensure the data you expect is what you expect. If it's not, do not let them continue. False data can do a number of things of varying damage:
What is SQL injection? It's when your script does not properly clean user input, and they can actually manipulate the query using the input value. Example, A script to update a user's email address. Here is the query: Code:
UPDATE user SET email = '$value' WHERE userid = 1; Code:
my@email.com', username = 'HAHA', password = ''# Code:
UPDATE user SET email = 'my@email.com', username = 'HAHA', password = ''#' WHERE userid = 1; Code:
UPDATE user SET email = 'my@email.com', username = 'HAHA', password = '';
Preventing Injection It is very easy to prevent injection. Generally, users either input text (string) or a number (int/float). For the latter, they should already be safe assuming you used the input cleaner as suggested. For strings, however, you must use the $db->escape_string() function. What does this do? In a standard MySQL setup, it's just a wrapper for mysql_real_escape_string which in simpliest terms, prepends a backslash to any characters which may alter query. Remember to use $db->escape_string() instead of the actual function, because not every board runs MySQL! Automation I highly recommend using a function to generate queries. This is how the datamanager works, and also many of my own private hacks. How does this make it more secure? - by not relying on the coder to escape it. If you do so, you can wrap each value in the $db->sql_prepare() function, which makes it SQL safe. Here is what the function does to...
XSS (Cross Site Scripting) Cross site scripting is when a user injects HTML into any text that he posts, and in that HTML uses Javascript to communicate with his own server. What can this do? He can steal your cookie information and take over your online identity. Imagine someone doing this to an administrative account. Uh oh! Like SQL injection, XSS is actually very easy to prevent. You have two options: 1) Use TYPE_NOHTML instead of TYPE_STR when accepting string input.This has a few (minor) downsides. If you want to allow searching, or for any other reason want to retain the exact information the user enters. The alternative, is 2) Clean it using htmlspecialchars_uni() when displaying the text. This is where it gets tricky. If you display it all over the place, it can be difficult to remember to clean it every time. So what does this do exactly? Any HTML characters, such as "<", ">", and "&" are parsed as HTML, so if you convert them to their entity form ("<", ">", "&", the browser knows to display that character, and not parse it as HTML. Now it is impossible for any hackers to inject HTML into your site. Summary
You may not copy this article without my permission. |
#32
|
||||
|
||||
Good article, AJ. Congrats.
|
#33
|
|||
|
|||
Excellent article, thanks for writing it.
|
#34
|
|||
|
|||
PHP Code:
I've seen some code has 'r' or 'p'? |
#35
|
|||
|
|||
They are the some of the super globals:
g = $_GET, p = $_POST, r = $_REQUEST, and also c = $_COOKIE. The above are all valid and alters what content the cleanser sanitizes. More information can be found in the PHP manual: http://us.php.net/variables.predefined |
#36
|
||||
|
||||
vB doesn't seem to use htmlspecialchars_uni when displaying the fields it uses htmlspecialchars_uni only during the update/insert of the TYPE_STR fields, so if we do that we are on the safe side right ?
I am asking cause some of the opinions in this thread really messed up with mine :erm: 1. Use the vBulletin Input Cleaner! 2. Use the htmlspecialchars_uni to clean the TYPE_STR vars from the vBulletin Input Cleaner 3. Use the $db->escape_string() to insert/update/replace values If you use again the htmlspecialchars_uni during display or in the inputs things get ugly. The only exception in this rule is the text columns that you might want to use html instead of bbcode. In this case you don't use htmlspecialchars_uni to clean the $vbulletin->GPC['message'] but you use the htmlspecialchars_uni during the edit on the textarea. |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|