The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
05-16-2011, 12:01 PM
|
||||
|
||||
Sanitizing cookies?
Does vB have a built in function/class to sanitize cookies before storing to database?
Example: Code:
$userdata->set('userVar', $_COOKIE[COOKIE_PREFIX . 'userVar']);
|
|
#2
05-16-2011, 12:10 PM
|
||||
|
||||
|
you have to sanitize it by yourself.
If it's a number, you can simply use: PHP Code:
|
|
#3
05-16-2011, 12:34 PM
|
||||
|
||||
|
Thanks Disasterpiece
 I've while waiting for a reply been searching about. Being that cookies can be manipulated (regardless of what I originally set them to) I want to make sure I'm not open to any MySQL injections. If I'm reading things right, the following should work? PHP Code:
--------------- Added [DATE]1305554055[/DATE] at [TIME]1305554055[/TIME] --------------- Or maybe: PHP Code:
|
|
#4
05-16-2011, 01:36 PM
|
|||
|
|||
|
I think the first code you had was fine, because the data manager escapes the string before including it in a query. In fact it looks like it also calls clean() on it, so you probably wouldn't even have to do that.
I think you still should consider what you do wth the string when you get it back from the database, because although it was escaped to make it safe in a query, it hasn't necessarily been made safe for any purpose.
|
|
#5
05-16-2011, 05:26 PM
|
||||
|
||||
|
As long as you put it only into a query, it's fine because the only danger you have with a string in a query are control chars and quotes.
However, don't ever put this poorly sanitized string into an eval, otherwise you get hacked. Because then there is much more sanitizing necessary than only for queries. open the includes/class_core.php search for the gpc class and see for yourself what gets masked and how the string gets sanitized so that you KNOW what happens.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 01:32 PM.