Security practices on creating modifications

Neorics · September 22, 2007, 09:25:03 AM

so correct me if i'm wrong but this tip is only for mod writers? i mean does SMF have this feature already in it's system?

cause i'm planning to customize the 'edit profile' page to restrict certain fields to be able to be viewed/edited by certain member groups and i'll be using if($context statemets

so is it safe to do that?

karlbenson · September 22, 2007, 05:27:06 PM

any fields you add where users can enter information need

-sanitising (eg casting as integer or removing bad characters)
-validating (eg if it was a youtube id, you would validate to check its a-zA-Z0-9- in a preg_match)
-escaping (if being inserted in the database) addslashes___resursive($data);

Neorics · September 23, 2007, 03:11:16 AM

Quote from: karlbenson on September 22, 2007, 05:27:06 PM
any fields you add where users can enter information need

-sanitising (eg casting as integer or removing bad characters)
-validating (eg if it was a youtube id, you would validate to check its a-zA-Z0-9- in a preg_match)
-escaping (if being inserted in the database) addslashes___resursive($data);

ok... i'm totally lost... can you point me to a direction where i can read how to do those you mentioned?

karlbenson · September 23, 2007, 08:30:51 AM

Well there isn't any specific smf code functions for doing the above.

You will need to use functions like preg_match, eregi, preg_replace with regex strings.

Santiizing eg if you've got an integer you can make sure its an integer
$string = (int) $string;

If it wasn't a number, it will be 0.

You'll find lots of examples of validating/santizing in mods.
Eg my youtube mod checks if the data being parsed is a valid youtube id (a-zA-Z0-9-)

if (preg_match(\'#^([0-9A-Za-z-_]{11})#i\', trim($data[0]), $matches)) {

More info
http://uk3.php.net/preg_match
http://uk3.php.net/preg_replace

Neorics · September 23, 2007, 09:32:54 AM

thanks, omg i didnt realize that SMF have a google ad at the bottom... just saw it after opening it in IE...

White Girl · March 09, 2008, 08:57:46 AM

Thank you for it

BuЯЯЯЯaK · March 09, 2008, 06:05:01 PM

Great post thx harzem

Informatics · March 11, 2008, 02:34:41 AM

wow... cool, thanx for posting.
Modders have to read this

Kader · March 11, 2008, 05:52:54 AM

Hi all

Can somebody shed some light on how:
db_query()

can replace:

$link = mysql_connect('host', 'root', 'password')
or die('Could not connect: ' . mysql_error());

This is to avoid having the password hanging around in a file.

Thanx all

metallica48423 · March 14, 2008, 05:48:49 PM

have you looked at the function DB entry for db_query?

db_query will use the SMF connection to make the query in the first parameter of it. The second and third parameter should be __FILE__ and __LINE__

ie:

Code Select


$id = db_query("
    SELECT ID_MEMBER
    FROM smf_members
    WHERE realName = 'metallica48423'", __FILE__, __LINE__);

will store the result of the query in $id

Sami Ekici · May 26, 2008, 06:17:21 PM

teşekkürler Harzem Bey

Sarge · July 05, 2008, 06:44:40 AM

Quote from: SA(^_^)Mi on May 26, 2008, 06:17:21 PM
teşekkürler Harzem Bey

SA(^_^)Mi, this is an English language board. The Turkish language board is located at: Türkçe (Turkish)

But I understand that you are saying "Thank you, Mr. Harzem"

Sami Ekici · July 29, 2008, 06:32:01 AM

Quote from: Sarge on July 05, 2008, 06:44:40 AM
Quote from: SA(^_^)Mi on May 26, 2008, 06:17:21 PM
teşekkürler Harzem Bey

SA(^_^)Mi, this is an English language board. The Turkish language board is located at: Türkçe (Turkish)

But I understand that you are saying "Thank you, Mr. Harzem"

Thats Oky. I'm Sorry..

News:

Security practices on creating modifications