URL checking function returns false? PHP -

-

first of all, not sure @ all, of sql injections, xss attacks etc, occurs via url, using parameters.

so wondered, if clean them , detect if there illegal word, if yes, exit 404 page.

so function:

    private static function cleanpath()     {         if (isset($_get))         {             $count      = 0;             $illegal    = array              (                 '<?', '<?php', '?>', '(', ')',                 '{', '}', 'select', '*', 'from',                 'where', 'select', 'from', 'where',                 'delete', 'delete', 'echo', 'print',                 'html', 'div', 'class', 'function',                 'prepare', 'query', 'execute', 'exec_',                 '_', '++', 'bindvalue', 'static',                 '$'             );              foreach ($illegal $i)             {                 foreach ($_get $key => $value)                 {                     $check = strpos($key, $i);                     if (!$check)                     {                         $count++;                     }                 }             }              if ((int)$count == count($illegal))             {                 return true;             }             else             {                 echo $count . ' array count:' . count($illegal) . '<br />';                 return false;             }         }     }

but seems function doesn't work correctly.

and enter link: ?section=register&sec

it return false.

when enter link: ?section=register&section

it return true, , if enter besides section, return false. why doing that?

as see debugged that, , that's returns:

62 array count:31

so $count = 62 , array count = 31

why go 62? looks doubling counter. did wrong?

going logic, if ok, actual comparison check be:

if ((int)$count == (count($_get) * count($illegal)))

since counter being incremented every parameter every illegal term.

having said that, approach use problem impossible extensive, let alone complete.

it better sanitize inputs , use programming constructs prevent illegal values being processed (as anigel mentioned, whitelisting want), search wrongdoing constructs.


Comments

Post a Comment

Popular posts from this blog

c++ - Creating new partition disk winapi -

-
i'am trying create new partition , mount volume new, thought createfile let me this, code : lpctstr lpfilename=l"\\\\.\\device\\harddisk0\\partition3"; handle handl=createfile( lpfilename, generic_read | generic_write, file_share_read | file_share_write, null, create_always, file_attribute_normal, null ); if (handl==invalid_handle_value) { qdebug()<<"handl invalid"<<" error"<<getlasterror();} bool success = definedosdevice(ddd_raw_target_path,l"i:",l"\\device\\harddisk0\\partition3"); if(!success) qdebug()<<" definedosdevice failed "<<getlasterror(); bflag = getvolumenameforvolumemountpoint( l"i:\\", // input volume mount point or directory /** u in dir
Read more

Android Prevent Bluetooth Pairing Dialog -

-
i'm developing internal application uses bluetooth printing. want bluetooth pairing occur without user input. have managed working trapping android.bluetooth.device.action.pairing_request broadcast. in broadcast receiver call setpin method, , pairing works ok, bluetoothpairingdialog displayed second or two, disappears - see link below. https://github.com/android/platform_packages_apps_settings/blob/master/src/com/android/settings/bluetooth/bluetoothpairingdialog.java since broadcast non-ordered, can't call abortbroadcast() , , wondering if there other way prevent pairing dialog appearing. can hook window manager in way? i haven't been able come way without modifying sdk. if you're oem, it's easy (i'm on 4.3): in packages/apps/settings/androidmanifest.xml, comment intent filter pairing dialog: <activity android:name=".bluetooth.bluetoothpairingdialog" android:label="@string/bluetooth_pairing_request"
Read more

VBA function to include CDATA -

-
i have following function include cdata: function cdatasection() dim objdom domdocument dim objkmlrootelement ikmldomelement dim objkmlelement ikmldomelement dim cdata ikmldomcdatasection set objdom = new domdocument set objkmlrootelement = objdom.createelement("balloonstyle") objdom.appendchild objkmlrootelement set objkmlelement = objdom.createelement("text") objkmlrootelement.appendchild objkmlelement set cdata = objdom.createcdatasection("text") cdata.data = "<![cdata[<b>latitude = $[latitude]</b>?]]>;" end function when run above, getting error "user defined data type not found" function. yes ripster says find library reference. vba window tools>references for list of relevant references see... http://msdn.microsoft.com/en-us/library/windows/desktop/ms763701%28v=vs.85%29.aspx however, if have hard time tracking down reference, replace dim sta
Read more