Nytro Posted June 5, 2008 Report Share Posted June 5, 2008 Daca o folosesc pentru a securiza toate variabilele GET si POST si totul inainte de afisare , se poate trece de ea ? Se poate gasi SQLI , XSS ... ?function secure($ce){ // addslashes Login ByPass $secured=str_replace('"','\"',$ce); $secured=str_replace("'","\'",$secured); // Caractere folosite la SQLI $secured=str_replace("-","& # 45;",$secured); $secured=str_replace("+","& # 43;",$secured); $secured=str_replace(",","& # 44;",$secured); $secured=str_replace(".","& # 46;",$secured); $secured=str_replace("(","& # 40;",$secured); $secured=str_replace(")","& # 41;",$secured); $secured=str_replace("*","& # 42;",$secured); // htmlentities XSS , scripting $secured=str_replace("<","& # 60;",$secured); $secured=str_replace(">","& # 62;",$secured); // Hex : All $secured=str_replace("%22",'\"',$ce); $secured=str_replace("%27","\'",$secured); $secured=str_replace("%2d","& # 45;",$secured); $secured=str_replace("%2b","& # 43;",$secured); $secured=str_replace("%2c","& # 44;",$secured); $secured=str_replace("%2e","& # 46;",$secured); $secured=str_replace("%28","& # 40;",$secured); $secured=str_replace("%29","& # 41;",$secured); $secured=str_replace("%2a","& # 42;",$secured); $secured=str_replace("%3c","& # 60;",$secured); $secured=str_replace("%3e","& # 62;",$secured); return $secured;}Scuzati , am folosit codurile si le-a transformat phpBB in caractere . Functia e fara spatii la coduri ( & # 45 ) . Quote Link to comment Share on other sites More sharing options...
moubik Posted June 5, 2008 Report Share Posted June 5, 2008 uite in genul:http://rstcenter.com/forum/post48108.rst Quote Link to comment Share on other sites More sharing options...
Nytro Posted June 5, 2008 Author Report Share Posted June 5, 2008 uite in genul:http://rstcenter.com/forum/post48108.rstFoarte posibil sa ai probleme : $filterMe = str_replace("#", "#", $filterMe); $filterMe = str_replace("&", "&", $filterMe); Ai incercat functia ? un ##&& ar trebui sa fie : &_#35 &_#35 &_#38 &_#38Dar dupa ce va inlocui primul # cu &_#35 il va inlocui apoi pe al doilea , cel din &_#35 etc. Cred . Oricum vei avea probleme . Scuze nu am stiut de postul tau .Si ai uitat ; Quote Link to comment Share on other sites More sharing options...
moubik Posted June 5, 2008 Report Share Posted June 5, 2008 da, aceasta versiune de functie e la prima varianta acolocred ca in mod corect modificarile se fac altfel, si in acelasi timp.deci pe tot string-ul o data Quote Link to comment Share on other sites More sharing options...
