Generic Application Form

Started by JPDeni, May 23, 2009, 11:04:28 PM


JPDeni

You might want to take a look at /Sources/Post.php, function createPost to see how SMF deals with security.

Freddy

#131
There's an SMF function I use to clean up passed variables; you might want to take a look at that too:

cleanRequest...

Really whenever you insert data into the DB you want to be using that.

Also it's a good idea to check the session before you do anything too:

checkSession...

If you are worried by HTML being inserted you can use this PHP function:

strip_tags...

There's probably a whole host of other solutions too - I would try Google and see what methods other people suggest to protect from SQL injection.

IchBin

If you're using SMF's db functions everything is already cleaned for you.

ed_m2

Thanks, I'll do some digging.

http://www.simplemachines.org/community/index.php?topic=119652.0
and
http://www.smfmods.org/wiki/Security_practices

are my initial hits.

I've yet to see any info on whether db_query input is cleaned or not.

Freddy

Quote: I've yet to see any info on whether db_query input is cleaned or not.

I'm not sure either, but I don't doubt IchBin. I use it because the SMF Coding Guidelines say to use it, though docs often go out of date, and maybe they mean regular db queries rather than the SMF function.

You can take a look for yourself :

http://www.simplemachines.org/community/index.php?topic=159824.0

There's also the practice of casting numbers to integers, which is mentioned in the docs.
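An added example, not code from the thread or from SMF, of the three habits Freddy lists: casting numeric fields to int, escaping string fields before they are placed in a query, and treating strip_tags() as HTML removal rather than output escaping. The table name, field names, the sql_escape() helper and the hostile submission are all constructed for illustration; sql_escape() stands in for mysqli_real_escape_string(), which needs a live connection and the connection's charset, so real code should use that instead.

```php
<?php
// Added example, not code from the thread or from SMF: cast numbers to int,
// escape strings before they enter a query, and treat strip_tags() as HTML
// removal rather than output escaping, shown on a constructed form submission.
// Table and field names are invented; sql_escape() is a stand-in for
// mysqli_real_escape_string(), which needs a live connection.

declare(strict_types=1);

/** Escape a value for use inside a single-quoted SQL literal (illustration only). */
function sql_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
    ]);
}

/** The naive version: every posted value is dropped into the SQL as-is. */
function build_insert_vulnerable(array $post): string
{
    return "INSERT INTO tp_applications (member_id, age, username, about) VALUES ("
        . $post['member_id'] . ", " . $post['age'] . ", '"
        . $post['username'] . "', '" . $post['about'] . "')";
}

/** Hardened: numeric fields cast to int, string fields escaped and quoted. */
function build_insert_hardened(array $post): string
{
    $member_id = (int) ($post['member_id'] ?? 0);
    $age       = (int) ($post['age'] ?? 0);
    $username  = sql_escape((string) ($post['username'] ?? ''));
    $about     = sql_escape(strip_tags((string) ($post['about'] ?? '')));
    return "INSERT INTO tp_applications (member_id, age, username, about) VALUES ("
        . "$member_id, $age, '$username', '$about')";
}

/** When the stored value is shown again, encode for the HTML context it lands in. */
function render_field(string $value): string
{
    return '<input type="text" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed hostile submission: a payload in a numeric field, a quote
// breakout in a string field, and an attribute breakout that contains no tags.
$attacker = [
    'member_id' => '1',
    'age'       => '0); DROP TABLE tp_applications; -- ',
    'username'  => "x', 'pwned'); -- ",
    'about'     => '" onmouseover="alert(1)',
];

echo build_insert_vulnerable($attacker), "\n";  // second statement injected, comment swallows the rest
echo build_insert_hardened($attacker), "\n";    // age becomes 0, quotes are escaped
echo strip_tags($attacker['about']), "\n";      // unchanged: there was no tag to strip
echo render_field($attacker['about']), "\n";    // quotes encoded, attribute stays closed
```

The last two lines are the caveat on strip_tags(): it removes tags, but a value with no tags at all can still break out of an attribute, so the encoding for the output context (htmlspecialchars() here) is still needed when the value is rendered.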

JPDeni

ed_m, this is code from db_query:


    // First, we clean strings out of the query, reduce whitespace, lowercase, and trim - so we can check it over.
    if (empty($modSettings['disableQueryCheck']))
    {
        $clean = '';
        $old_pos = 0;
        $pos = -1;
        while (true)
        {
            $pos = strpos($db_string, '\'', $pos + 1);
            if ($pos === false)
                break;
            $clean .= substr($db_string, $old_pos, $pos - $old_pos);

            // Walk to the closing quote, stepping over backslash escapes inside the literal.
            while (true)
            {
                $pos1 = strpos($db_string, '\'', $pos + 1);
                $pos2 = strpos($db_string, '\\', $pos + 1);
                if ($pos1 === false)
                    break;
                elseif ($pos2 == false || $pos2 > $pos1)
                {
                    $pos = $pos1;
                    break;
                }

                $pos = $pos2 + 1;
            }
            // The whole literal is replaced by a placeholder, so its contents are never inspected.
            $clean .= ' %s ';

            $old_pos = $pos + 1;
        }
        $clean .= substr($db_string, $old_pos);
        $clean = trim(strtolower(preg_replace(array('~\s+~s', '~/\*!40001 SQL_NO_CACHE \*/~', '~/\*!40000 USE INDEX \([A-Za-z\_]+?\) \*/~'), array(' ', '', ''), $clean)));

        // We don't use UNION in SMF, at least so far.  But it's useful for injections.
        if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
            $fail = true;
        // Comments?  We don't use comments in our queries, we leave 'em outside!
        elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, ';') !== false)
            $fail = true;
        // Trying to change passwords, slow us down, or something?
        elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
            $fail = true;
        elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
            $fail = true;
        // Sub selects?  We don't use those either.
        elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
            $fail = true;

        if (!empty($fail))
        {
            log_error('Hacking attempt...' . "\n" . $db_string, $file, $line);
            fatal_error('Hacking attempt...', false);
        }
    }


Looks like there's checking there.
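To see what the check above actually catches, here is an added, standalone re-implementation of the same heuristic (my code, not SMF's; the function names are mine and the sample queries are constructed), run over a handful of queries. The string-stripping loop follows the logic quoted above; the keyword patterns are simplified to [^a-z] and the two MySQL hint patterns are left out. The second sample shows that anything inside a quoted literal is ignored, and the last two show the limit of the heuristic: an injection that uses no UNION, comment, separator, SLEEP/BENCHMARK or sub-select passes, so the check is a backstop for escaping and integer casting, not a replacement for them.

```php
<?php
// Added example, not SMF's code: a standalone re-implementation of the
// db_query() heuristic quoted above so it can be run over sample queries.
// Function names are mine; the string-stripping loop follows the original,
// the keyword patterns are simplified to [^a-z] and the two MySQL hint
// patterns are omitted. Sample queries are constructed.

declare(strict_types=1);

/** Replace every single-quoted literal with " %s ", collapse whitespace, lowercase. */
function smf_clean_query(string $db_string): string
{
    $clean = '';
    $old_pos = 0;
    $pos = -1;
    while (true) {
        $pos = strpos($db_string, "'", $pos + 1);
        if ($pos === false) {
            break;
        }
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        // Walk to the closing quote, stepping over backslash escapes inside the literal.
        while (true) {
            $pos1 = strpos($db_string, "'", $pos + 1);
            $pos2 = strpos($db_string, "\\", $pos + 1);
            if ($pos1 === false) {
                break;
            }
            if ($pos2 === false || $pos2 > $pos1) {
                $pos = $pos1;
                break;
            }
            $pos = $pos2 + 1;
        }
        $clean .= ' %s ';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    return trim(strtolower(preg_replace('~\s+~s', ' ', $clean)));
}

/** Returns the name of the rule that fired, or null when the query passes. */
function smf_query_check(string $db_string): ?string
{
    $clean = smf_clean_query($db_string);
    if (preg_match('~(^|[^a-z])union($|[^a-z])~s', $clean)) {
        return 'union';
    }
    $c = strpos($clean, '/*');
    if (($c !== false && $c > 2) || strpos($clean, '--') !== false || strpos($clean, ';') !== false) {
        return 'comment/separator';
    }
    if (preg_match('~(^|[^a-z])(sleep|benchmark)($|[^a-z])~s', $clean)) {
        return 'sleep/benchmark';
    }
    if (preg_match('~\([^)]*?select~s', $clean)) {
        return 'sub-select';
    }
    return null;
}

// First two are ordinary queries; the next three are the injection shapes the
// check is aimed at; the last two are injections it does not see.
$samples = [
    "SELECT id FROM tp_app WHERE name = 'O\\'Brien' AND age = 30",
    "SELECT id FROM tp_app WHERE name = 'a; -- b' AND age = 30",
    "SELECT id FROM tp_app WHERE id = 1 UNION SELECT passwd FROM smf_members",
    "SELECT id FROM tp_app WHERE id = 1; DROP TABLE tp_app",
    "SELECT id FROM tp_app WHERE id = 1 AND (SELECT SLEEP(5))",
    "SELECT id FROM tp_app WHERE id = 1 OR 1=1",
    "SELECT id FROM tp_app WHERE name = 'x' OR name LIKE '%'",
];
foreach ($samples as $sql) {
    printf("%-18s %s\n", smf_query_check($sql) ?? 'passes', $sql);
}
```

Because the literal boundaries are taken from the query text as it arrives, an unescaped quote in user input moves those boundaries; the cleaned query in the last sample still contains nothing the rules look for, which is exactly why the thread's advice to escape strings and cast numbers comes first.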

EasyRider

#136
Hi Deni! :) :)

Is it possible to add a simple date picker in some field? For example, like this one:

or something more simple.. :-X

I added the code in a zip attachment!
SMF  1.1.11 / TinyPortal v1.0 beta 4 /default theme

JPDeni

I wouldn't know how to do it, I'm afraid. This is way beyond the capability of my simple form.

EasyRider

No problem, Deni! I knew it was very difficult..

But you have already done so many things about it!

Anyway, thank you, dear!! :) :) :)
SMF  1.1.11 / TinyPortal v1.0 beta 4 /default theme

chevman74

#139
Noted  :-\
