
How to be safe?

Dankoo

Active Member
Joined
Sep 4, 2010
Messages
1,007
Reaction score
27
So, I've seen that a serious security update was made on rev 242, and the changes are:

system/security.php OLD

PHP:
<?php
// Strips the byte pair 0xBF 0x27 (an edge case that addslashes() alone does not
// handle safely in some multibyte charsets) and then backslash-escapes quotes
// with addslashes().
function escape($data) {
	return addslashes(str_replace(chr(0xbf).chr(0x27), '', $data));
}

// Keep the raw value under "<key>Original" and put the escaped value under the
// key itself; controllers such as admin.php read the Original copy.
foreach($_POST as $key=>$value) {
	$_POST[$key.'Original'] = $value;
	$_POST[$key] = escape($value);
}
if($config['engine']['enable_query_strings']) {
	foreach($_GET as $key=>$value) {
		$_GET[$key.'Original'] = $value;
		$_GET[$key] = escape($value);
	}
	$_REQUEST = array_merge($_GET, $_POST);
} else {
	$_REQUEST = $_POST;
}
?>

system/security.php NEW

PHP:
<?php

// Rewrites every letter of $string as a [Xx] character class so that the
// pattern built from it matches case-insensitively (same effect as /i).
function __sql_regcase($string){
        $max = strlen($string);
        $ret = '';
        for ($i = 0; $i < $max; $i++) {
                $char   = substr($string,$i,1);
                $up     = strtoupper($char);
                $low    = strtolower($char);
                $ret    .=($up != $low) ? '[' . $up . $low . ']' : $char;
        }

        return $ret;
}
// Deletes a blacklist of SQL keywords and comment markers from the input.
// Note that this also removes ordinary words such as "from" or "where"
// from news text, so the stored value is no longer what the admin typed.
function escape($data) {
        $data = preg_replace(__sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $data);
        return $data;
}

foreach($_POST as $key=>$value) {
        // What IDIOT wrote it like this???
        //$_POST[$key] = escape($value);
        $_POST[$key] = addslashes(escape($value));
        // Unlike the old file, no "<key>Original" copy is kept here.
}
if($config['engine']['enable_query_strings']) {
        foreach($_GET as $key=>$value) {
                $_GET[$key] = escape($value);
        }
        $_REQUEST = array_merge($_GET, $_POST);
} else {
        $_REQUEST = $_POST;
}
?>

I can't just replace it without bugs, like when creating a news post:

A PHP Error was encountered

Severity: Notice

Message: Undefined index: bodyOriginal

Filename: controllers/admin.php

Line Number: 61

A PHP Error was encountered

Severity: Notice

Message: Undefined index: titleOriginal

Filename: controllers/admin.php

Line Number: 62

A Database Error Occurred
Error Number: 1048

Column 'body' cannot be null

INSERT INTO `news` (`time`, `id`, `body`, `title`) VALUES (1290470828, '', NULL, NULL)

When I use the old one, no bugs... I want to use the safer version, what should I change? Thx :peace::peace::peace::peace::peace:
 
PHP:
<?php

// Rewrites every letter of $string as a [Xx] character class so that the
// pattern built from it matches case-insensitively (same effect as /i).
function __sql_regcase($string){
        $max = strlen($string);
        $ret = '';
        for ($i = 0; $i < $max; $i++) {
                $char   = substr($string,$i,1);
                $up     = strtoupper($char);
                $low    = strtolower($char);
                $ret    .=($up != $low) ? '[' . $up . $low . ']' : $char;
        }

        return $ret;
}
// Deletes a blacklist of SQL keywords and comment markers from the input.
function escape($data) {
        $data = preg_replace(__sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $data);
        return $data;
}

foreach($_POST as $key=>$value) {
        // What IDIOT wrote it like this???
        //$_POST[$key] = escape($value);
        $_POST[$key] = addslashes(escape($value));
        // Keep the raw copy that controllers such as admin.php read
        // ($_POST['bodyOriginal'], $_POST['titleOriginal']).
        $_POST[$key.'Original'] = $value;
}
if($config['engine']['enable_query_strings']) {
        foreach($_GET as $key=>$value) {
                $_GET[$key] = escape($value);
        }
        $_REQUEST = array_merge($_GET, $_POST);
} else {
        $_REQUEST = $_POST;
}
?>
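Editor's added example (my own code, not part of the AAC or of the post above): it ports the two escape() variants from the thread, shows what the rev 242 keyword blacklist does to a perfectly ordinary news body, and then stores the same body with a PDO prepared statement, which is the approach that makes both addslashes() and the keyword stripping unnecessary. It assumes the pdo_sqlite extension is available; the `news` table is a constructed stand-in with only the columns named in the error message in the post.

```php
<?php
// Added example, not the AAC's own code. Requires the pdo_sqlite extension.

// Same helper as in rev 242: every letter becomes a [Xx] class so the
// pattern matches case-insensitively.
function __sql_regcase(string $string): string {
    $ret = '';
    for ($i = 0, $max = strlen($string); $i < $max; $i++) {
        $char = $string[$i];
        $up   = strtoupper($char);
        $low  = strtolower($char);
        $ret .= ($up != $low) ? '[' . $up . $low . ']' : $char;
    }
    return $ret;
}

// rev 242 "NEW" behaviour: keyword blacklist, then addslashes().
// (The pattern is written on one line here; the post shows it wrapped.)
function escape_new(string $data): string {
    $pattern = __sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/");
    return addslashes(preg_replace($pattern, '', $data));
}

// "OLD" behaviour: strip the 0xBF 0x27 byte pair, then addslashes().
function escape_old(string $data): string {
    return addslashes(str_replace(chr(0xbf) . chr(0x27), '', $data));
}

// Safe insert: title and body are bound as parameters, so quotes and SQL
// keywords inside them are stored verbatim and are never parsed as SQL.
// This is what the "Original" (unescaped) copies should be fed into.
function insert_news(PDO $db, string $title, string $body, int $time): int {
    $stmt = $db->prepare('INSERT INTO news (time, title, body) VALUES (:time, :title, :body)');
    $stmt->execute([':time' => $time, ':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Constructed in-memory stand-in for the real news table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY AUTOINCREMENT, time INTEGER, title TEXT, body TEXT)');

// Constructed sample: an ordinary announcement an admin might post. It
// contains "Select", "from", "where", "--" and an apostrophe, none of which
// are an attack; they are just English text.
$body = "Select your reward from the quest chest -- it's free where the NPC stands!";

// The blacklist silently deletes the words Select, from, where and the "--",
// so what reaches the database is no longer what the admin wrote.
echo "new escape(): ", escape_new($body), "\n";

// The old variant keeps the words but backslash-escapes the apostrophe.
// That output is only correct when pasted inside a quoted SQL literal; if
// the query is later moved to a prepared statement, the backslash itself
// would end up stored in the body.
echo "old escape(): ", escape_old($body), "\n";

// The parameterised insert stores the body exactly as typed.
$id     = insert_news($db, 'Quest update', $body, 1290470828);
$stmt   = $db->prepare('SELECT body FROM news WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
echo "stored via PDO: ", $stored, "\n";
var_dump($stored === $body);
```

The practical takeaway for the thread's question: the `bodyOriginal`/`titleOriginal` keys exist because the controller wants the value the admin actually typed, and once the insert uses a prepared statement that raw value is the only one it needs; neither escape() variant has to touch it. Keyword stripping in particular is not an input-validation technique, since it corrupts legitimate text and still leaves the query string-concatenated.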
 