MyBB Community Forums

Full Version: How to Prevent Plugins from hacking
I want to prevent my plugin from being accessed via hacking or anything like this.
What kind of security is best for MyBB?
My plugin has some POST methods, SQL queries to update and insert data, and more...
Quote: What kind of security is best for MyBB?

Security is a process, not a product.

Post your code so we can see what you've done right and what you've done wrong.
(2017-04-28, 10:49 AM)Nathan Malcolm Wrote:
Quote: What kind of security is best for MyBB?

Security is a process, not a product.

Post your code so we can see what you've done right and what you've done wrong.

This is one part of my plugin:
function rsar_usercp_dailybonus(){
global $db, $footer, $header, $navigation, $headerinclude, $themes, $mybb, $templates, $usercpnav,$lang;


	if($mybb->input['action'] != "dailybonus")
		return;

	if($mybb->settings['newpoints_advancereferrals_enable']!=1)
		return;

	if(!$mybb->settings['newpoints_advancereferrals_dailybonus'])
		return;

	if(!$mybb->settings['newpoints_advancereferrals_dailybonus_intval']){
		$intval = 24;
	}else{
		$intval = intval($mybb->settings['newpoints_advancereferrals_dailybonus_intval']);
	}
		

	newpoints_lang_load('newpoints_advancereferrals');

	// add breadcrumb
	add_breadcrumb($lang->advancereferrals_dailybonus, 'ucp.php?action=dailybonus');

	$bonus = rs_ar_checkbonus("dailybonus",$intval);

	$html = $mybb->settings['newpoints_advancereferrals_dailybonus_html'];	
	$title = $lang->advancereferrals_dailybonus;
	$subtitle = $lang->advancereferrals_dailybonus_subheading;
	$info = sprintf($lang->advancereferrals_dailybonus_info,$mybb->settings['newpoints_main_curprefix'].$mybb->settings['newpoints_advancereferrals_dailybonus'].$mybb->settings['newpoints_main_cursuffix'],$mybb->settings['newpoints_advancereferrals_dailybonus_intval']);
	// if $bonus is false then prepare button for bonus
	if(!$bonus){
		$submitbutton = '<form action="?action=dailybonus" method="post"  id="rs_dailybonus" >';
		//prepare button

		if($mybb->settings['newpoints_advancereferrals_dailybonus_time']>0){
			$submitbutton = '<form id="rs_dailybonus" action="?action=dailybonus" method="post" onsubmit="rs_countdown('.$mybb->settings['newpoints_advancereferrals_dailybonus_time'].',\'dailybonus\',this.id);return false;">';
			$submitbutton .= '<input type="hidden" name="dailybonus" value="submit"/>';
			$submitbutton .= '<input type="submit" value="'.$lang->advancereferrals_bonus_submitbutton.'" id="dailybonus"/>';
		$submitbutton .= '
			<script type="text/javascript">
				function rs_countdown(s,id,fid){
					var timeleft = s;
					document.getElementById(id).disabled=true;
					document.getElementById(id).value = "'.sprintf($lang->advancereferrals_dailybonus_timer, $mybb->settings['newpoints_advancereferrals_dailybonus_time']).'";
					var downloadTimer = setInterval(function(){
						timeleft--;
						document.getElementById(id).value = "'.sprintf($lang->advancereferrals_dailybonus_timer, '"+timeleft+"').'";
						if(timeleft <= 0){
							clearInterval(downloadTimer);
							document.getElementById(id).value = "'.$lang->advancereferrals_dailybonus_submit_sending.'";
							document.getElementById(fid).submit();
						}
					},1000);
				}
			</script>
';
		}else{
			$submitbutton .= '<input type="submit" name="dailybonus" value="'.$lang->advancereferrals_bonus_submitbutton.'"/>';
		}
		$submitbutton.='</form>';
		if($mybb->request_method == "post"){
			if($mybb->input['dailybonus']){
				$db->write_query("UPDATE ".TABLE_PREFIX."users SET newpoints=newpoints+".$mybb->settings['newpoints_advancereferrals_dailybonus'].",dailybonus='".TIME_NOW."' WHERE uid='".$mybb->user['uid']."'");
				//$db->write_query("UPDATE ".TABLE_PREFIX."users SET dailybonus='".TIME_NOW."' WHERE uid='".$mybb->user['uid']."'");
				$bonus = '<div class="alert alert-success">'.$lang->advancereferrals_dailybonus_successmsg.'</div>';
				$submitbutton='';
			}else{
				$bonus = '<div class="alert alert-danger">'.$lang->advancereferrals_dailybonus_errormsg.'</div>';
			}
		}else{
			$bonus = '';
		}
	}else{
		
		$bonus = $lang->advancereferrals_dailybonus_redeemed;
	}
	eval("\$page = \"".$templates->get("advancerefferals_usercp_bonus")."\";");
	output_page($page);
}
If you use queries, use the MyBB DB class, not plain queries... If you still use plain queries and haven't used the class to build your query, then escape them.
You are talking about inserting data, and that part never does it.

You have to sanitize data before showing it.

And in query instances do the same, and escape the insertion of data to prevent SQL injection attacks.

You have to be sure to have code implementations to prevent XSS injections in the code shared.

See yah !!!
(2017-04-28, 12:28 PM)broatcast Wrote: If you use queries, use the MyBB DB class, not plain queries... If you still use plain queries and haven't used the class to build your query, then escape them.

(2017-04-28, 12:48 PM)Dark Neo Wrote: You are talking about inserting data, and that part never does it.

You have to sanitize data before showing it.

And in query instances do the same, and escape the insertion of data to prevent SQL injection attacks.

You have to be sure to have code implementations to prevent XSS injections in the code shared.

See yah !!!


I know, but I was lazy to add this because I have to develop this plugin as soon as possible. I'll take care of them in the next release..
That's the worst decision you can make... code clean from scratch; later you will not patch this because it's just working...
And releasing a vulnerable plugin is the worst thing you can do.
(2017-04-28, 10:06 PM)broatcast Wrote: That's the worst decision you can make... code clean from scratch; later you will not patch this because it's just working...
And releasing a vulnerable plugin is the worst thing you can do.

Actually, I'm not releasing it publicly; I have a personal website and will install it on this... If everything works fine as I want with this plugin, then I'll make all the modifications to prevent hacking. Testing on a live website is better than testing on localhost. Smile
OK, my main reason for this thread was to verify incoming POST requests. As I remember, in the past I created a plugin which used the MyBB post key to verify POST requests, but now I forget this function, how to use it and where to put it.
I also added "verify_post_check($mybb->get_input('my_post_key'));", which I found in the member.php file, but after putting this in, PHP throws a warning about the max memory limit Smile
Yeah, I was going to say you need verify_post_check to prevent XSS CSRF.

In your form add a new field:
<input type="hidden" name="my_post_key" value="{$mybb->post_code}">

The first thing you need to do after checking if the request is POSTed is verify_post_check().
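Putting fizz's CSRF advice together with the escaping and sanitising advice from broatcast and Dark Neo, the following is an added example (not code from the plugin or from MyBB) of how the POST-handling branch of the function posted above could look. It assumes the plugin's existing settings names and its rs_ar_checkbonus() helper, which is assumed to return true when the bonus was already redeemed.

```php
<?php
// Added example (not code from the plugin or from MyBB): the POST branch of
// rsar_usercp_dailybonus() with the CSRF check from fizz's reply and the
// escaping/sanitising advice from broatcast and Dark Neo applied.
// Assumes the plugin's settings names and its rs_ar_checkbonus() helper
// (assumed to return true when the bonus was already redeemed).
function rsar_dailybonus_handle_post()
{
    global $mybb, $db, $lang;
    // Nothing to do unless the form was actually submitted.
    if ($mybb->request_method != "post") {
        return '';
    }

    // CSRF: verify_post_check() compares the submitted my_post_key with
    // $mybb->post_code and stops with error() on a mismatch. The form must
    // contain <input type="hidden" name="my_post_key" value="{$mybb->post_code}">.
    verify_post_check($mybb->get_input('my_post_key'));

    // Typed input: get_input() returns a string here; compare strictly.
    if ($mybb->get_input('dailybonus') !== 'submit') {
        return '<div class="alert alert-danger">'
            . htmlspecialchars_uni($lang->advancereferrals_dailybonus_errormsg)
            . '</div>';
    }

    // Enforce the cooldown server-side; the JavaScript countdown is only a UI nicety.
    $intval = (int)$mybb->settings['newpoints_advancereferrals_dailybonus_intval'];
    if ($intval <= 0) {
        $intval = 24;
    }
    if (rs_ar_checkbonus("dailybonus", $intval)) {
        return htmlspecialchars_uni($lang->advancereferrals_dailybonus_redeemed);
    }

    // Only values the code controls reach the query, and each is cast to the
    // type it must have. String values would go through $db->escape_string().
    $amount = (float)$mybb->settings['newpoints_advancereferrals_dailybonus'];
    $uid = (int)$mybb->user['uid'];
    $db->write_query(
        "UPDATE " . TABLE_PREFIX . "users
         SET newpoints = newpoints + {$amount}, dailybonus = '" . TIME_NOW . "'
         WHERE uid = '{$uid}'"
    );

    // Escape language strings too before they land in HTML output.
    return '<div class="alert alert-success">'
        . htmlspecialchars_uni($lang->advancereferrals_dailybonus_successmsg)
        . '</div>';
}
```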
(2017-05-04, 07:45 PM)fizz Wrote: Yeah, I was going to say you need verify_post_check to prevent XSS.

In your form add a new field:
<input type="hidden" name="my_post_key" value="{$mybb->post_code}">

The first thing you need to do after checking if the request is POSTed is verify_post_check().

Thanks for this info.. Smile