OT: Decrypting PHP preg_replace Strings

Pierre Sahores sc at sahores-conseil.com
Mon Dec 26 13:34:26 EST 2011


On 26 Dec 2011 at 16:40, Richard Gaskin wrote:

> Sivakatirswami wrote:
> 
>> We have hackers on our web server getting in through one domain... I think
>> there is a hole in WordPress.
> ...
>> I can't wait until we move our site over to RevIgniter; I think it will be
>> much more secure!
> 
>   Any of you have a similar LiveCode function to sanitize data?

Example code from the LC-server-powered widestep.fr SaaS eCMS and vertical-market web apps semantic-driven generator:

1.- The HTTP POST request sanitizer

> function start_somelivecode_lib
>    if $_server[http_user_agent] is in "livecode (macos),livecode (win32),livecode (ios)" and "somedomainnamecomesthere" is $_SERVER["HTTP_HOST"] then
>
>       ### active sub-domain retriever : start ###
>
>       put "yourdatabasetype" into DbTarget ; put "thedatabasename" into DbName
>       put "thedatabaseuser" into DbUser ; put "thedatabasepwd" into DBPasswd
>
>       # collect the incoming POST keys, one per line
>       repeat for each key k in $_POST
>          put k & return after PostIn
>       end repeat
>       put trim(PostIn) into PostIn
>
>       # the leading POST key decides which table / service the request may reach
>       if "somepostkey1=" is char 1 to length("somepostkey1=") of PostIn or "somepostkey2=" is char 1 to length("somepostkey2=") of PostIn or "somepostkey3=" is char 1 to length("somepostkey3=") of PostIn
>       then put "specialervicestablename" into CustEditors
>       else if "somepostkey4=" is in PostIn then
>
>          set itemdel to "&"
>          put trim(char 8 to -1 of item -1 of PostIn) into aspecialmatchboxvalue # Constant 1 #
>          put item 1 to -2 of PostIn into PostIn
>
>          # different related "file://" server-side service paths come there
>
>          # different related db tables linkers come there
>
>       end if
>
>       ### active sub-domain retriever : end ###
>
>    else return pseudo404()
> 
> ...

2.- The undisclosed HTTP GET request sanitizer code follows here

3.- The server-side incoming request controller:

> function pseudo404
>    # RIA clients get a short machine-readable refusal, anything else gets a plain 404 page
>    if $_server[http_user_agent] is in "livecode (macos),livecode (win32),livecode (ios)" then return "unsuitable credentials<===>unsuitable credentials"
>    else return "<HTML><HEAD><TITLE>ERROR: File Not Found</TITLE></HEAD><BODY><H1>File Not Found</H1></BODY></HTML>"
> end pseudo404
>
>
> function somelivecode_lib_main_ctl
>    if $_server[http_user_agent] is in "livecode (macos),livecode (win32),livecode (ios),livecode (android)" then
>
>       put trim(PostIn) into PostIn
>       # the text before the first "=" is the request key that selects the handler
>       get char 1 to -1+offset("=",PostIn) of PostIn
>
>       if it is "" and char 1 to -1+offset("=",encel(PostIn)) of encel(PostIn) is "someknownkey1" then put pgSQL_directCall(encel(PostIn)) # credit
>       else if it is "someknownkey2" then put someknownkey2(PostIn)
>       else if it is "someknownkey3" then put someknownkey3(PostIn)
>       ...
>       else if it is "someknownkeyN" then put someknownkeyN(PostIn)
>       else put pseudo404()
>
>    else put pseudo404()
> end somelivecode_lib_main_ctl

4.- The undisclosed authentication-dedicated sanitizer follows here

...

Comment 1: Any incoming request needs to be accepted by those different kinds of controllers before being passed on to the authentication one. If something doesn't match, the server app just goes to sleep after sending the pseudo404 response to the unwanted request attempt (with, optionally, blacklisting features, caching, etc.).

Comment 2: this code sanitizes RIA client requests; the code doesn't need to be very different to handle non-AJAX web client requests and AJAX web client ones, but it needs to be everywhere ;-)

HTH,


--
Pierre Sahores
mobile : 06 03 95 77 70
www.sahores-conseil.com
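The controller pattern from Pierre's post (client gate, uniform pseudo-404, one allowed request key per request, value checked before any handler sees it), written out as one self-contained LiveCode Server script. This is an added example, not code from the post or from widestep.fr: the host name www.example.com, the POST keys "login" and "search", the patterns they are checked against, and the handler names isAllowedClient, cleanValue and handleRequest are all hypothetical placeholders.

```livecode
<?lc
# Added example (not Pierre's code): an allow-list request controller for LiveCode Server.
# Host name, accepted POST keys and handler names below are hypothetical placeholders.

# Gate 1: only the expected client type talking to the expected host gets any further.
function isAllowedClient
   local tAgent, tHost
   put $_SERVER["HTTP_USER_AGENT"] into tAgent
   put $_SERVER["HTTP_HOST"] into tHost
   # item-wise match instead of "is in": a substring test would also accept
   # any agent string that merely contains one of the listed values
   if tAgent is not among the items of "livecode (macos),livecode (win32),livecode (ios)" then
      return false
   end if
   return tHost is "www.example.com"
end isAllowedClient

# Same role as the pseudo404 of the post: one uniform answer for everything rejected,
# sent with a real 404 status so the client learns nothing about why it was refused.
function pseudo404
   put header "HTTP/1.1 404 Not Found"
   return "<HTML><HEAD><TITLE>ERROR: File Not Found</TITLE></HEAD><BODY><H1>File Not Found</H1></BODY></HTML>"
end pseudo404

# Value sanitizer: allow-list by pattern, return empty (= reject) for anything else.
# Rejecting beats stripping: a stripped value can still be a different request than the one sent.
function cleanValue pValue, pPattern
   if matchText(pValue, pPattern) then
      return pValue
   end if
   return empty
end cleanValue

# Gate 2: exactly one POST key, its name chooses the handler, its value must fit that handler's pattern.
function handleRequest
   if not isAllowedClient() then
      return pseudo404()
   end if
   local tKeys, tKey, tValue
   put the keys of $_POST into tKeys
   if the number of lines of tKeys is not 1 then
      return pseudo404()
   end if
   put line 1 of tKeys into tKey
   put $_POST[tKey] into tValue
   switch tKey
      case "login"
         # user names: 3 to 32 word characters and nothing else
         put cleanValue(tValue, "^[A-Za-z0-9_]{3,32}$") into tValue
         break
      case "search"
         # search terms: letters, digits and spaces only, at most 64 characters
         put cleanValue(tValue, "^[A-Za-z0-9 ]{1,64}$") into tValue
         break
      default
         # unknown key: the switch itself is the allow-list
         return pseudo404()
   end switch
   if tValue is empty then
      return pseudo404()
   end if
   # here the real app would call the per-key handler (hypothetical); the value it
   # receives is already known to fit the pattern declared for that key
   return "ok<===>" & tKey & "=" & tValue
end handleRequest

put handleRequest()
?>
```

Two design choices matter more than the patterns themselves: every refusal path returns the same pseudo404 so an unwanted request cannot tell which gate it failed, and a value that does not match its allow-list is dropped rather than cleaned up, which keeps the handler from ever acting on data that differs from what the client sent.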