mpv validation questions

Posted: Thu Jan 15, 2009 12:22 pm
by pixel001
Hi guys, I've got a few MPV validation questions for a mod that isn't released yet.

1) include_once()

Seems not to pass MPV. Why?

Code:

include_once('dataaccessor.php');
2) stripslashes()

I used stripslashes() on an XML. This generated a FAIL condition in MPV.

bbDKP_dev2/plugins/ctrt/root/includes/acp/ctrt/aliases/import.php: Using stripslashes() at line 92:

Code:

$xml = $this->parser->validateXML(stripslashes($_POST['xml']));
I read that request_var is always mandatory, but in this case I would be posting an XML.

3) IN_PHPBB
Why should 'IN_PHPBB' always be set?

[ WARNING ] bbDKP_dev2/root/updatebbdkp/update_ctrt.php: A define for IN_PHPBB is missing or there is no check for IN_PHPBB is set.

4) backticks

I used those in SQL. Aren't these allowed?

[ FAIL ] bbDKP_dev2/root/updatebbdkp/update_bbdkp.php: Using backticks at line 424:

Code:

(snip)    `class_wow_new` smallint(5) unsigned NOT NULL ) " ;  (snip)
TIA :D

Re: mpv validation questions

Posted: Thu Jan 15, 2009 12:50 pm
by Paul
pixel001 wrote:
Hi guys, I've got a few MPV validation questions for a mod that isn't released yet.

1) include_once()

Seems not to pass MPV. Why?

Code:

include_once('dataaccessor.php');
Include is preferred. It's not something we deny for ;)
2) stripslashes()

I used stripslashes() on an XML. This generated a FAIL condition in MPV.

bbDKP_dev2/plugins/ctrt/root/includes/acp/ctrt/aliases/import.php: Using stripslashes() at line 92:

Code:

$xml = $this->parser->validateXML(stripslashes($_POST['xml']));
I read that request_var is always mandatory, but in this case I would be posting an XML.
You should use request_var; that handles the stripslashes. After that, call htmlspecialchars_decode.
3) IN_PHPBB
Why should 'IN_PHPBB' always be set?

[ WARNING ] bbDKP_dev2/root/updatebbdkp/update_ctrt.php: A define for IN_PHPBB is missing or there is no check for IN_PHPBB is set.
For security reasons. If you include phpBB files and it's not set, you get a white page. If you include that file and you don't have a check for it, you can in some cases exploit that (like when register_globals is on).
4) backticks

I used those in SQL. Aren't these allowed?

[ FAIL ] bbDKP_dev2/root/updatebbdkp/update_bbdkp.php: Using backticks at line 424:

Code:

(snip)    `class_wow_new` smallint(5) unsigned NOT NULL ) " ;  (snip)
TIA :D
No. Backticks are MySQL only.

Re: mpv validation questions

Posted: Sat Aug 15, 2009 1:29 pm
by michaelo
Although include_once is not denied, it can be overcome by adding the following. For function calls, you can use include instead...

Example: Your normal function call might look like this...

Code:

function phpbb_preg_quote($str, $delimiter)
{
	$text = preg_quote($str);
	$text = str_replace($delimiter, '\\' . $delimiter, $text);

	return $text;
}
To eliminate the warning (and also add additional benefits):

Code:

if(!function_exists('phpbb_preg_quote'))
{
	function phpbb_preg_quote($str, $delimiter)
	{
		$text = preg_quote($str);
		$text = str_replace($delimiter, '\\' . $delimiter, $text);

		return $text;
	}
}
For classes use something like...

Code:

if (!class_exists('class_name')) {...}

Re: mpv validation questions

Posted: Sat Aug 15, 2009 1:44 pm
by michaelo
Question re: Using $_GET
One report gives:

Code:

[ FAIL ] stargate_portal/root/blocks/block_style_select.php: Using $_GET at line 153:

Code:
    $check = sizeof($_GET);

request_var() should be used.
Any way around this?

Re: mpv validation questions

Posted: Sat Aug 15, 2009 2:50 pm
by igorw
Regarding include_once, I would take a different approach. Something like this (same applies to functions too):

Code:

if (!class_exists('my_class'))
{
    include($phpbb_root_path . 'includes/my_class.' . $phpEx);
}
Regarding $_GET, I don't see why you would need to use sizeof for $_GET, but if there is a good reason, it's sure allowed. For example, running an isset() on a $_POST variable is perfectly fine.
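Putting Paul's answers (the IN_PHPBB guard, request_var instead of stripslashes on $_POST, no backticks) and igorw's class_exists include pattern together in one ACP import file, as an added example that is not code from the thread or from bbDKP. The file `includes/my_class.php`, the class `my_class` with its `validateXML()` method, the form field `xml` and the table `bbdkp_classes` are assumptions; `request_var()`, `$phpbb_root_path`, `$phpEx`, `$db` and `$table_prefix` are phpBB 3.0's own.

```php
<?php
/**
 * Added example (not from the thread or bbDKP): an ACP import file laid out
 * the way MPV expects. Assumes phpBB 3.0 globals ($phpbb_root_path, $phpEx,
 * $db, $table_prefix) and a hypothetical includes/my_class.php that defines
 * class my_class with a validateXML() method.
 */

// Paul's point 3: stop here when the file is requested directly rather than
// included by a phpBB page that has already defined IN_PHPBB. Without the
// guard, a web-reachable include runs with whatever state the caller
// controls, which in some cases is exploitable (e.g. register_globals on).
if (!defined('IN_PHPBB'))
{
	exit;
}

// igorw's pattern: guard the include on the symbol it defines instead of
// relying on include_once, so the file can be pulled in from several places.
if (!class_exists('my_class'))
{
	include($phpbb_root_path . 'includes/my_class.' . $phpEx);
}

// Paul's point 2: request_var() replaces direct $_POST access. It strips the
// slashes magic_quotes may have added and runs htmlspecialchars() on the
// value; passing true as the third argument keeps multibyte (UTF-8) text.
// The parser needs the raw markup, so decode the entities afterwards.
$xml = htmlspecialchars_decode(request_var('xml', '', true));

if ($xml === '')
{
	// Nothing was posted; let the caller render the form again.
	return;
}

$parser = new my_class();
$aliases = $parser->validateXML($xml);

// Paul's point 4: identifiers without backticks. The column definition is
// the one from the original MPV report; the table name is assumed.
$sql = 'ALTER TABLE ' . $table_prefix . 'bbdkp_classes
	ADD class_wow_new smallint(5) unsigned NOT NULL';
$db->sql_query($sql);
```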