[RESOLVED] postback: improving security

BEFOR

Receiving the following postback (Gateway makes only a single postback, cannot validate the data sent)-- I am trying to tighten the security on postback page.

A) the mysql_real_escape_string -- how might this go, please note the password is alphanumeric:

😎 would it really help to create a class to 'clean' the $_GET
B.1) Is this effective against an attack? Would you create a seperate class file and apply it how here?

$userid = $GET['userid'];
$plan_type = $GET['type'];
$trans_id = $GET['transactionid'];
$trans_status = $GET['transactionstatus'];
$trans_date = $_GET['tansactiondate'];

//2nd - check ip address against 605.42.56.*/35

$ip = $_SERVER['REMOTE_ADDR'];
if ($ip=='605.42.56.*/35') {
$send_email = "admin@mysite.com";

$Server = "aaaa.aaaa.com"; //Server
$DName = "any_any12"; //Database
$Username = "bbbbbbb"; //Username
$Password = "ccccc"; //Password

//make connection
$Connect = @mysql_connect($Server, $Username, $Password)
or die("Couldn't connect to MySQL " . mysql_error() . " " . mysql_errno());

//select database
$Db = @mysql_select_db($DName, $Connect)
or die("Couldn't select database " . mysql_error(). " " . mysql_errno());

 if ($trans_status == "approved"){ $firstQuery = "insert into Paymenttable(fk_UserID,TransactionPlan_type,Transaction_id,Transaction_status,  Transaction_date)values('".$userid."','".$transplan_type ."','".$trans_id','".$trans_status."','".$trans_date."')";

$result = mysql_query($firstQuery) or die("Default - Paymenttable, not successful: " . mysql_error() . " " . mysql_errno());

mail($send_email, "VERIFIED", "$firstQuery");
}
}

BEFOR

anyone?

bretticus

Single post back...Are you saying that you must send all variables to the php script using a URI? Frankly, "cleaning" the $_GET array isn't as effective as just validating your input. For example, if you are excpecting an integer, check for an integer. You can even enforce an integer by calling intval(). For strings, you can make use of mysql_real_escape_string(). In short, if you want to be super-safe (and I don't blame you) validate each value before injecting it into your query. And don't just validate, force the value if possible (intval example.)

$ip = $_SERVER['REMOTE_ADDR'];
if ($ip=='605.42.56.*/35')

I suppose you know $_SERVER['REMOTE_ADDR'] will never return anything close to 605.42.56.*/35 and so I assume that is just for illustrative purposes (not that 605 can exist as an octet value in the first place.) Did you have a specific question about that?

Weedpacket

I'd've thought that after two years the question would have been resolved or superseded by something else already. At the very least I'd've thought that some additional thought would have been applied by the OP to the problem.

BEFOR

Thank you, now answered.