PDA

View Full Version : Help me secure some code



semaja2
06-21-2006, 10:33 AM
Hey guys, if anyone is willing to help me out here, could someone check over my code and help me secure it.


<?

$show = $HTTP_GET_VARS['show'];
$episode = $HTTP_GET_VARS['ep'];

if ( $show == sga ) {
$show = atlantis;
}

if ( $show == sg1 ) {
$show = stargate;
}

if ( $show == bsg ) {
$show = battlestar;
}

function get_show($show,$exact="",$episode) {

if ( !$show ) { return false; }

if ( $fp = fopen("http://www.tvrage.com/quickinfo.php?show=".urlencode($show)."&ep=".urlencode($episode)."&exact=".urlencode($exact),"r") )
{
while ( !feof($fp))
{
$line = fgets($fp,1024);
list ($sec,$val) = explode('@',$line,2);
if ($sec == "Show Name" )
{
$ret[0] = $val;
}
elseif ( $sec == "Show URL" )
{
$ret[1] = $val;
}
elseif ( $sec == "Premiered" )
{
$ret[2] = $val;
}
elseif ($sec == "Country" )
{
$ret[7] = $val;
}
elseif ( $sec == "Status" )
{
$ret[8] = $val;
}
elseif ( $sec == "Classification" )
{
$ret[9] = $val;
}

elseif ( $sec == "Latest Episode" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[3] = $ep.", \"".$title."\" aired on ".$airdate;
}
elseif ( $sec == "Next Episode" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[4] = $ep.", \"".$title."\" airs on ".$airdate;
}
elseif ( $sec == "Episode Info" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[5] = $ep.", \"".$title."\" aired on ".$airdate;
}
elseif ( $sec == "Episode URL" )
{
$ret[6] = $val;
}
}
fclose($fp);
if ( $ret[0] )
{
return $ret;
}
}
else
{
return FALSE;
}
}


$show_info = get_show($show,"0",$ep); /*moved here*/
if ( $show_info[0] == '' ) {
echo "Show not found";
}
else {
/* $show_info = get_show("$show","0","1x2"); < this was here before */


echo "Show Name : $show_info[0]Episode Information : $show_info[5]Episode URL : $show_info[6]";

if ( $show == "stargate" ) {
echo "Use !summary for a summary of this episode";
}
elseif ( $show == "atlantis" ) {
echo "Use !summary for a summary of this episode";
}
elseif ( $show == "battlestar" ) {
echo "Use !summary for a summary of this episode";
}
elseif ( $show == "scrubs" ) {
echo "Use !summary for a summary of this episode";
}
}
?>


<?php
$show = $HTTP_GET_VARS['show'];
$ep = $HTTP_GET_VARS['ep'];
$doshow = 0;


if ( $show == sga ) {
$show = atlantis;
$dosum = 1;
}

if ( $show == sg1 ) {
$show = stargate;
$dosum = 1;
}

if ( $show == bsg ) {
$show = battlestar;
$dosum = 1;
}

if ( $show == 'stargate' || $show == 'atlantis'|| $show == 'battlestar' || $show == 'scrubs' || $show == 'lost') {
$dosum = 1;
}

function get_show($show,$exact="",$episode) {

if ( !$show ) { return false; }

if ( $fp = fopen("http://www.tvrage.com/quickinfo.php?show=".urlencode($show)."&ep=".urlencode($episode)."&exact=".urlencode($exact),"r") )
{
while ( !feof($fp))
{
$line = fgets($fp,1024);
list ($sec,$val) = explode('@',$line,2);
if ($sec == "Show Name" )
{
$ret[0] = $val;
}
elseif ( $sec == "Show URL" )
{
$ret[1] = $val;
}
elseif ( $sec == "Premiered" )
{
$ret[2] = $val;
}
elseif ($sec == "Country" )
{
$ret[7] = $val;
}
elseif ( $sec == "Status" )
{
$ret[8] = $val;
}
elseif ( $sec == "Classification" )
{
$ret[9] = $val;
}

elseif ( $sec == "Latest Episode" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[3] = $ep.", \"".$title."\" aired on ".$airdate;
}
elseif ( $sec == "Next Episode" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[4] = $ep.", \"".$title."\" airs on ".$airdate;
}
elseif ( $sec == "Episode Info" )
{
list ($ep,$title,$airdate) = explode('^',$val);
$ret[5] = $ep.", \"".$title."\" aired on ".$airdate;
}
elseif ( $sec == "Episode URL" )
{
$ret[6] = $val;
}
}
fclose($fp);
if ( $ret[0] )
{
return $ret;
}
}
else
{
return FALSE;
}
}


$show_info = get_show($show,"0",$ep);
if ( $show_info[0] == '' ) {
echo "Show not found";
}
else {
if ( $show_info[5] == '' ) {
echo "Episode information not found, did you type in the correct line, try !summary help";
}
else {

/* $show_info = get_show("$show","0","1x2"); < this was here before */

echo "Show Name : $show_info[0]Episode Information : $show_info[5]Episode URL : $show_info[6]";

echo "Summary for $show $ep : ";

if ( $dosum == 1 ) {

$db = mysql_connect("localhost", "semaja2_show", showpass);

mysql_select_db(semaja2_show,$db);


$sql = "SELECT * FROM $show WHERE ep='$ep'";

$result = mysql_query($sql);

$row = mysql_fetch_array($result) ;



echo $row['summary'];

}

else {
echo "Full Summary not avalable";
}

print "\nuse !show $show to find more information about this show";
}
}
?>

lavinpj1
06-21-2006, 12:11 PM
"Secure it"? Against what? Wild animals?

semaja2
06-21-2006, 12:49 PM
Well are there any bugs or loop holes that could allow a attacker to damage the mysql database or bring down the server, simply things like that

PS. yes and wild animals....damn racoons