MIVA® SNIPPETS: Variable Firewall
from Ray Hader, modified by Ivo Truxa, July/2000
Ray wrote a nice script that checks ALL variables (even those you do not know about) for malicious code. More precisely, it checks that they do not contain any of the forbidden characters that could be used to break into your script or data area. I made just a few enhancements, fixes and code optimizations. You may also check Ray's website; maybe he has made more changes to it in the meantime.
Originally he had it here: http://www.scripts.idesigns.net/check_variables.htm
<MIVA STANDARDOUTPUTLEVEL="html,text,compresswhitespace" DEFAULTMACROENCODING="entities">
<MvASSIGN NAME="l.end" VALUE="{makesessionid()}">
<MvASSIGN NAME="var_list" VALUE="{glosub('dummy123,' $ miva_getvarlist('l') $ ','
$ miva_getvarlist('g') $ ','
$ miva_getvarlist('s') $ ','
$ l.end, ',,', ',')}">
<MvASSIGN NAME="l.exc" VALUE="arg2,dyn_stm_zone,http_User_Agent,query_string,hton,htoff,">
<MvASSIGN NAME="l.nr" VALUE="1">
<MvASSIGN NAME="l.forbidden" VALUE="<>[]{}()'\"&">
<MvWHILE EXPR="{var_list}">
<MvASSIGN NAME="vartemp" VALUE="{gettoken(var_list,',',l.nr)}">
<MvASSIGN NAME="vartemp" VALUE="{gettoken(vartemp,l.forbidden,1)}">
<MvIF EXPR="{vartemp EQ l.end}"><MvWHILESTOP></MvIF>
<MvIF EXPR="{len(vartemp)}">
<MvIF EXPR="{len(&[vartemp];) GT len(gettoken(&[vartemp];,l.forbidden,1))
AND NOT ((vartemp $ ',') CIN l.exc)}">
<MvEVAL EXPR="{hacker_error('The <I>' $ l.forbidden $
'</I> symbols are not allowed in any field')}">
</MvIF>
</MvIF>
<MvASSIGN NAME="l.nr" VALUE="{l.nr+1}">
</MvWHILE>
<MvCOMMENT>******************************************************************
| hacker_error stops the script display if illegal chars have been found
*****************************************************************</MvCOMMENT>
<MvFUNCTION NAME="hacker_error" PARAMETERS="string_in">
<HTML><HEAD><TITLE>Errors in data</TITLE></HEAD>
<BODY BGCOLOR="000000" TEXT="FF0000">
<H3><MvEVAL EXPR="{string_in}"></H3>
<H4>Please use your "Back" button to return to the form and correct the form</H4>
</BODY></HTML>
<MvEXIT>
</MvFUNCTION>
You may simply add characters to the l.forbidden variable (or remove some) to make the function more or less strict. Normally, if you program carefully, it is not necessary to put such strong restrictions on variable values.
Some system variables may legitimately contain some of the forbidden characters. Put them on the exception list l.exc, but be aware that every exempted variable is an unchecked input and may be a nice back door for a hacker. Be especially careful with callerid and all the http system variables!
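The same check, ported to Python as an added example (this is not the page's MivaScript and not Ray's or Ivo's code): it walks every variable of the l, g and s scopes, reports those containing a forbidden character, and honours an exception list. Unlike the CIN test above, which matches by substring, this port matches exception names exactly; the scope dictionaries, sample values and the check_variables helper are constructed for the example.

```python
# Added example, not from the page: a Python port of the MivaScript
# "variable firewall". Forbidden set and exception names are those used on
# the page; the sample request below is constructed.

FORBIDDEN = set("<>[]{}()'\"&")                       # same as l.forbidden
EXCEPTIONS = {"arg2", "dyn_stm_zone", "http_user_agent",   # same as l.exc
              "query_string", "hton", "htoff"}


def first_forbidden(value):
    """Return the first forbidden character in value, or None.

    Equivalent of the page's len(v) GT len(gettoken(v, forbidden, 1)) test:
    gettoken() returns the text before the first delimiter character, so a
    shorter token means a forbidden character is present.
    """
    for ch in value:
        if ch in FORBIDDEN:
            return ch
    return None


def check_variables(scopes, exceptions=EXCEPTIONS):
    """scopes: {"l": {...}, "g": {...}, "s": {...}} mapping name -> value.

    Returns [(scope, name, offending_char), ...] for every variable that
    contains a forbidden character and is not on the exception list.
    Exceptions are matched by whole name (case-insensitively), so a name that
    is merely the tail of an exempted one (e.g. "rg2" vs "arg2") is checked.
    """
    hits = []
    for scope, variables in scopes.items():
        for name, value in variables.items():
            if name.lower() in exceptions:
                continue                      # exempt system variable, unchecked
            bad = first_forbidden(str(value))
            if bad is not None:
                hits.append((scope, name, bad))
    return hits


# Constructed sample request: a clean field, an injected field, an exempt
# system variable, and a field whose name resembles an exempt one.
SAMPLE = {
    "g": {"name": "Alice", "comment": "<script>alert(1)</script>",
          "http_user_agent": "Mozilla/5.0 (X11; Linux)", "rg2": "x&y"},
    "s": {"callerid": "shop.mv"},
}

if __name__ == "__main__":
    for scope, name, ch in check_variables(SAMPLE):
        print(f"{scope}.{name}: forbidden character {ch!r} found")
```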