[PHP] Anti SQL Injection Script

Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
Well, to start things off, this is a modded version of one that was posted by someone else...I forgot his name, but if you search for it, I'm sure you could find it. I've added more things to it to make it more secure and reliable. Here they are:

PHP:
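// Anti-SQL Injection
function check_inject()
  {
    // Characters and keywords that are rejected
    $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-");
  
    foreach($_POST as $value)
    {
      // The whole submitted value is one of the listed entries
      if(in_array($value, $badchars))
      {
        die("SQL Injection Detected\n<br />\nIP: ".$_SERVER['REMOTE_ADDR']);
      }
      else
      {
        // Split the value into single characters. PREG_SPLIT_OFFSET_CAPTURE
        // returned array(char, offset) pairs, which in_array() never matched
        // against the strings in $badchars, so PREG_SPLIT_NO_EMPTY is used.
        $check = preg_split("//", $value, -1, PREG_SPLIT_NO_EMPTY);
        foreach($check as $char)
        {
          if(in_array($char, $badchars))
          {
            die("SQL Injection Detected\n<br />\nIP: ".$_SERVER['REMOTE_ADDR']);
          }
        }
      }
    }
  }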

This also works faster by a few milliseconds. This is the first of many PHP releases that I will be making to RaGEZONE. I use this very same script on the KolieMU site (soon to come). I hope you enjoy it.

[N]asser` ~ Out
 
Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
No problem.

[N]asser` ~ Out
 
Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
I've also newly added a new character into the array..."-". If you have this script check for injection on your stats adder, it should stop the - bug.

[N]asser` ~ Out
 
Newbie Spellweaver
Joined
Aug 18, 2004
Messages
77
Reaction score
0
I don't know why people continue using this type of anti-sql-inject, I use this:
Code:
if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
	echo("SQL Injection Detected");
}
 
Junior Spellweaver
Loyal Member
Joined
Dec 27, 2004
Messages
108
Reaction score
16
DataMatrix said:
I don't know why people continue using this type of anti-sql-inject, I use this:
Code:
if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
	echo("SQL Injection Detected");
}
hahhahaha hahahaha that Echo will not protect a thing :)
 
Banned
Banned
Joined
Apr 16, 2005
Messages
9
Reaction score
0
But I didn't understand how I put this :( Where do I need to do something?
 
Newbie Spellweaver
Joined
Aug 18, 2004
Messages
77
Reaction score
0
Hmm, echo does the job on my server, but thanks for the tip, I'll change to die.

themad said:
hahhahaha hahahaha that Echo will not protect a thing :)

PS: Was there any need in that big gay butt laugh?
 
Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
Yea, it was fun. By the way, this script is very effective, even though very simple.

[N]asser` ~ Out
 
Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
Nemesiz said:
To protect from SQL injection, I think you need to check the length of the login and password.

Why? You know what injection is, right? Here's an example...in a form that submits to your db, for example your login, you put this:

Username: bob; DROP TABLE Character;

Yea, that's basically it and that's what my script protects you against.

[N]asser` ~ Out
 
Initiate Mage
Joined
Oct 5, 2004
Messages
1
Reaction score
0
DataMatrix said:
I don't know why people continue using this type of anti-sql-inject, I use this:
Code:
if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
	echo("SQL Injection Detected");
}
Don't you think you should use exit()?
Code:
if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
	echo("SQL Injection Detected");
	exit();
}
exit() stops the script. So after detecting SQL injection, the script stops and nothing happens :p~
 
Newbie Spellweaver
Joined
Mar 24, 2004
Messages
30
Reaction score
0
[N]asser, "bob; DROP TABLE Character;" is 26 symbols. The username max is 10 symbols. Even if a player enters his name as "mylonglongname", which is 14 symbols, SQL inserts only 10. To protect from SQL injection and bugs, the username needs to be checked using eregi("[^a-z0-9_-]", $memb___id) (if you use capital letters you create a bug).
If a player wants to use the username "drop", your $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-"); doesn't help him.

fancy, what do you think die() does?
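
The length limit and character allowlist argued for in the post above, combined with a bound query parameter, as an added example that is not part of the thread or any poster's code. `validate_login()`, `find_account()`, the `accounts` table and the in-memory SQLite database are assumptions made for the demo; the 10-character limit is the one stated in the post.

```php
<?php
// Added example: allowlist validation plus a bound parameter.
// validate_login() and find_account() are hypothetical names; the table
// layout is constructed for the demo and uses in-memory SQLite via PDO.

function validate_login(string $value, int $maxLen = 10): bool
{
    // Allowlist: 1..$maxLen characters from a-z, A-Z, 0-9, "_" and "-".
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    return preg_match('/\A[a-zA-Z0-9_-]{1,' . $maxLen . '}\z/', $value) === 1;
}

function find_account(PDO $db, string $id): ?array
{
    if (!validate_login($id)) {
        return null; // rejected before the value gets anywhere near SQL
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT memb___id FROM accounts WHERE memb___id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (memb___id TEXT PRIMARY KEY)');
$db->exec("INSERT INTO accounts VALUES ('drop'), ('bob')");

// Constructed sample inputs, taken from the strings quoted in the thread.
$samples = ['bob', 'drop', 'mylonglongname', 'bob; DROP TABLE Character;'];
foreach ($samples as $input) {
    $valid = validate_login($input) ? 'valid' : 'rejected';
    $found = find_account($db, $input) !== null ? 'found' : 'no row';
    printf("%-28s %-9s %s\n", $input, $valid, $found);
}
```

The username `drop` passes because the allowlist looks only at characters and length, not SQL keywords, and the bound parameter means the value is never parsed as SQL.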
 
Junior Spellweaver
Loyal Member
Joined
Dec 27, 2004
Messages
108
Reaction score
16
or just this
PHP:
if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
	die("<font color=red><b>SQL Injection Detected</b></font>");
}
 
Banned
Banned
Joined
Apr 16, 2005
Messages
9
Reaction score
0
[I REPEAT] But I didn't understand how I put this. Where do I need to do something?
 
Divine Celestial
Loyal Member
Joined
Nov 11, 2004
Messages
810
Reaction score
0
messmaker said:
[I REPEAT] But I didn't understand how I put this. Where do I need to do something?

Put the code I gave you in a page and save it as functions.php...Then on whichever page you want to call the script, use this:

PHP:
include_once('functions.php');
check_inject();

That's about it.

[N]asser` ~ Out
 
Banned
Banned
Joined
Apr 16, 2005
Messages
9
Reaction score
0
Quote:
Originally Posted by messmaker
[I REPEAT] But I didn't understand how I put this. Where do I need to do something?


Put the code I gave you in a page and save it as functions.php...Then on whichever page you want to call the script, use this:

PHP Code:
include_once('functions.php');
check_inject();
But tell me, I understand I put it in a page with that script, named functions.php, but... this I didn't understand
PHP Code:
include_once('functions.php');
check_inject();
 