MSSQL Anti Injection

A v a r a · Jan 19, 2016

Any thoughts how to prevent this?

Taiga · Jan 19, 2016

You use prepared statements.

A v a r a · Jan 19, 2016

CodeDragon said:
You use prepared statements.

Unfortunately I don't have any idea how to make one. If you don't mind, can you share some links here in RaGEZONE that most likely you recommend to be use which is also effective?

John · Jan 21, 2016

Through the game, the web or how?

A v a r a · Jan 21, 2016

John said:
Through the game, the web or how?

Web in Ranking page.

John · Jan 22, 2016

A v a r a said:
Web in Ranking page.

Use a function:

PHP:

function antiinjectsql($tzgd){
    /* Function anti sql injection by Amir Torrez */
    $bn = array ("==", , "%s", "or 1", "'", "select", "insert", "from", "where", "exec", "0x", "set", "declare", "sql", '"');
    $tzgd = preg_replace ($bn,'', $tzgd);
    return $tzgd;
};

Call the function in the variables, example:

PHP:

$dios = antiinjectsql($_GET['dios']);

Use it in any variables, for example, GET and POST.

WildHunt · Jan 22, 2016

John said:
Use a function:

PHP:

function antiinjectsql($tzgd){ /* Function anti sql injection by Amir Torrez */ $bn = array ("==", , "%s", "or 1", "'", "select", "insert", "from", "where", "exec", "0x", "set", "declare", "sql", '"'); $tzgd = preg_replace ($bn,'', $tzgd); return $tzgd; };

Call the function in the variables, example:

PHP:

$dios = antiinjectsql($_GET['dios']);

Use it in any variables, for example, GET and POST.

Para evitar llamar la funcion en cada variable se puede usar lo siguiente usando tu función:

foreach( $_GET as $variable => $valor ){
$_GET [ $variable ] = antiinjectsql($_GET [ $variable ]);
}

foreach( $_POST as $variable => $valor ){
$_POST [ $variable ] = antiinjectsql($_POST [ $variable ]);
}

Y se incluye este archivo en el config o al inicio de la web.

Saludos!

John · Jan 22, 2016

WildHunt said:
Para evitar llamar la funcion en cada variable se puede usar lo siguiente usando tu función:

Y se incluye este archivo en el config o al inicio de la web.

Saludos!

Exactamente, aunque prefiero manual, debido al contenido de algunas otras variables, pero es a gusto del consumidor.

!= Exactly, although I prefer manually, due to the content of some other variables, but it is to consumer tastes.

SheenBR · Jan 22, 2016

Don't use an array with badwords. Instead, use what we call as "parameterized query". It is very simple and can help you.

WildHunt · Jan 22, 2016

Tuve problemas igualmente con unas variables, por ejemplo con el reCaptcha. Pero eso se puede solucionar con esto:

!= I had problems with some variables, for example with reCaptcha. But that can be fixed with this:

PHP:

foreach( $_POST as $variable => $valor ){ 
    if ($variable=='g-recaptcha-response') { 
        continue;
    }
$_POST [ $variable ] = anti_injection($_POST [ $variable ]); 
}

PD: Tendre cuidado con los gringoliebers

Welcome!

MSSQL Anti Injection

A v a r a

Tantra Freelancer

Taiga

◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜

A v a r a

Tantra Freelancer

John

Skilled Illusionist

A v a r a

Tantra Freelancer

John

Skilled Illusionist

WildHunt

Newbie Spellweaver

John

Skilled Illusionist

SheenBR

Moderator

WildHunt

Newbie Spellweaver

About Us

Online statistics

Forum statistics

RaGEZONE Sponsor