Need anti SQL function

  1. #1
    Account Upgraded | Title Enabled! rhys918 is offline
    MemberRank
    Apr 2009 Join Date
    EnglandLocation
    377Posts

    Need anti SQL function

    Hi, is it possible for someone to inject the Gunz database through the admin panel if they aren't an admin?
    Could you provide me with an anti-SQL function?
    Like, write the code so all I need to do is copy it to my www, e.g. index.php of the panel.
    Or where can I find one? I tried Google and only found one good one, the

    //This prevents SQL Code injection / XSS Attacks.

    // Strip the characters * | ; ` from a string.
    function replace_meta_chars($string){
        return preg_replace("/([*])|([|])|([;])|([`])/","",$string);
    }

    // Send an alert mail if any request value contains * | or ;
    foreach($_REQUEST as $keyx => $valuex){
        if(preg_match("/([*])|([|])|([;])/",$valuex)){
            mail("camilo@cancun.com","Hack Alert","There's been a SQL Injection hacking attempt. {$_SERVER['HTTP_REFERER']} {$_SERVER['REMOTE_ADDR']}","From: core@cancun.com\r\nBcc: bernhardx@cancun.com");
        }
    }

    // Copy each filtered request value into a variable named after its key,
    // then print the key and the unfiltered value to the page.
    foreach($_REQUEST as $keyx => $valuex){
        ${$keyx} = replace_meta_chars($valuex);
        echo "$keyx $valuex
    ";
    }
    //end anti SQL XSS script.

    Note: Initially I used the escapeshellcmd() function, but we discovered it was messing with our e-commerce site, as it nukes EVERY metacharacter, including some that are used in credit card transactions; so I had to develop a little function that only nukes what I tell it to. :)

    But it just showed up on the page saying it, so I don't think it worked.


  2. #2
    Mako is insane. ThePhailure772 is offline
    MemberRank
    Sep 2007 Join Date
    1,115Posts

    Re: Need anti SQL function

    Learn to search.

  3. #3
    Apprentice streetkiller is offline
    MemberRank
    Oct 2008 Join Date
    17Posts

    Re: Need anti SQL function

    Use the search function or Google.

  4. #4
    Account Upgraded | Title Enabled! Testing-NLG is offline
    MemberRank
    Dec 2008 Join Date
    NetherlandsLocation
    357Posts

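    Re: Need anti SQL function

    Most people use this one:
    PHP Code:

    //antisql
    function antisql($sql) {
    // Remove SQL keywords and comment markers.
    // (sql_regcase() was removed in PHP 7; the /i flag gives the same case-insensitive match)
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|--|\\\\)/i","",$sql);
    $sql = trim($sql); // strip leading and trailing whitespace
    $sql = strip_tags($sql); // strip HTML and PHP tags
    $sql = addslashes($sql); // backslash-escape quotes
    return $sql;
    }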

  5. #5
    Account Upgraded | Title Enabled! rhys918 is offline
    MemberRank
    Apr 2009 Join Date
    EnglandLocation
    377Posts

    Re: Need anti SQL function

    Cheers dude, if I put this in index.php of the panel,
    will I then stop people injecting?

  6. #6
    Account Upgraded | Title Enabled! alfredao is offline
    MemberRank
    Jan 2008 Join Date
    Coronel FabriciLocation
    705Posts

    Re: Need anti SQL function

    [php]//Anti SQL injection
    function antisql($sql)
    {
    // Removes words that contain SQL syntax.
    $sql = preg_replace("/(from|update|set|select|insert|delete|where|drop table|show tables|=|#|\|*|--|\\\\)/i","",$sql); //Replaces some parts of the SQL with absolutely nothing.
    $sql = trim($sql); //Remove Espa

  7. #7
    Account Upgraded | Title Enabled! Testing-NLG is offline
    MemberRank
    Dec 2008 Join Date
    NetherlandsLocation
    357Posts

    Re: Need anti SQL function

    [QUOTE=alfredao;4978520][php]//Anti SQL injection
    function antisql($sql)
    {
    // Removes words that contain SQL syntax.
    $sql = preg_replace("/(from|update|set|select|insert|delete|where|drop table|show tables|=|#|\|*|--|\\\\)/i","",$sql); //Replaces some parts of the SQL with absolutely nothing.
    $sql = trim($sql); //Remove Espa

  8. #8
    Account Upgraded | Title Enabled! Kyuma is offline
    MemberRank
    Aug 2008 Join Date
    At HomeLocation
    350Posts

    Re: Need anti SQL function

    That's why, alfredao..

    I tried one query on your web [ UNPROTECT WEB ]

    But when I tried the query at CLAN EMBLEM Uploader

    it says : " VO

  9. #9
    Account Upgraded | Title Enabled! alfredao is offline
    MemberRank
    Jan 2008 Join Date
    Coronel FabriciLocation
    705Posts

    Re: Need anti SQL function

    Here in English

    PHP Code:
    //Anti SQL injection.
    function antisql($sql)
    {
    // Remove words that contain SQL syntax
    // (sql_regcase() was removed in PHP 7; the /i flag gives the same case-insensitive match)
    $sql = preg_replace("/(from|update|set|character|clan|account|name|opened|=|serverstatus|indexcontent|account|level|select|insert|delete|where|drop table|show tables|#|\|*|--|\\\\)/i","",$sql); //Replaces some parts of a SQL query with absolutely nothing.
    $sql = trim($sql); //Strips leading and trailing whitespace
    $sql = strip_tags($sql);//Php and html tags strip
    $sql = addslashes($sql);//Adds backslashes to one string
    $sql = stripcslashes($sql); //Un-quote string quoted with addcslashes
    $sql = stripslashes($sql); //Un-quotes a quoted string
    $sql = htmlspecialchars($sql); //Convert special characters to HTML entities
    $sql = quotemeta($sql); //Quote meta characters
    return $sql;
    }


  10. #10
    Account Upgraded | Title Enabled! Testing-NLG is offline
    MemberRank
    Dec 2008 Join Date
    NetherlandsLocation
    357Posts

    Re: Need anti SQL function

    Quote Originally Posted by alfredao View Post
    Here in English

    PHP Code:
    //Anti SQL injection.
    function antisql($sql)
    {
    // Remove words that contain SQL syntax
    $sql = preg_replace("/(from|update|set|character|clan|account|name|opened|=|serverstatus|indexcontent|account|level|select|insert|delete|where|drop table|show tables|#|\|*|--|\\\\)/i","",$sql); //Replaces some parts of a SQL query with absolutely nothing.
    $sql = trim($sql); //Strips leading and trailing whitespace
    $sql = strip_tags($sql);//Php and html tags strip
    $sql = addslashes($sql);//Adds backslashes to one string
    $sql = stripcslashes($sql); //Un-quote string quoted with addcslashes
    $sql = stripslashes($sql); //Un-quotes a quoted string
    $sql = htmlspecialchars($sql); //Convert special characters to HTML entities
    //$sql = quotemeta($sql); //Quote meta characters
    return $sql;
    }

    Thanks <3
    May I use this one as well :) ?

  11. #11
    Account Upgraded | Title Enabled! Trilest is offline
    MemberRank
    Apr 2009 Join Date
    The NetherlandsLocation
    549Posts

    Re: Need anti SQL function

    Quote Originally Posted by rhys918 View Post
    Cheers dude, if I put this in index.php of the panel,
    will I then stop people injecting?
    Yes it will stop the injections in ur site ;)

    But you will also need to add it at every post like:

    PHP Code:
    $blabla = $_POST['blabla'];
    Will have to be
    PHP Code:
    $blabla = antisql($_POST['blabla']);

  12. #12
    Praise the Sun! Solaire is offline
    MemberRank
    Dec 2007 Join Date
    Undead BurgLocation
    2,862Posts

    Re: Need anti SQL function

    Quote Originally Posted by alfredao View Post
    Here in English

    PHP Code:
    //Anti SQL injection.
    function antisql($sql)
    {
    // Remove words that contain SQL syntax
    $sql = preg_replace("/(from|update|set|character|clan|account|name|opened|=|serverstatus|indexcontent|account|level|select|insert|delete|where|drop table|show tables|#|\|*|--|\\\\)/i","",$sql); //Replaces some parts of a SQL query with absolutely nothing.
    $sql = trim($sql); //Strips leading and trailing whitespace
    $sql = strip_tags($sql);//Php and html tags strip
    $sql = addslashes($sql);//Adds backslashes to one string
    $sql = stripcslashes($sql); //Un-quote string quoted with addcslashes
    $sql = stripslashes($sql); //Un-quotes a quoted string
    $sql = htmlspecialchars($sql); //Convert special characters to HTML entities
    $sql = quotemeta($sql); //Quote meta characters
    return $sql;
    }

    LOLLOL, you're removing the slashes added by PHP or addslashes(), which makes you VULNERABLE.

  13. #13
    Account Upgraded | Title Enabled! Trilest is offline
    MemberRank
    Apr 2009 Join Date
    The NetherlandsLocation
    549Posts

    Re: Need anti SQL function

    Quote Originally Posted by Wizkidje View Post
    LOLLOL, you're removing the slashes added by PHP or addslashes(), which makes you VULNERABLE.
    Which one would you suggest then?
    The one I posted in this thread ;O ?

  14. #14
    Praise the Sun! Solaire is offline
    MemberRank
    Dec 2007 Join Date
    Undead BurgLocation
    2,862Posts

    Re: Need anti SQL function

    Quote Originally Posted by Trilest View Post
    Which one would you suggest then?
    The one I posted in this thread ;O ?
    Yes. It's kinda out of date, but it provides basic protection.

  15. #15
    Account Upgraded | Title Enabled! Trilest is offline
    MemberRank
    Apr 2009 Join Date
    The NetherlandsLocation
    549Posts

    Re: Need anti SQL function

    Quote Originally Posted by Wizkidje View Post
    Yes. It's kinda out of date, but it provides basic protection.
    Oh ok, then I'm safe :)

  16. #16
    Account Upgraded | Title Enabled! rhys918 is offline
    MemberRank
    Apr 2009 Join Date
    EnglandLocation
    377Posts

    Re: Need anti SQL function

    Quote Originally Posted by Trilest View Post
    Yes it will stop the injections in ur site ;)

    But you will also need to add it at every post like:

    PHP Code:
    $blabla = $_POST['blabla'];
    Will have to be
    PHP Code:
    $blabla = antisql($_POST['blabla']);
    So what do I do, add that main anti sql? Well, I'm doing it for my adminpanel v3 by emisand

    So do I add the anti sql function to index.php

    And that's it?

  17. #17
    Account Upgraded | Title Enabled! katsumi is offline
    MemberRank
    Oct 2008 Join Date
    Earth ??Location
    592Posts

    Re: Need anti SQL function

    Quote Originally Posted by john_d View Post
    Here are some Easy Ways To protect Your website .. from Different Types of Security Holes.

    A. SQL INJECTIONS



    B. STOPPING OFF DOMAIN TRANSACTIONS


    C. Adding a Simple Auto File Logger To your Website

    This is to catch those hacking attempts on a FILE! The anti Sql Injector already has its Own Logging system.. but this is for those other stuff u want to log. like for example. The Referral Check.

    here is the main function for the logger (u need to put this somewhere on ur php file a global insert file)
    PHP Code:
    // Append one line describing the current request to "<type>.txt".
    function filelogs($type, $info, $muser) {
        $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
        $uri = $_SERVER['REQUEST_URI'];
        $ip = $_SERVER['REMOTE_ADDR'];
        $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
        $dtime = date('r');

        if($ref == ""){
            $ref = "None";
        }
        // The posted code tested $user here, which is never set; the parameter is $muser.
        if($muser == ""){
            $muser = "None";
        }
        $location = "/";
        $type = $location . $type . ".txt";
        $entry_line = "$dtime - IP: $ip | Agent: $agent  | URL: $uri | Referrer: $ref | Username: $muser | Query : $info \n";
        $fp = fopen("$type", "a");
        fputs($fp, $entry_line);
        fclose($fp);
    }
    How to Use is like Simple Like this

    PHP Code:
       filelogs('filename', $additionalinfo, $theusername);
    filename = just to separate from one kind of logs to another
    $additionalinfo = this is some info u wanna include in the logs like queries or the current referrer's address
    $theusername = if u have cookies.. u can put them here.. so ull know who to ban for this acts.

    A sample script.. this is combined with the Referral Filter on B

    PHP Code:
    if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
        // Log the rejected request, then stop.
        filelogs('account-creat', $_SERVER['HTTP_REFERER'], $_POST['Member_ID']);
        die ( 'Hacking attempt. Your are such a Nooby!.. ' );
    }
    I'll do more later.. Just ask here if u wanna me to do any kind of protection.

    Link --> http://forum.ragezone.com/f196/guide...tection-50180/

  18. #18
    Account Upgraded | Title Enabled! Trilest is offline
    MemberRank
    Apr 2009 Join Date
    The NetherlandsLocation
    549Posts

    Re: Need anti SQL function

    Quote Originally Posted by rhys918 View Post
    So what do I do, add that main anti sql? Well, I'm doing it for my adminpanel v3 by emisand

    So do I add the anti sql function to index.php

    And that's it?
    You put the function of antisql in your script.
    and then you replace all the
    PHP Code:
    $_POST['']; 
    and
    PHP Code:
    $_GET['']; 
    with
    PHP Code:
     antisql($_POST['']); 
    and
    PHP Code:
     antisql($_GET['']); 
    Good luck

  19. #19
    Account Upgraded | Title Enabled! rhys918 is offline
    MemberRank
    Apr 2009 Join Date
    EnglandLocation
    377Posts

    Re: Need anti SQL function

    Quote Originally Posted by Trilest View Post
    You put the function of antisql in your script.
    and then you replace all the
    PHP Code:
    $_POST['']; 
    and
    PHP Code:
    $_GET['']; 
    with
    PHP Code:
     antisql($_POST['']); 
    and
    PHP Code:
     antisql($_GET['']); 
    Good luck
    What do you mean? So put the anti sql function in index.php

    and what do you mean, replace?

  20. #20
    Account Upgraded | Title Enabled! Trilest is offline
    MemberRank
    Apr 2009 Join Date
    The NetherlandsLocation
    549Posts

    Re: Need anti SQL function

    Quote Originally Posted by rhys918 View Post
    What do you mean? So put the anti sql function in index.php

    and what do you mean, replace?
    Just like I've said ....

    if you have a $_POST['']; replace that with antisql($_POST['']);

    if you have a $_GET['']; replace that with antisql($_GET['']);
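
An added example, not code from any poster in the thread: it runs the filter chain from post #9 on three constructed, harmless names to show the effect Solaire points out in post #12 and what the keyword stripping does to ordinary data, then stores the same names through PDO bound parameters instead of wrapping every `$_POST`/`$_GET` value. The function names, the `players` table and the in-memory SQLite database are assumptions made for the demonstration; the panel's real database will differ.

```php
<?php
// Added example, not code from the thread. Function, table and column names are hypothetical.

// Post #9's chain: "=" restored, sql_regcase() replaced by the /i flag (PHP 7+).
function antisql_post9(string $sql): string
{
    $sql = preg_replace("/(from|update|set|character|clan|account|name|opened|=|serverstatus|indexcontent|account|level|select|insert|delete|where|drop table|show tables|#|\|*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);     // puts a backslash in front of each quote
    $sql = stripcslashes($sql);  // takes that backslash away again
    $sql = stripslashes($sql);
    $sql = htmlspecialchars($sql, ENT_COMPAT); // ENT_COMPAT was the default before PHP 8.1
    return quotemeta($sql);
}

// Bound parameters: the value travels separately from the SQL text,
// so nothing has to be stripped or escaped before storing it.
function store_and_fetch(PDO $db, string $name): string
{
    $db->prepare('INSERT INTO players (name) VALUES (:name)')->execute([':name' => $name]);
    $find = $db->prepare('SELECT name FROM players WHERE name = :name');
    $find->execute([':name' => $name]);
    return (string) $find->fetchColumn();
}

// In-memory SQLite stands in for the panel's real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (name TEXT)');

// Constructed, harmless inputs: ordinary names a player might choose.
foreach (["O'Brien", "Sunset", "Level99"] as $name) {
    $filtered = antisql_post9($name);
    $stored   = store_and_fetch($db, $name);
    printf("input %-8s filter chain: %-8s bound parameter: %s\n", $name, $filtered, $stored);
    // HTML-escape only at output time, e.g. htmlspecialchars($stored, ENT_QUOTES, 'UTF-8').
}
```

The filter chain hands the apostrophe back unescaped and shortens the other two names, while the bound-parameter path stores all three unchanged.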


