[Request]Anti Inject SQL

  1. #1
    robertinh07 (Valued Member) | Join Date: Dec 2008 | Posts: 106

    [Request]Anti Inject SQL

    Well, I want a registro.php, config.php, clan ranking and player ranking with a PHP function that is 100% anti SQL injection,
    that is, if it isn't asking too much.
    This would help many people who come here after having been hacked, and even myself...
    Thanks in advance.
    This post was translated with Google Translate; I am Brazilian and I do not know much English.


  2. #2
    ~Fallen (Account Upgraded | Title Enabled!) | Join Date: Dec 2008 | Location: Behind you look Behind | Posts: 407

    Re: [Request]Anti Inject SQL

    learn how to use the search button some time?

    ok ok here you go


    PHP Code:
    function antisql($sql) {
        // Strip a blacklist of SQL keywords, case-insensitively. sql_regcase() was removed in
        // PHP 7, so the pattern is written as a delimited preg pattern with the /i flag instead.
        $sql = preg_replace("/(select|union|0x|cast|exec|varchar|insert into|delete from|update account|update login|update character|ugradeid|drop table|show tables)/i", "", $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        // addslashes() is the only step that actually escapes quotes and backslashes
        $sql = addslashes($sql);
        return $sql;
    }


  3. #3
    Guy (Account Upgraded | Title Enabled!) | Join Date: Apr 2009 | Posts: 919

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by ~Fallen View Post
    learn how to use the search button some time?

    ok ok here you go


    PHP Code:
    function antisql($sql) {
        // Strip a blacklist of SQL keywords, case-insensitively. sql_regcase() was removed in
        // PHP 7, so the pattern is written as a delimited preg pattern with the /i flag instead.
        $sql = preg_replace("/(select|union|0x|cast|exec|varchar|insert into|delete from|update account|update login|update character|ugradeid|drop table|show tables)/i", "", $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        // addslashes() is the only step that actually escapes quotes and backslashes
        $sql = addslashes($sql);
        return $sql;
    }

    Sigh, how many times will you kiddies have to be reminded that the above can create problems in many varying scenarios, and actually will waste system resources?

    A less resource-intensive option:

    Code:
    function sanitize_data ( $sql ) {
      // Whitelist: delete every character that is not a letter, digit or space
      return preg_replace( "/[^a-zA-Z0-9 ]/i", "", $sql );
    }
    Written by yours truly, credits not really needed considering the simplicity of it.
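To see what the two filters in the post above actually do, both to attacker input and to ordinary data, here is an added example that is not code from the thread. It redefines antisql() and sanitize_data() as posted (with the sql_regcase() call, removed in PHP 7, replaced by an equivalent /i pattern so the script runs on current PHP) and feeds them a handful of constructed inputs; the inputs and labels are made up for the demonstration.

```php
<?php
// Added example (not from the thread): run the two filters posted above against constructed
// inputs and print what survives. antisql() is as posted, except sql_regcase() (removed in
// PHP 7) is replaced by an equivalent /i pattern so the script runs on current PHP.
function antisql($sql) {
    $sql = preg_replace("/(select|union|0x|cast|exec|varchar|insert into|delete from|update account|update login|update character|ugradeid|drop table|show tables)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);
    return $sql;
}

// sanitize_data() as posted: delete every character except letters, digits and spaces.
function sanitize_data($sql) {
    return preg_replace("/[^a-zA-Z0-9 ]/i", "", $sql);
}

// Constructed inputs for the demonstration (not taken from any real attack log).
$cases = [
    // preg_replace makes one pass: removing the inner "select" leaves the outer one intact
    "nested keyword" => "selselectect",
    // no quotes and no blacklisted word, so antisql() has nothing to remove at all
    "numeric OR"     => "1 OR 1=1",
    // the classic quoted payload: addslashes() is what actually neutralises it
    "quoted OR"      => "x' OR 'a'='a",
    // ordinary data containing a quote
    "real name"      => "O'Brien",
];

foreach ($cases as $label => $input) {
    printf("%-15s %-16s | antisql: %-20s | sanitize_data: %s\n",
        $label, $input, antisql($input), sanitize_data($input));
}
```

Running it shows antisql("selselectect") returning select, so one nested copy of a keyword walks straight through the blacklist. "1 OR 1=1" is returned unchanged by antisql() and becomes "1 OR 11" under sanitize_data(); in a query built as WHERE id = ... without quotes, 11 is a non-zero value, so the condition is still true for every row. The quoted payload is only defused by the addslashes() step. sanitize_data() turns O'Brien into OBrien, silently corrupting legitimate data, while antisql() returns O\'Brien, which is only correct if the page is not also running magic quotes, or it gets escaped twice.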

  4. #4
    Guy (Account Upgraded | Title Enabled!) | Join Date: Apr 2009 | Posts: 919

    Re: [Request]Anti Inject SQL

    And to skip Wizkidje from complaining, here's the escaping for single/double quotes, backslashes, and tags:

    Code:
    function sanitize ( $data ) {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) )
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data );
     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data );
     return $data;
    }
    With comments and decent spacing, for readability:

    Code:
    function sanitize ( $data )
    {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) ) // If magic quotes haven't already escaped the input (the function no longer exists in PHP 8, so there this is always true)..
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data ); // ..escape backslashes first, then single and double quotes

     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data ); // Escape tags to prevent tag-injection

     return $data;
    }

  5. #5
    ~Fallen (Account Upgraded | Title Enabled!) | Join Date: Dec 2008 | Location: Behind you look Behind | Posts: 407

    Re: [Request]Anti Inject SQL

    hmmn i admit your right,,

  6. #6
    Shockdot1 (Infraction Banned) | Join Date: Oct 2008 | Posts: 67

    Re: [Request]Anti Inject SQL

    I am no pro at PHP and anti SQL injection.... But why not just block certain symbols that are needed for SQL injection methods from any inputs?

  7. #7
    Team Leopard (Apprentice) | Join Date: May 2009 | Location: Hidden. | Posts: 12

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by Shockdot1 View Post
    I am no pro at PHP and anti SQL injection.... But why not just block certain symbols that are needed for SQL injection methods from any inputs?
    Then do it.

    PHP Code:
    <?php
    // Crude check: refuse a submitted user id that is exactly the probe value x'
    if( $userid == "x'" ) die ("I see you there.");
    ?>
    And add all the other SQL inputs ("), ('), etc.
    But it's not a very safe way. There are numerous ways of stopping SQL injections; but the one posted above is better.
    Or just make the password field not allow more than 9 characters. (Stopping a full SQL query.) Once again, it's not that good.

  8. #8
    Guy (Account Upgraded | Title Enabled!) | Join Date: Apr 2009 | Posts: 919

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by Shockdot1 View Post
    I am no pro at PHP and anti SQL injection.... But why not just block certain symbols that are needed for SQL injection methods from any inputs?
    That is done - but sometimes, those symbols are desired by the user, which is why you can escape the symbols (e.g.: a single quote turns into a single quote with a backslash before it, so that the database knows to accept it as part of the data, not part of the query to be executed).

    Quote Originally Posted by Team Leopard View Post
    Then do it.

    PHP Code:
    <?php
    // Crude check: refuse a submitted user id that is exactly the probe value x'
    if( $userid == "x'" ) die ("I see you there.");
    ?>
    And add all the other SQL inputs ("), ('), etc.
    But it's not a very safe way. There are numerous ways of stopping SQL injections; but the one posted above is better.
    Or just make the password field not allow more than 9 characters. (Stopping a full SQL query.) Once again, it's not that good.
    That's not how you would do it - more so, it would be using regex to find if any non-permitted symbol (Which probably would only be a-z, A-Z, and 0-9) is found, and if so, to return an error.

  9. #9
    Team Leopard (Apprentice) | Join Date: May 2009 | Location: Hidden. | Posts: 12

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by gWX0 View Post
    That is done - but sometimes, those symbols are desired by the user, which is why you can escape the symbols (e.g.: a single quote turns into a single quote with a backslash before it, so that the database knows to accept it as part of the data, not part of the query to be executed).



    That's not how you would do it - more so, it would be using regex to find if any non-permitted symbol (Which probably would only be a-z, A-Z, and 0-9) is found, and if so, to return an error.
    What I've posted is just a common way of blocking a symbol/word/phrase; it can be used anywhere in any field. And it doesn't really have to return an error - a simple die(); can do it.

    But if you're 'aiming for perfection' yes, you would use a regex.

  10. #10
    wesman2232 (DRGunZ 2 Creator) | Join Date: Jan 2007 | Location: Erie, PA | Posts: 4,872

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by gWX0 View Post
    And to skip Wizkidje from complaining, here's the escaping for single/double quotes, backslashes, and tags:

    Code:
    function sanitize ( $data ) {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) )
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data );
     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data );
     return $data;
    }
    With comments and decent spacing, for readability:

    Code:
    function sanitize ( $data )
    {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) ) // If magic quotes haven't already escaped the input (the function no longer exists in PHP 8, so there this is always true)..
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data ); // ..escape backslashes first, then single and double quotes

     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data ); // Escape tags to prevent tag-injection

     return $data;
    }
    So that would be better than the one you originally said to use? Or does it matter? :P
    I'm talking about
    Code:
    function sanitize_data ( $sql ) {
      return preg_replace( "/[^a-zA-Z0-9 ]/i", "", $sql );
    }

  11. #11
    Solaire (Praise the Sun!) | Join Date: Dec 2007 | Location: Undead Burg | Posts: 2,862

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by gWX0 View Post
    And to skip Wizkidje from complaining, here's the escaping for single/double quotes, backslashes, and tags:

    Code:
    function sanitize ( $data ) {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) )
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data );
     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data );
     return $data;
    }
    With comments and decent spacing, for readability:

    Code:
    function sanitize ( $data )
    {
     if ( ! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ( ) ) // If magic quotes haven't already escaped the input (the function no longer exists in PHP 8, so there this is always true)..
       $data = str_replace ( Array ( '\\', '\'', '"' ), Array ( '\\\\', '\\\'', '\\"' ), $data ); // ..escape backslashes first, then single and double quotes

     $data = str_replace ( Array ( '>', '<' ), Array ( '&gt;', '&lt;' ), $data ); // Escape tags to prevent tag-injection

     return $data;
    }
    That function does it all, great release.

    -edit-

    Well, that function isn't good enough. Queries will still work.

  12. #12
    Guy (Account Upgraded | Title Enabled!) | Join Date: Apr 2009 | Posts: 919

    Re: [Request]Anti Inject SQL

    Quote Originally Posted by Wizkidje View Post
    That function does it all, great release.

    -edit-

    Well, that function isn't good enough. Queries will still work.
    They will where quotes aren't used - to prevent attacks of that form, you'd have to remove spaces.

    Other than that, I didn't test the function at all - if something is escaped improperly, feel free to modify and re-post as needed.
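The post above concedes that quote escaping still lets a query through where the value isn't quoted, and suggests removing spaces. The reliable fix for that case is not to strip characters but to stop building SQL out of strings at all. The following is an added example, not code from the thread, using PDO prepared statements against an in-memory SQLite database. It assumes the pdo_sqlite extension is available; the account table, its rows and every input are constructed for the demonstration. It also shows the reject-rather-than-strip format check that post #8 describes, applied to a login name, and ends with the concatenated query post #12 is talking about so the two can be compared side by side.

```php
<?php
// Added example (not from the thread): parameterised queries instead of keyword or quote
// filtering. Assumes pdo_sqlite; the table, rows and inputs are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$db->exec("INSERT INTO account (id, name, password) VALUES (1, 'admin', 'hunter2'), (2, 'O''Brien', 'pass')");

// Format check for a field with a known shape: a login name that does not match is an
// error to be reported, not input to be "cleaned up".
function valid_login_name($name) {
    return preg_match('/^[A-Za-z0-9_]{3,16}$/', $name) === 1;
}

// String lookup: the value is bound, never concatenated, so a quote is just data.
function find_by_name(PDO $db, $name) {
    $stmt = $db->prepare("SELECT id, name FROM account WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric lookup: reject anything that is not all digits, then bind as an integer, so a
// value like "1 OR 1=1" can never become part of the query text.
function find_by_id(PDO $db, $id) {
    if (!ctype_digit((string)$id)) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, name FROM account WHERE id = :id");
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal name, the classic quoted payload, legitimate data with a
// quote, a normal id, the quote-free payload from the thread, and a no-space variant.
$string_inputs = ["admin", "x' OR '1'='1", "O'Brien"];
$id_inputs     = ["1", "1 OR 1=1", "1/**/OR/**/1=1"];

foreach (["robertinh07", "x' OR '1'='1", "O'Brien"] as $n) {
    printf("login name %-18s valid=%s\n", var_export($n, true), valid_login_name($n) ? 'yes' : 'no');
}
foreach ($string_inputs as $in) {
    printf("name=%-18s rows=%d\n", var_export($in, true), count(find_by_name($db, $in)));
}
foreach ($id_inputs as $in) {
    printf("id=%-20s rows=%d\n", var_export($in, true), count(find_by_id($db, $in)));
}

// Contrast: the same lookup built by concatenation. addslashes() has nothing to escape in
// "1 OR 1=1", and with no quotes around the value the OR becomes part of the WHERE clause.
$unsafe = "SELECT id, name FROM account WHERE id = " . addslashes("1 OR 1=1");
printf("concatenated: rows=%d\n", count($db->query($unsafe)->fetchAll(PDO::FETCH_ASSOC)));
```

The bound lookups return one row for admin, none for the quoted payload, and one for O'Brien, whose apostrophe is stored and matched intact; the numeric lookups return one row for "1" and none for either payload, because they never reach the database. The concatenated query at the end returns both rows, which is exactly the gap post #12 describes, and removing spaces would not close it since the comment-separated variant carries none. Escaping is still correct for what it covers; prepared statements simply make the quoting question go away for every column type.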


