Website PHP Mssql records inject hacker?

  1. #1
    cheaterastic

    Hi guys, let's talk about website PHP and MSSQL records.

    Now, in my PHP I put:
    $account = mssql_query("SELECT * FROM Login WHERE UserID='$userid'");

    Can they get the password from 'Password ColumnName'?
    Because there is a hacker in my server and he got my password; maybe he injected something, he knows my password, or maybe he keeps finding my password.

    So I changed it to:
    $account = mssql_query("SELECT UserID,AID FROM Login WHERE UserID='$userid'");

    - - - - - - - - -

    My question is: can they get my password from
    $account = mssql_query("SELECT * FROM Login WHERE UserID='$userid'");


  2. #2
    Secured

    Why not just filter SQL injections in each of your queries?
    PHP Code:
    function anti_injection($sql) {
        // Strip the listed SQL keywords and symbols; sql_regcase() makes the match case-insensitive
        $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        $sql = addslashes($sql);
        return $sql;
    }

    if (isset($_GET['action']) && ($_GET['action'] == "login")) {
        $user = anti_injection($_POST['user']);
        $pass = anti_injection($_POST['pass']);
        $account = mssql_query("SELECT * FROM Login WHERE UserID='$user'");
    }
    // This is what I would use. I did this off the top of my head, and the SQL injection thing I remember from one of the registration pages here.
    Last edited by Secured; 24-11-11 at 02:19 AM.

  3. #3
    Dave

    You can also use this function: (didn't test it, just made it now in the quick reply box.)

    PHP Code:
    function clean($value)
    {
        // Remove quotes, semicolons, URL-encoded quotes, dashes and asterisks
        return str_replace(array("'", '"', ";", "%22", "%27", "-", "*"), "", $value);
    }

    $user = clean($_POST['user']);
    Oh and using * or specified columns in your query doesn't matter for SQL injection. By SQL injecting I could still get data out of the other columns.

  4. #4
    SecretsOThePast

  5. #5
    emisand

    Don't use that stupid anti sql injection.
    The best way to get rid of sql injection is Prepared Statements, or calling stored procedures with mssql_init and mssql_bind.

    PHP: mssql_init - Manual
    PHP: mssql_bind - Manual
    PHP: mssql_execute - Manual
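
Added example (not part of emisand's post or of the thread): a prepared statement keeps the SQL text fixed and sends the value separately. It uses PDO rather than the mssql_* functions named above, with an in-memory SQLite database standing in for SQL Server so it runs offline; the Login rows and the function names are constructed for illustration.

```php
<?php
// SQLite in memory stands in for SQL Server (assumption); the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Login (UserID TEXT PRIMARY KEY, AID INTEGER, Password TEXT)");
$db->exec("INSERT INTO Login VALUES ('admin', 1, 'constructed-secret')");
$db->exec("INSERT INTO Login VALUES ('o''neil', 2, 'constructed-secret-2')");

// Pattern from the first post: the value becomes part of the SQL text.
function lookupConcatenated(PDO $db, string $userid): string
{
    try {
        $sql  = "SELECT UserID, AID FROM Login WHERE UserID='$userid'";
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        // The quote inside the value ended the string literal and altered the statement.
        return "statement altered by input: " . $e->getMessage();
    }
}

// Prepared statement: the SQL text never changes, the value travels as a bound parameter.
function lookupPrepared(PDO $db, string $userid): string
{
    $stmt = $db->prepare("SELECT UserID, AID FROM Login WHERE UserID = :userid");
    $stmt->execute([':userid' => $userid]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)";
}

foreach (["admin", "o'neil"] as $userid) {
    echo str_pad($userid, 8), " concatenated: ", lookupConcatenated($db, $userid), "\n";
    echo str_pad($userid, 8), " prepared:     ", lookupPrepared($db, $userid), "\n";
}
```

Against SQL Server the same prepare()/execute() calls apply with a SQL Server PDO driver such as pdo_sqlsrv in place of the SQLite DSN.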

  6. #6
    Vusion

    Quote (originally posted by emisand):
    Don't use that stupid anti sql injection.
    The best way to get rid of sql injection is Prepared Statements, or calling stored procedures with mssql_init and mssql_bind.

    PHP: mssql_init - Manual
    PHP: mssql_bind - Manual
    PHP: mssql_execute - Manual

    Although you're being ignorant, but oh well, you're somehow right. But that doesn't mean that Dave's function does not work.

  7. #7
    Dave

    Well... replacing certain signs in a value with nothing is not a nice way to prevent it but it does the job.

    The best way would be to check if the value only contains A-Za-z0-9 and not any other stuff.
    And to check if a value is a number you could use ctype_digit.

    Oh and removing words of a value is kinda useless.
    Example: uniunionon
    If the anti sql function removes "union" then "union" will be left.
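
Added example (not part of the thread): single-pass keyword stripping next to the allowlist checks described in the post above. The function names, the 1 to 20 character length bound and the sample inputs are assumptions made for illustration.

```php
<?php
// Single-pass keyword removal, in the style of the filters posted earlier in the thread.
function stripKeywords(string $value): string
{
    return str_replace(array("union", "select", "drop"), "", $value);
}

// Allowlist: accept only A-Za-z0-9 and reject anything else outright.
// The length bound is an assumption; match it to the real UserID column.
function isValidUserId($value): bool
{
    return is_string($value) && preg_match('/\A[A-Za-z0-9]{1,20}\z/', $value) === 1;
}

// Numeric fields: ctype_digit() is true only for a non-empty string of 0-9.
function isValidNumericId($value): bool
{
    return is_string($value) && ctype_digit($value);
}

// Constructed inputs. "uniunionon" is the example from the post above;
// "DROP" shows that str_replace() is case-sensitive.
$samples = array("Player01", "uniunionon", "DROP", "o'neil", "");
foreach ($samples as $s) {
    printf("%-14s stripped: %-12s allowlist: %s\n",
        "[" . $s . "]",
        "[" . stripKeywords($s) . "]",
        isValidUserId($s) ? "accept" : "reject");
}

// A numeric field such as AID (constructed values).
foreach (array("42", "4 2", "-1", "") as $n) {
    printf("%-14s numeric:  %s\n", "[" . $n . "]", isValidNumericId($n) ? "accept" : "reject");
}
```

Stripping turns "uniunionon" into "union", while the allowlist never rewrites a value: a string made only of letters and digits cannot close the quoted literal in the query, and anything else is rejected. Validation of this kind complements bound parameters rather than replacing them.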

  8. #8
    Vusion

    Quote (originally posted by SuperWaffle):
    Well... replacing certain signs in a value with nothing is not a nice way to prevent it but it does the job.

    The best way would be to check if the value only contains A-Za-z0-9 and not any other stuff.
    And to check if a value is a number you could use ctype_digit.

    Oh and removing words of a value is kinda useless.
    Example: uniunionon
    If the anti sql function removes "union" then "union" will be left.

    As lifeless said, can be fixed with a loop.

  9. #9
    Dave

    Quote (originally posted by Vusion):
    As lifeless said, can be fixed with a loop.

    Depends how many times he's looping through it and how many times he's removing the bad words.
    If he's looping through the value 4 times then it's still bypassed with uniuniuniuniuniunionononononon and so on.

    The hacker still needs to find out how many times it's looping through it and which words are being removed. It's still a nasty solution though. :>

    We need mssql_real_escape_string or MSSQLi lolz.

  10. #10
    alfredao

    PHP Code:
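    function cleanString($string)
    {
        // Every token the pattern in Clean() matches must be removed here, or its loop never ends
        $string = str_replace(array("from", "select", "update", "insert", "delete", "drop", "#", "*", "--", "\\"), "", $string);
        return $string;
    }

    function Clean($string)
    {
        // Repeat the removal until no listed keyword or symbol is left (case-sensitive)
        while (preg_match("/(from|select|update|insert|delete|drop|#|\*|--|\\\\)/", $string))
            $string = cleanString($string);

        return $string;
    }

    echo Clean("whwhereewherere upupdatedaupdatete drdropodropp");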

  11. #11
    Dave

    Quote (originally posted by alfredao):
    PHP Code:
    function cleanString($string)
    {
        // Every token the pattern in Clean() matches must be removed here, or its loop never ends
        $string = str_replace(array("from", "select", "update", "insert", "delete", "drop", "#", "*", "--", "\\"), "", $string);
        return $string;
    }

    function Clean($string)
    {
        // Repeat the removal until no listed keyword or symbol is left (case-sensitive)
        while (preg_match("/(from|select|update|insert|delete|drop|#|\*|--|\\\\)/", $string))
            $string = cleanString($string);

        return $string;
    }

    echo Clean("whwhereewherere upupdatedaupdatete drdropodropp");

    That's more like it, but strtolower($string) also needs to be added because otherwise DROP DATABASE GunzDB will still work.
    Bad thing is that all the data will be in lowercase (unless you modify the function, of course).

  12. #12
    alfredao

    Just add strtolower() in the subject of preg_match

    PHP Code:
    <?php
    // [pattern] is a placeholder for the regular expression
    preg_match([pattern], strtolower($string));


