If I had a choice I would stop all kinds of signatures for SQL injection.. problem.. you can only do so much because the game engine allows so many characters to be used.
I was not quite right! :eh: The ; is working. So just the ' is left.
So we have to check this at the reg.php site. Should be a minor problem :icon6:
Again, you did a really great job, and this thread must be a sticky. Just look how many readers you have here! :thumbup:
Like I said before, it should reduce SQL injection by 80%, but there are still ways to hack the website.
Some new protections I came up with should solve it.. hehehe
Please help me!
I need the code to edit reset.asp with CHAOS or Creation. That means I need the web page to reset by CHAOS or Creation. Please send mail or attach the file reset.asp to my email: lamhuy998@yahoo.com
Thank you very much
that is sick
John_d,
Thanks for the solution. But I have trouble understanding... I have read the sample and am still having problems. Can you be kind enough to show me a sample (the one I uploaded) and I can do the rest myself. TIA. :chair:
john_d, why, when I added the script to my registration script, does it always drop me back? Here is the code:
<html>
<head>
<LINK REL="StyleSheet" HREF="style.css" TYPE="text/css">
</head>
<body>
<?php
// Load the DB settings and the anti-injection class once, at the top of the
// page (the original repeated these includes, and mssql_connect(), further down).
include("config.php");
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log', $bDestroy_session, $url_redirect);
?>
<table border="0" cellspacing="0" cellpadding="0" width="480">
<tr>
<td>
<TABLE width="480" height=100% border=0 align=center cellPadding=5 cellSpacing=1 bgcolor="#ffffff">
<TBODY>
<TR bgcolor="#ffffff" class="content">
<TD colSpan=2 align=right> <div align="center" class="bigf Estilo5">
<?php
$msconnect = mssql_connect("$dbhost", "$dbuser", "$dbpasswd");
$msdb = mssql_select_db("MuOnline", $msconnect);

// NOTE: this line throws away the login name the form actually submitted and
// replaces it with a hard-coded injection test string, so $sqlinject->test()
// below fires (logs and redirects) on every request as long as it is present.
$_POST['ps_loginname'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";

// Read every field and run each one through the injection check before any
// of them is used in a query (the original only tested the first two, but
// interpolated all of them into the INSERT statements below).
$ps_loginname = stripslashes($_POST['ps_loginname']);
$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
$ps_email = stripslashes($_POST['ps_email']);
$sqlinject->test($ps_email);
$ps_person_id = stripslashes($_POST['ps_person_id']);
$sqlinject->test($ps_person_id);
$ps_password = stripslashes($_POST['ps_password']);
$sqlinject->test($ps_password);
$ps_repassword = stripslashes($_POST['ps_repassword']);
$ps_recquest = stripslashes($_POST['ps_recquest']);
$sqlinject->test($ps_recquest);
$ps_recans = stripslashes($_POST['ps_recans']);
$sqlinject->test($ps_recans);
$extcode = stripslashes($_POST['extcode']);
$extcode1 = stripslashes($_POST['extcode1']);

$Error = 0;
$sql_email_check = mssql_query("SELECT mail_addr FROM MEMB_INFO WHERE mail_addr='$ps_email'");
$sql_username_check = mssql_query("SELECT memb___id FROM MEMB_INFO WHERE memb___id='$ps_loginname'");
$email_check = mssql_num_rows($sql_email_check);
$username_check = mssql_num_rows($sql_username_check);
if (empty($ps_loginname) || empty($ps_name) || empty($ps_email) || empty($ps_person_id) || empty($ps_password) || empty($ps_repassword) || empty($ps_recquest) || empty($ps_recans) || empty($extcode) || empty($extcode1)) {
echo "Please fix the following error:<br />Some fields were left blank. Please go back and try again."; $Error=1;
}
elseif (($email_check > 0) || ($username_check > 0)) {
echo "Please fix the following errors: <br />";
if ($email_check > 0) {
echo "<strong>Your email address has already been used by another member
in our database. Please submit a different Email address!</strong><br />";
$Error=1;
}
if ($username_check > 0) {
echo "The username you have selected has already been used by another member
in our database. Please choose a different Username!<br />";
$Error=1;
}
}
elseif ($ps_password != $ps_repassword) {
echo "Please fix the following error:<br />The passwords you entered do not match."; $Error=1;
}
elseif ($extcode != $extcode1) {
echo "Please fix the following error:<br />You entered a bad code."; $Error=1;
}
if ($Error != 1) {
$msquery2 = "SET IDENTITY_INSERT MEMB_INFO ON";
// The original inserted the literal text 'ps_person_id' into addr_deta instead of the variable.
$msquery3 = "INSERT INTO MEMB_INFO (memb_guid,memb___id,memb__pwd,memb_name,sno__numb,post_code,addr_info,addr_deta,tel__numb,mail_addr,phon_numb,fpas_ques,fpas_answ,job__code,appl_days,modi_days,out__days,true_days,mail_chek,bloc_code,ctl1_code) VALUES ('1','$ps_loginname','$ps_password','$ps_name', '1','1234','11111','$ps_person_id','12343','$ps_email','$ps_email','$ps_recquest','$ps_recans','1','2003-11-23','2003-11-23','2003-11-23','2003-11-23','1','0','1')";
$msquery4 = "INSERT INTO VI_CURR_INFO (ends_days,chek_code,used_time,memb___id,memb_name,memb_guid,sno__numb,Bill_Section,Bill_value,Bill_Hour,Surplus_Point,Surplus_Minute,Increase_Days ) VALUES ('2005','1',1234,'$ps_loginname','$ps_name',1,'7','6','3','6','6','2003-11-23 10:36:00','0' )";
$msresults = mssql_query($msquery2);
$msresults = mssql_query($msquery3);
$msresults = mssql_query($msquery4);
?>
</div></TD>
</TR>
<div align="center">
<TR bgcolor="#ffffff" class="content"><TD height=2 colSpan=2 align=center>Your account has been created successfully:<br></TD></TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Login ID:</DIV></TD>
<TD width="354"><B><?php print "$ps_loginname"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Name:</DIV></TD>
<TD width="354"><B><?php print "$ps_name"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>E-mail:</DIV></TD>
<TD width="354"><B><?php print "$ps_email"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Password:</DIV></TD>
<TD width="354"><B><?php print "$ps_password"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Question:</DIV></TD>
<TD width="354"><B><?php print "$ps_recquest"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Answer:</DIV></TD>
<TD width="354"><B><?php print "$ps_recans"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Number:</DIV></TD>
<TD width="354"><B><?php print "$ps_person_id"; ?></B>
<DIV align=center></DIV></TD>
</TR>
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>
<?php
} // closes if ($Error != 1): the confirmation rows above are only shown on success
?>
OK, here's the deal: my new website has a token verifier script encoded in every form on the website. It will stop anyone from hacking the server, even without an SQL injection script.
stripslashes() only handles ANSI C escapes (i.e. it will convert a \n to a carriage return / line feed or LF only, depending on platform).
You need to add an extra function there - I can't think of a fast implementation, but something like this should do it:
A) Define the following function at the beginning of the PHP code:
Code:
function checklegal($var) {
    // reject the string as soon as one block-listed character is found
    $illegal=array("'","\\",";","/","@","#","$","~","`","%","^","*");
    for($i=0;$i<strlen($var);$i++) {
        if(in_array($var[$i],$illegal)) return false;
    }
    return true;
}
The chars in that array should handle anything that could be an escape for the SQL interpreter that would lead to a crash.
B) For each field in your code, before executing SQL queries, add something like:
Code:
if(!checklegal($var)) { die("Illegal character used, please use only A-Z and 0-9"); }
In the sample above, $var is each variable passed to the form processor (your PHP script).
Another good thing is to check the length of the strings. In order to exec an injection statement, more chars are needed than you need. A 20-char string should be fine enough. So, for string variables (such as username, password, etc.), you should be doing something like:
Code:
if(strlen($var)>20) die("Too many characters");
You can also limit their dimension from the HTML form's input parameter, but there's a way to send data to your form processor other than your webpage, so what's safe is safe.
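The two checks in the post above, as an added example (not john_d's code and not the sql_inject.php script this thread is about): a straight port of checklegal() next to an allow-list that enforces exactly what the die() message promises ("A-Z and 0-9") plus the 20-character limit, run over the form's ps_* fields and over the two payloads quoted in this thread. Python is used here instead of PHP; validate_fields() and the ODD value are made up for the example.

```python
import re

# Port of the block-list in checklegal() above: the same twelve characters.
ILLEGAL = set("'\\;/@#$~`%^*")

# Allow-list: exactly what the die() message promises the user, "A-Z and 0-9".
ALNUM = re.compile(r"^[A-Za-z0-9]+$")
MAX_LEN = 20   # the 20-character limit from the same post


def checklegal(value: str) -> bool:
    """Block-list check as posted: False if any listed character occurs."""
    return not any(ch in ILLEGAL for ch in value)


def allowlisted(value: str) -> bool:
    """Allow-list check: non-empty, at most MAX_LEN, letters and digits only."""
    return 0 < len(value) <= MAX_LEN and ALNUM.fullmatch(value) is not None


def validate_fields(fields: dict) -> dict:
    """Run the allow-list over every submitted field. Returns {field: reason}
    for each failure; an empty dict means nothing should stop the SQL layer."""
    problems = {}
    for name, value in fields.items():
        if not value:
            problems[name] = "blank"
        elif len(value) > MAX_LEN:
            problems[name] = "too long"
        elif not allowlisted(value):
            problems[name] = "illegal character"
    return problems


# Constructed inputs. The two hostile values are the strings quoted in this
# thread; the ordinary values are made up, with the form's ps_* field names.
GOOD = {"ps_loginname": "graywolf", "ps_name": "Wolf", "ps_password": "s3cret01"}
HOSTILE_1 = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%"
HOSTILE_2 = "' ; drop table character---"
# Contains only characters outside the block-list (space, dash), so checklegal()
# accepts it while the allow-list does not.
ODD = "wolf -1"

if __name__ == "__main__":
    for v in ("graywolf", HOSTILE_1, HOSTILE_2, ODD):
        print(f"{v[:40]!r:45} checklegal={checklegal(v)!s:5} allowlisted={allowlisted(v)}")
    print(validate_fields(GOOD), validate_fields({"ps_loginname": HOSTILE_2, "ps_name": ""}))
```

The difference between the two functions is the direction of the rule: the block-list has to anticipate every character that matters to the SQL parser, while the allow-list only has to describe what a login name is allowed to look like, which is why the allow-list also rejects ODD although none of its characters appear in the block-list.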
john_d? Where is your site? I need a site which can't be hacked by SQL injection, please. Or help me fix mine... I already posted the script, what's wrong there?
A variable checker / verifier is all good, and should always be kept in mind when making a website.
Quote:
Originally Posted by porkmaster
And as for them sending data from another site (CROSS SITE SCRIPTING), I think I have solved it by token-verifying all forms.
- my latest release is here http://www.supamu.info/downloads/Supaman
Which one is best protected? Tell me which one, because you won't help me fix my problem; I'll download your site :P Just tell me which is most protected from SQL injection. Thanks.
john_d, please help, please answer.
In sql_inject.php, error: Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in c:\AppServ\www\reg\sql_inject.php on line 145
FINALLY I GOT THE ANTI-SQL INJECTION SCRIPT WORKING! One more question! I have the page reg.php, which is the page with the forms, and the target page is idreg.php, so I need to add these lines to idreg.php:
if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
}
BUT in which part of it must I add them? Please answer ASAP
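An added example, not code from this thread: the per-session token check porkmaster describes above (for forms submitted from another site), shown beside a port of the Referer test graywolf is adding. Python stands in for the PHP pages; the session and header dictionaries, render_form(), decide() and the field name "token" are assumptions. The Referer value is sent by the client and is not always present, so the example reports it but makes the accept decision on the token alone.

```python
import hmac
import secrets

TOKEN_KEY = "csrf_token"          # name of the session slot (assumed)
FORM_URL = "http://my.website.com/reg.php"


def issue_token(session: dict) -> str:
    """Create a random per-session token on first use and return it."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(32)
    return session[TOKEN_KEY]


def render_form(session: dict) -> str:
    """Stand-in for reg.php: the hidden field carries this session's token,
    which a page on another site has no way to read."""
    tok = issue_token(session)
    return (f'<form method="post" action="idreg.php">'
            f'<input type="hidden" name="token" value="{tok}">'
            f'<input name="ps_loginname"> ... </form>')


def token_ok(session: dict, post: dict) -> bool:
    """Stand-in for the check at the top of idreg.php. Fails closed when either
    side is missing; compares in constant time."""
    expected = session.get(TOKEN_KEY)
    supplied = post.get("token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def referer_ok(headers: dict) -> bool:
    """Port of the stristr() test from the thread: True only if the form URL
    appears (case-insensitively) in the Referer header."""
    return FORM_URL.lower() in headers.get("Referer", "").lower()


def decide(session: dict, post: dict, headers: dict) -> dict:
    """Run both checks and report them; only the token decides."""
    tok = token_ok(session, post)
    return {"referer": referer_ok(headers), "token": tok, "accept": tok}


if __name__ == "__main__":
    # Constructed requests: a real browser session, then a forged post that
    # sets the "right" Referer but cannot know the session token.
    session = {}
    html = render_form(session)
    genuine = {"token": session[TOKEN_KEY], "ps_loginname": "graywolf"}
    forged = {"token": "0" * 64, "ps_loginname": "graywolf"}
    print(decide(session, genuine, {}))                   # accept, no Referer
    print(decide(session, forged, {"Referer": FORM_URL}))  # Referer ok, rejected
```

The token has to live in something the server controls (here the session) and be compared against what the form sends back; checking it before require_once "sql_inject.php" runs keeps the request out of the registration code entirely when it fails.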
Just at the beginning, right after the <? tag.
Quote:
Originally Posted by graywolf
I tried it already, but then this error appears: Parse error: parse error, unexpected '*' in c:\AppServ\www\reg\idreg.php on line 17
My script:
<?php
if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'hack.htm';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
Sure, I'm putting the real address of the file, not http://my.website.com/reg.php, but why does the error appear? Answer please, ASAP.
Remove the two asterisks; they're only messing up the code. Or comment them out by preceding that line with a //.
I deleted them, but this error appeared:
Parse error: parse error, unexpected $end in c:\AppServ\www\reg\idreg.php on line 132
Without those two lines:
if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
all worked fine. I want to make this anti-hack too, very, very much. Please help fix the error.
And how should I know what's around line 132 in your script?
Paste lines 125-140 and we'll see where the trouble is.
Here are lines 125~132:
</td>
</tr>
</table>
</body>
</html>
<?php
}
?>
And I wanted to attach the script so it's easier to see, but it seems that's not working, so I uploaded it here: http://r.hopto.org/idreg.zip
Reply ASAP, I am online. Thanks.
What I see in the script you've put up for download is:
Code:
<?php
**
?>
at the bottom of the file.
However, even if it's a "**" or "**", the last 3 lines should be removed because they don't seem to do anything at all except mess with your code, unless that script is somehow processed by another script with evals, which I don't think is the case, so try removing the last 3 lines too and check whether it works.
Edit: in here it appears as **, but apparently it's a pair of curly braces.
I deleted the last 3 lines; this is left:
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>
but the same error appears! By the way (returning to the anti-SQL injection script), as I understand it, it just logs an input string like ' ; Drop table Character or something like that, but does not stop it. Is there any way to stop the action too? Because it just logs the input in the file log_file_sql.log and redirects to hack.htm, as you see, but the action is not stopped. For example, if I type ' ; Drop table Character ---, it will be logged in the file like:
"29-12-2004 17:07:23 [\' ; drop table character---] from MY_IP"
redirected to hack.htm, and the action still will not be stopped >> the Character table will be dropped from the database. Is there a way to stop the action too? Sorry for so many questions, but I really want to make an anti-hack. Thank you for understanding me.
Here's your fixed file.
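The "it logs but the table is still dropped" situation from graywolf's last question, as an added example that is not the fixed file and not the sql_inject.php script: a registration check written three ways against a constructed copy of the two tables the thread names. Python with the built-in sqlite3 module stands in for PHP and mssql_*; executescript() is used where the value is pasted into the SQL text because it runs the whole batch, as the thread reports the MSSQL setup does. The assumed cause of the symptom is that the detector logs and picks a redirect but the script keeps running; register_log_only() reproduces that, register_abort() returns before any query, and lookup_safe() passes the value as a parameter so it cannot become a second statement at all. detect() is a two-character stand-in for the thread's detector, and all function names are invented for the example.

```python
import sqlite3

# The injection string graywolf quotes in this thread.
PAYLOAD = "' ; drop table character---"

LOG = []   # stands in for log_file_sql.log


def fresh_db() -> sqlite3.Connection:
    """Constructed stand-in for the two MuOnline tables the thread mentions."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE MEMB_INFO (memb___id TEXT, mail_addr TEXT);
        CREATE TABLE character (name TEXT, clevel INTEGER);
        INSERT INTO MEMB_INFO VALUES ('admin', 'admin@example.invalid');
        INSERT INTO character VALUES ('Wolf', 1);
    """)
    return con


def table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def detect(value: str) -> bool:
    """Minimal stand-in for sql_inject->test(): flags the two characters the
    thread settled on (' and ;). Only the control flow around it matters here."""
    return "'" in value or ";" in value


def lookup_unsafe(con: sqlite3.Connection, login: str) -> None:
    """Same shape as the thread's $sql_username_check: the value is pasted into
    the SQL text. executescript() runs the whole batch, so the statement after
    the ';' in PAYLOAD is executed as well."""
    con.executescript(f"SELECT memb___id FROM MEMB_INFO WHERE memb___id='{login}'")


def lookup_safe(con: sqlite3.Connection, login: str) -> int:
    """Parameterized: the value travels separately from the SQL text, so it is
    only ever compared, never parsed. Returns the number of matching rows."""
    rows = con.execute(
        "SELECT memb___id FROM MEMB_INFO WHERE memb___id=?", (login,)
    ).fetchall()
    return len(rows)


def register_log_only(con: sqlite3.Connection, login: str) -> str:
    """Reproduces the reported symptom: the detector logs and chooses hack.htm,
    but nothing stops execution, so the query below still runs. Returns the
    page the user is sent to."""
    page = "registered.htm"
    if detect(login):
        LOG.append(f"[{login}] from MY_IP")
        page = "hack.htm"
    lookup_unsafe(con, login)
    return page


def register_abort(con: sqlite3.Connection, login: str) -> bool:
    """Check, then stop: a flagged value never reaches the database (the
    return here is PHP's die()/exit), and the query that does run is
    parameterized, so even a value the detector misses cannot turn into a DROP."""
    if detect(login):
        LOG.append(f"[{login}] from MY_IP")
        return False
    if lookup_safe(con, login) > 0:
        return False   # username already taken
    return True


if __name__ == "__main__":
    con = fresh_db()
    print("log-only ->", register_log_only(con, PAYLOAD),
          "| character table still there:", table_exists(con, "character"))
    con = fresh_db()
    print("abort    ->", register_abort(con, PAYLOAD),
          "| character table still there:", table_exists(con, "character"))
    con = fresh_db()
    print("param    ->", lookup_safe(con, PAYLOAD), "matches",
          "| character table still there:", table_exists(con, "character"))
```

In the PHP pages above the equivalent of the early return is exit() (or die()) right after the log/redirect call, before any mssql_query() runs; the equivalent of lookup_safe() is a prepared statement with bound parameters (for example through PDO), so the value is never concatenated into the query string in the first place.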