[N]asser VI_CURR_INFO
or use the strtoupper() function:
Quote:
Second Problem:
If I use lowercase, I can still inject. (I think :P)
FIX:
(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "drop", "select", "update", "delete", "WHERE", "where", ...
Code:
if (in_array(strtoupper($value), $badchars))
{
    die("SQL Injection Detected");
}
But what if I write "-01" ??? ;]
Quote:
"-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9"
run an SQL script to convert all "-" to "_", or use a different sanitization function on your site for the stats fields and everything else.. If you do convert the account IDs, make sure you tell the script to first check for the resulting name (e.g., if it is about to convert the name "-player-", it should check for the existence of an account "_player_" and, if it exists, log the match and skip that user, so it can be taken care of manually...)
Quote:
Originally Posted by solteykr
not if your script converts all input to lowercase first :tongue2:
Quote:
If I use lowercase, I can still inject. (I think :P)
Then you can just use:
;)
Quote:
FIX:
(";", "'", "\"", "*", "drop", "select", "update", "delete", "where", "-0", "-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9");
always nice when that stuff happens hey :D
Quote:
P.S.
Thanks for the credit thingy you posted in your
[Release][SQL] Negative Money Fix
I Love You MAN! :D
Auto-Reset solves the problems with SQL injection??
!!Jin!! no.
To protect SQL from injection I am thinking about checking whether or not there is a " "
array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-"); - I don't think this is a good way to protect.
Anyway, everyone does as he wants.
hm, just restricting the ";" symbol is enough
PHP uses the ; symbol to recognize where the command line has ended and it is time to execute the command.. without that nothing can be done ;-)
Nemesiz:
And firewall protection??
A firewall protects from SQL injection to database.exe
To protect the website you need to check incoming data
Nemesiz:
Could you verify the website of FragFrog, for example?
I am using it, and as I do not understand Anti-SQL Injection, I would like to know if you find some error, or some solution. I believe that is simple for you who understand the subject, correct?
Thread:
http://forum.ragezone.com/showthread.php?t=52802&page=1
Sorry for the disturbance, sorry for my bad English, and thanks for all.
I think that many people have the same doubt as I do, since it is a Release.
Thnx.
I use my own self-made protections.
I'm creating a website too. But it's only remote. If you want to see it, look at http://general.muonline.lt:11001/mu-pr/server,1 for example
If you want to see other servers using this website, change server,1 to server,number, like server,2 server,3 and so on
Humm, check this:
Good Protection?
Quote:
<?php
class sql_inject
{
    /**
     * @shortdesc URL to redirect to if an SQL injection attempt is detected. If unset, value is FALSE
     * @private
     * @type mixed
     */
    public $urlRedirect;
    /**
     * @shortdesc must the session be destroyed if an attempt is detected?
     * @private
     * @type bool
     */
    public $bdestroy_session;
    /**
     * @shortdesc the SQL data currently under test
     * @private
     * @type string
     */
    public $rq;
    /**
     * @shortdesc if not FALSE, the path of the log file
     * @private
     * @type mixed
     */
    public $bLog;
    /**
     * Constructor
     *
     * @param mixed  mLog             optional. path of the log file, or FALSE for no logging
     * @param bool   bdestroy_session optional. must the session be destroyed if an attempt is detected?
     * @param string urlRedirect      optional. URL to redirect to if an SQL injection attempt is detected
     * @public
     * @type void
     */
    function __construct($mLog = FALSE, $bdestroy_session = FALSE, $urlRedirect = FALSE)
    {
        $this->bLog = (($mLog != FALSE) ? $mLog : '');
        $this->urlRedirect = (((trim($urlRedirect) != '') && file_exists($urlRedirect)) ? $urlRedirect : '');
        $this->bdestroy_session = $bdestroy_session;
        $this->rq = '';
    }
    /**
     * @shortdesc test whether an SQL injection attempt is detected
     *
     * @param string sRQ required. SQL data to test
     * @public
     * @type bool
     */
    function test($sRQ)
    {
        $sRQ = strtolower($sRQ);
        $this->rq = $sRQ;
        $aValues = array();
        $aTemp = array();               // temp array
        $aWords = array();
        $aSep = array(' and ', ' or '); // separators between the conditions of the WHERE clause
        $sConditions = '(';
        $matches = array();
        $sSep = '';
        // is there an attempt to comment out the rest of the request?
        if ((strpos($sRQ, "#") !== false) && $this->_in_post('#')) return $this->detect();
        // is there an attempt to run a 2nd SQL request?
        if (strpos($sRQ, ';') !== false) {
            $aTemp = explode(';', $sRQ);
            // only test a non-empty tail: strpos() with an empty needle matches every value
            if (isset($aTemp[1]) && $aTemp[1] !== '' && $this->_in_post($aTemp[1])) return $this->detect();
        }
        $aTemp = explode(" where ", $sRQ);
        if (count($aTemp) == 1) return FALSE;
        $sConditions = $aTemp[1];
        $aWords = explode(" ", $sConditions);
        if (strcasecmp($aWords[0], 'select') != 0) $aSep[] = ',';
        $sSep = '/(' . implode('|', array_map('preg_quote', $aSep)) . ')/';
        $aValues = preg_split($sSep, $sConditions, -1, PREG_SPLIT_NO_EMPTY);
        // test the always-true expressions
        foreach ($aValues as $i => $v) {
            // SQL injection like 1=1 or a=a or 'za'='za'
            if (strpos($v, '=') !== false) {
                $aTemp = explode('=', $v);
                if (trim($aTemp[0]) == trim($aTemp[1])) return $this->detect();
            }
            // SQL injection like 1<>2
            if (strpos($v, '<>') !== false) {
                $aTemp = explode('<>', $v);
                if ((trim($aTemp[0]) != trim($aTemp[1])) && ($this->_in_post('<>'))) return $this->detect();
            }
        }
        if (strpos($sConditions, ' null') !== false) {
            if (preg_match("/null +is +null/", $sConditions)) return $this->detect();
            if (preg_match("/is +not +null/", $sConditions, $matches)) {
                foreach ($matches as $i => $v) {
                    if ($this->_in_post($v)) return $this->detect();
                }
            }
        }
        if (preg_match("/[a-z0-9]+ +between +[a-z0-9]+ +and +[a-z0-9]+/", $sConditions, $matches)) {
            $Temp = explode(' between ', $matches[0]);
            $Evaluate = $Temp[0];
            $Temp = explode(' and ', $Temp[1]);
            if ((strcasecmp($Evaluate, $Temp[0]) > 0) && (strcasecmp($Evaluate, $Temp[1]) < 0) && $this->_in_post($matches[0])) return $this->detect();
        }
        return FALSE;
    }
    // does any POST value contain $value?
    function _in_post($value)
    {
        foreach ($_POST as $i => $v) {
            if (is_string($v) && (strpos(strtolower($v), $value) !== false)) return TRUE;
        }
        return FALSE;
    }
    function detect()
    {
        // log the attempt to SQL inject?
        if ($this->bLog) {
            $fp = @fopen($this->bLog, 'a+');
            if ($fp) {
                // record the suspicious request together with the client address
                $sIp = getenv("REMOTE_ADDR");
                fputs($fp, "\r\n" . date("d-m-Y H:i:s") . ' [' . $this->rq . '] from ' . $sIp);
                fclose($fp);
            }
        }
        // destroy session?
        if ($this->bdestroy_session) session_destroy();
        // redirect?
        if ($this->urlRedirect != '') {
            if (!headers_sent()) header("location: $this->urlRedirect");
        }
        return TRUE;
    }
    function protect1($protected) { // This will be the function we call to protect the variables.
        $banlist = array("'", "\"", "<", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
        // $banlist is the list of words you don't want to allow.
        // Makes sure only legitimate characters are used: the pattern is anchored so the whole value is checked.
        if (preg_match('/^[a-zA-Z0-9@]+$/', $protected)) {
            $protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
            return $protected;
        } else {
            echo htmlspecialchars($protected); // escaped, so the rejected value cannot inject HTML into the error page
            die(' Is invalid for that spot, please try a different entry.'); // Message if there are any characters not in [a-zA-Z0-9@].
        } // ends the if (preg_match(...))
    } // ends the function protect1()
    function protect2($protected) { // This will be the function we call to protect the variables.
        $banlist = array("'", "\"", "<", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
        // $banlist is the list of words you don't want to allow.
        // Makes sure only digits are used: the pattern is anchored so the whole value is checked.
        if (preg_match('/^[0-9]+$/', $protected)) {
            $protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
            return $protected;
        } else {
            echo htmlspecialchars($protected); // escaped, so the rejected value cannot inject HTML into the error page
            die(' Is invalid for that spot, please try a different entry.'); // Message if there are any characters not in [0-9].
        } // ends the if (preg_match(...))
    } // ends the function protect2()
}
?>
I don't understand Anti-SQL Injection Codes.
It looks fine to me. By the way, you can't inject if you use lower case... well, you could, but you can't inject if you can't use ';' anyways... the others are for backup, but yeah, I can use that function to also check the lowercase of everything in the array.
[N]asser` ~ Out
PS - Np, dude. I had to credit you because you reminded me :)
If you have a stats adder on your website, then it will not be protected from the "Stats Adder Bug".
Quote:
Originally Posted by themad
The negative sign "-" is used to perform this bug. You must include the "-", but the problem comes with the players' names, so to allow players to add stats we use "-0"..... "-9" instead.
Anyways, everybody has his own opinion. So, good luck!
You will never protect a web with any of those scripts :)
Trust me, because I used them and they stop just the kid injectors ;)
You need to determine every variable to the database, I will give some examples later
Your method works too, but I still don't see why you can't make '-' illegal and perform a query that changes every '-' in the db to '_'...
Quote:
Originally Posted by solteykr
Anyways, yours will work too..
[N]asser` ~ Out
this ";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-" is crap (also if you add -1 etc)
do you know what this is?
O2Ryb3AgdGFibGUgQ2hhcmXXXXXX 6 last letters removed.
it's
;drop table Character
in XSS do you see any strange symbols?.. nah, so this kind of SQL protection is useless, read about CSS, XSS
Try this noobs : http://phpclasses.promoxy.com/browse/package/2189.html
PHP Input Filter
And one tip: SQL injections can be fixed very simply, with 1 hour of rtfm. The problem of the people here is the mass stupidity, nobody tries to learn how to code their own scripts, or how to fix them...
I don't know how to do it :(
can you give a file or something?
No, read, try to learn PHP first: http://us.php.net/manual
Quote:
Originally Posted by dada112
I posted how to use it a few posts back... Look back and you should see it.
Quote:
Originally Posted by dada112
[N]asser` ~ Out
This should be added to the registration form in that case, using explode
Quote:
Characters with the negative sign in their character name will not be able to get into your website.
Quite wrong, if you use my stats adder page you ARE protected from this bug because I already built in an extra check to detect negative amounts, and in that case it returns an error. Problem is my original stats adder release didn't have that function and nobody seemed to bother to download the newer version (though it is built into my website release).
Quote:
Originally Posted by solteykr
Anyway, I've seen many good scripts here, [N]asser's original one should work seeing how PHP indeed needs the ';' sign to close a code line, the rest is just extra safety I suppose. In any case I implemented it into my new website, great work guys! :)
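Added example, not code from any poster in this thread: instead of blacklisting "-" (which also rejects legitimate names such as "-player-"), each field is validated by the type its database column expects and then bound as a parameter, which is one way to implement the "detect negative amounts" check and the "determine every variable to the database" advice above. The Character table name comes from the thread; the Strength column, the 10-character name limit and the 0..65535 stat range are assumptions.

```php
<?php
// Added example: validate each field by the type its database column expects,
// then bind it, rather than blacklisting characters such as "-".
// Assumed limits (not from the thread): names are 1-10 chars of [A-Za-z0-9_-],
// stat points are integers in 0..65535; the Strength column is assumed.

function validate_account_name($name) {
    // Whitelist of allowed characters; "-" stays legal, so "-player-" needs no renaming.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,10}\z/', $name)) {
        return null;
    }
    return $name;
}

function validate_stat_amount($amount) {
    // Strict integer check: "-1", "-01", "1=1" and "5;drop table Character" all fail,
    // so the "Stats Adder Bug" (negative amounts) never reaches the query at all.
    $n = filter_var($amount, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 65535)));
    return ($n === false) ? null : $n;
}

// Bind the validated values instead of concatenating them into the query text.
function add_stats(PDO $db, $name, $amount) {
    $name   = validate_account_name($name);
    $amount = validate_stat_amount($amount);
    if ($name === null || $amount === null) {
        return false; // reject the request; do not "clean" the value and continue
    }
    $stmt = $db->prepare('UPDATE Character SET Strength = Strength + :amt WHERE Name = :name');
    $stmt->bindValue(':amt',  $amount, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name,   PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample inputs, taken from the cases discussed in the thread.
$names   = array('-player-', 'Nasser', "' or 1=1", ';drop table Character');
$amounts = array('10', '0', '-1', '-01', '1=1', '5;drop table Character');
foreach ($names as $n) {
    printf("name   %-28s => %s\n", var_export($n, true),
        validate_account_name($n) === null ? 'rejected' : 'ok');
}
foreach ($amounts as $a) {
    $v = validate_stat_amount($a);
    printf("amount %-28s => %s\n", var_export($a, true), $v === null ? 'rejected' : "ok ($v)");
}
```

Only the two validators run offline; add_stats() needs a PDO connection to the game database.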
Bah.........
yuo leam n00bz!!!!!!!!!!!!!!!!!!!!
ma new scritp wlil PWN yuor azes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PHP Code:
function clean_variable($var) {
    $newvar = preg_replace('/[^a-zA-Z0-9\_\-]/', '', $var);
    return $newvar;
}
lolz
just clean your variables.. it doesn't really matter what they put in..
example they put in
$variable = "ihack= 86$noob";
if you
$variable = clean_variable($variable);
result will be
$variable = "ihack86noob";
well what's so bad about the new variable now. :) lol
have fun
Doesn't work.
Quote:
Originally Posted by kicok