[PHP] Anti SQL Injection Script

Page 1 of 3 (results 1 to 25 of 68)
  1. #1 [N]asser

    [PHP] Anti SQL Injection Script

    Well, to start things off, this is a modded version of one that was posted by someone else...I forgot his name, but if you search for it, I'm sure you could find it. I've added more things to it to make it more secure and reliable. Here they are:

    PHP Code:
    // Anti-SQL Injection
    function check_inject()
    {
        $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-");

        foreach ($_POST as $value)
        {
            // Whole-value check: matches only when the entire field equals a list entry
            if (in_array($value, $badchars))
            {
                die("SQL Injection Detected\n<br />\nIP: " . $_SERVER['REMOTE_ADDR']);
            }
            else
            {
                // Per-character check: split the value into single characters.
                // PREG_SPLIT_NO_EMPTY drops the empty strings at both ends; with
                // PREG_SPLIT_OFFSET_CAPTURE every element would be an array and
                // in_array() against the string list could never match.
                $check = preg_split("//", $value, -1, PREG_SPLIT_NO_EMPTY);
                foreach ($check as $char)
                {
                    if (in_array($char, $badchars))
                    {
                        die("SQL Injection Detected\n<br />\nIP: " . $_SERVER['REMOTE_ADDR']);
                    }
                }
            }
        }
    }
    This also works faster by a few milliseconds. This is the first of many PHP releases that I will be making to RaGEZONE. I use this very same script on the KolieMU site (soon to come). I hope you enjoy it.

    [N]asser` ~ Out
    Last edited by [N]asser; 05-06-05 at 08:48 PM. Reason: Added a new thing


  2. #2 Dorin1
    wow tnx

  3. #3 [N]asser
    No problem.

    [N]asser` ~ Out

  4. #4 [N]asser
    I've also newly added a new character into the array..."-". If you have this script check for injection on your stats adder, it should stop the - bug.

    [N]asser` ~ Out

  5. #5 DataMatrix
    I don't know why people continue using this type of anti-sql-inject, I use this:
    Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        echo("SQL Injection Detected");
    }
    Last edited by DataMatrix; 05-06-05 at 09:23 PM.

  6. #6 themad
    Quote Originally Posted by DataMatrix
    I don't know why people continue using this type of anti-sql-inject, I use this:
    Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        echo("SQL Injection Detected");
    }
    hahhahaha hahahaha that Echo will not protect a thing :)

  7. #7 Nemesiz
    we can change echo("SQL Injection Detected"); to die("SQL Injection Detected");

  8. #8 messmaker
    But I didn't understand how to put this :( Where do I need to do something?

  9. #9 DataMatrix
    Hmm, echo does the job on my server, but thanks for the tip, I'll change to die.

    Quote Originally Posted by themad
    hahhahaha hahahaha that Echo will not protect a thing :)
    PS: Was there any need in that big gay ass laugh?

  10. #10 [N]asser
    Yea, it was fun. By the way, this script is very effective, even though very simple.

    [N]asser` ~ Out

  11. #11 Nemesiz
    To protect from SQL injection I think you need to check the length of the login and password.

  12. #12 [N]asser
    Quote Originally Posted by Nemesiz
    To protect from SQL injection I think you need to check the length of the login and password.
    Why? You know what injection is right? Here's an example...in a form that submits to your db, for example your login you put this:

    Username: bob; DROP TABLE Character;

    Yea, that's basically it and that's what my script protects you against.

    [N]asser` ~ Out

  13. #13 fancy
    Quote Originally Posted by DataMatrix
    I don't know why people continue using this type of anti-sql-inject, I use this:
    Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        echo("SQL Injection Detected");
    }
    Don't you think you should use exit()?
    Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        echo("SQL Injection Detected");
        exit();
    }
    exit() stops the script. So after detecting sql injection script stops and nothing happens :P~

  14. #14 Nemesiz
    [N]asser, "bob; DROP TABLE Character;" is 26 symbols. Username max is 10 symbols. Even if a player enters his name as "mylonglongname" (14 symbols), SQL inserts only 10. To protect from SQL injection and bugs, the username needs to be checked using eregi("[^a-z0-9_-]", $memb___id) (if you use big letters you make a bug).
    If a player wants to use the username "drop", your $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-"); doesn't help him.

    fancy, what do you think die() does?

  15. #15 DataMatrix
    die stops the script too, like echo then exit.

  16. #16 themad
    or just this
    PHP Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        die("<font color=red><b>SQL Injection Detected</font</b>");
    }

  17. #17 messmaker
    [I REPEAT] But I didn't understand how to put this. Where do I need to do something?

  18. #18 Nemesiz
    Try to learn php

  19. #19 [N]asser
    Quote Originally Posted by messmaker
    [I REPEAT] But I didn't understand how to put this. Where do I need to do something?
    Put the code I gave you in a page and save it as functions.php...Then on whichever page you want to call the script, use this:

    PHP Code:
    include_once('functions.php');
    check_inject(); 
    That's about it.

    [N]asser` ~ Out

  20. #20 messmaker
    Quote:
    Originally Posted by messmaker
    [I REPEAT] But I didn't understand how to put this. Where do I need to do something?


    Put the code I gave you in a page and save it as functions.php...Then on whichever page you want to call the script, use this:

    PHP Code:
    include_once('functions.php');
    check_inject();
    But tell me, I understand I put it in a page with that script named functions.php, but.... this I didn't understand:
    PHP Code:
    include_once('functions.php');
    check_inject();

  21. #21 [N]asser
    You put that code on any page that you want to check for injection.

    [N]asser` ~ Out

    PS - themad, you mean this, right? :

    PHP Code:
    if ((eregi("[^a-zA-Z0-9_-]", $memb___id)) || (eregi("[^a-zA-Z0-9_-]", $memb__pwd))) {
        die("<font color=red><b>SQL Injection Detected</b></font>");
    }
    Just to let you know, this isn't a PHP tip, it's HTML...you should close the tag that you opened last first...like this: <font><b></b></font> and not <font><b></font></b>
    Last edited by [N]asser; 06-06-05 at 10:17 PM.

  22. #22 Nemesiz
    Warning!
    ((eregi("[^a-zA-Z0-9_-]", $memb___id)) == bug in your database
    You need to use only lowercase letters and digits:
    ((eregi("[^a-z0-9_-]", $memb___id))

    Because in one table A != a and in another A == a.

  23. #23 [N]asser
    Be specific. Which tables?

    [N]asser` ~ Out

  24. #24 DataMatrix
    It seemed to work perfectly with uppercase on my server...

  25. #25 solteykr
    First problem:
    Characters with the negative sign in his/her character name will not be able to get in your website.

    Second Problem:
    If I use lowercase, I can still inject. (I think :P)

    FIX:
    $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "drop", "select", "update", "delete", "WHERE", "where", "-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9");

    Now it's really secured, plus character names with "-" can still log in to your site, and your stats adder is still protected.

    P.S.
    Thanks for the credit thingy you posted in your
    [Release][SQL] Negative Money Fix
    I Love You MAN! :D
    Last edited by solteykr; 07-06-05 at 10:34 AM.
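An added example, not code from any poster in this thread: it runs the blacklist logic of post #1 and the whitelist-plus-length check of posts #5 and #14 against the thread's own sample inputs, so the difference on a hyphenated name (post #25), a user called "drop" (post #14) and the injection string from post #12 is visible. It assumes a 10-character username limit as stated in post #14 and uses preg_match because eregi was removed in PHP 7.

```php
<?php
// Blacklist as in post #1: reject if the whole value, or any single character,
// is in the list. A multi-character entry such as "DROP" can only match a
// value that is exactly "DROP", never a value that merely contains it.
function blacklist_check($value)
{
    $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-");
    if (in_array($value, $badchars, true)) {
        return false;
    }
    foreach (str_split($value) as $char) {
        if (in_array($char, $badchars, true)) {
            return false;
        }
    }
    return true;
}

// Whitelist from post #5 plus the length limit from post #14 (10 assumed):
// only letters, digits, underscore and hyphen, and at most $maxlen characters.
// Everything not explicitly allowed is rejected, so the list of "bad" strings
// never needs extending.
function whitelist_check($value, $maxlen = 10)
{
    return strlen($value) <= $maxlen
        && preg_match('/^[a-zA-Z0-9_-]+$/', $value) === 1;
}

// Constructed inputs taken from the thread: the injection string (post #12),
// the over-long name (post #14), a user named "drop" (post #14), a name with
// a hyphen (post #25) and a plain name.
$samples = array("bob; DROP TABLE Character;", "mylonglongname", "drop", "my-char", "bob");

foreach ($samples as $s) {
    printf("%-28s blacklist: %-6s whitelist: %s\n", $s,
        blacklist_check($s) ? "pass" : "REJECT",
        whitelist_check($s) ? "pass" : "REJECT");
}
```

The hyphenated name passes the whitelist but is rejected by the blacklist, while the over-long name is rejected only by the length check; neither validator replaces parameterised queries, which make the quoting of user input irrelevant to the SQL statement.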


