[PHP] Anti SQL Injection Script

Page 3 of 3, results 51 to 68 of 68
  1. #51
    bigbug2004 (Member, joined Apr 2005, Israel, 54 posts)
    Hmm

    Where do I need to put it?

    Thanks..

  2. #52
    HackingSkills (Enthusiast, joined Apr 2005, 43 posts)
    Command for converting a string to lower case:

    http://us3.php.net/strtolower

    Example 1. strtolower() example
    <?php
    $str = "Mary Had A Little Lamb and She LOVED It So";
    $str = strtolower($str);
    echo $str; // Prints mary had a little lamb and she loved it so
    ?>

    Note: This function is binary-safe.

  3. #53
    [N]asser (Account Upgraded | Title Enabled!, joined Nov 2004, 1,040 posts)
    Quote Originally Posted by bigbug2004:
    Hmm

    Where do I need to put it?

    Thanks..
    Look at the first few posts.. there is a guide there.

    [N]asser` ~ Out

  4. #54
    themad (Account Upgraded | Title Enabled!, joined Dec 2004, Bulgaria, 1,018 posts)
    Nice to see u all working to solve the SQL injection problems but..
    I damn put all this shit in all the files that work with SQL .. but lollllllllllll after all they hacked me again (PHP).
    Hmmmmmmmmmm........ 5 months running with the same protection and no problems and now it's fucked up.... today:
    1st drop table character .. lol
    2nd update character set ctlcode='1'
    Okay .. normal injections... although I thought the page is secured, but here is what really bugged me ... the hacker turned off my SQL server loL! hah, that's something new to me ..
    Here is what security I am using..
    Code:
    $xa = getenv('REMOTE_ADDR');
    // blacklist of substrings that must not appear anywhere in a POST value
    $badwords = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "drop", "select", "update", "delete", "WHERE", "where", "-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9", "-", "-0");
    // abort the request as soon as any POST value contains any blacklisted substring
    foreach($_POST as $value)
      foreach($badwords as $word)
        if(substr_count($value, $word) > 0)
          die("Security Warning!<br />Forbidden symbols are included, please remove them and try again -> $xa");
    This is included in all files.

    Code:
    <?php

    function check_inject()
    {
        // blacklist of characters and keywords; a value is rejected if it equals one of them as a whole
        // or if any single character of it is listed
        $badchars = array(";", "'", "*", "/", "\\", "DROP", "SELECT", "UPDATE", "DELETE", "drop", "select", "update", "delete", "WHERE", "where", "-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9");

        foreach($_POST as $value)
        {
            // only the local copy is cleaned; $_POST itself is left unchanged
            $value = clean_variable($value);

            if(in_array($value, $badchars))
            {
                die("SQL Injection Detected - Make sure only to use letters and numbers!\n<br />\nIP: ".$_SERVER['REMOTE_ADDR']);
            }
            else
            {
                // split into single characters and compare each one against the blacklist
                $check = preg_split("//", $value, -1, PREG_SPLIT_NO_EMPTY);
                foreach($check as $char)
                {
                    if(in_array($char, $badchars))
                    {
                        die("SQL Injection Detected - Make sure only to use letters and numbers!\n<br />\nIP: ".$_SERVER['REMOTE_ADDR']);
                    }
                }
            }
        }
    }

    function clean_variable($var)
    {
        // strip everything except letters, digits, underscore and hyphen
        $newvar = preg_replace('/[^a-zA-Z0-9\_\-]/', '', $var);
        return $newvar;
    }

    ?>
    All files include this too .. and use the function.


    This is from fragfrog's web page:
    Code:
    // reject the request if any field contains a character outside the whitelist
    // (eregi() was removed in PHP 7; preg_match() with the same character class is the replacement)
    if ((preg_match('/[^a-zA-Z0-9_-]/', $ps_loginname)) || (preg_match('/[^a-zA-Z0-9_-]/', $ps_name)) ||
        (preg_match('/[^a-zA-Z0-9.@_-]/', $ps_email)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_person_id)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_password)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_repassword)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_recquest)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_recans)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $extcode)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $extcode1)))
    {
        echo("I'm terribly sorry but only letters (a-Z) and nums (0-9) are allowed");
        exit();
    }
    I have included this in every PHP file which injects data into SQL but still....... I am fucking screwed up again ;\

  5. #55
    alfino (Enthusiast, joined Aug 2004, Singapore, 46 posts)
    Are you using the function to check all the data that's inserted into MSSQL?

    If you ain't, then it's of no use. You include the functions, but didn't call them. What website kit are you using? Maybe I can help you edit. Or better, go get FragFrog [don't mind if I get your name wrong]'s FrogMU website kit. Can't find it? Use the holy grail. The search button.

  6. #56
    themad (Account Upgraded | Title Enabled!, joined Dec 2004, Bulgaria, 1,018 posts)
    blah whatever.. the problem was not in $_POST but in $_REQUEST :D

    btw lol

    // reject the request if any field contains a character outside the whitelist
    // (eregi() was removed in PHP 7; preg_match() with the same character class is the replacement)
    if ((preg_match('/[^a-zA-Z0-9_-]/', $ps_loginname)) || (preg_match('/[^a-zA-Z0-9_-]/', $ps_name)) ||
        (preg_match('/[^a-zA-Z0-9.@_-]/', $ps_email)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_person_id)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_password)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_repassword)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_recquest)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $ps_recans)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $extcode)) ||
        (preg_match('/[^a-zA-Z0-9_-]/', $extcode1)))
    {
        echo("I'm terribly sorry but only letters (a-Z) and nums (0-9) are allowed");
        exit();
    }

    This is where there are any $_POST actions lollolol.. even if I don't include the function lmao.. :D It's from JD.
    Last edited by themad; 06-08-05 at 09:12 AM.

  7. #57
    john_d (Alpha Member, joined Feb 2004, Philippines, 2,868 posts)
    lolz.. u guys are still concerned about security with web pages?

  8. #58
    themad (Account Upgraded | Title Enabled!, joined Dec 2004, Bulgaria, 1,018 posts)
    Quote Originally Posted by john_d:
    lolz.. u guys are still concerned about security with web pages?
    I posted it 1 month ago :D

  9. #59
    siliconshadow (Account Upgraded | Title Enabled!, joined Feb 2005, UK, Midlands, Leicestershire, 335 posts)
    In case you think you might have missed something: make sure your server can't accept external forms; check REMOTE_ADDR and HTTP_REFERER. Also, it will bypass some of those scripts if they encode the data first.

    But I don't program PHP, just ASP, so toodloo :P I'd help ya further if I could.

  10. #60
    john_d (Alpha Member, joined Feb 2004, Philippines, 2,868 posts)
    To summarise SQL injection.

    HOW THEY CAN INJECT
    1. Through website forms
    Possible solutions:
    - use a JavaScript validator for each form item
    - use a unique session id to be verified in the form's action page
    - use a simple form validation technique like preg_match with preg_replace
    - use an image verify script
    - check the referral address; if the address is not ur website, then stop

    2. Variables that are used in SQL queries
    Possible solutions:
    - use preg_replace to remove unwanted elements
    - use an SQL query syntax analyser

    - register_globals off

    That's it..
    btw: the solutions in bold are what is used in mutoolz.. it doesn't need much protection
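    Putting the thread's points together (the per-field whitelist from posts #54 and #60, and the $_REQUEST lesson from post #56), here is an added example that is not code from the thread, mutoolz or FrogMU; the field names, length limits and the sample requests are assumed for illustration.

```php
<?php
// Added example, not code from the thread. Field names, length limits and the
// sample requests are assumed/constructed for illustration.

// One anchored whitelist per field instead of one blacklist for everything:
// any single character outside the class makes the whole value fail.
$rules = [
    'loginname' => '/^[a-zA-Z0-9_-]{3,20}$/',
    'email'     => '/^[a-zA-Z0-9.@_-]{6,64}$/',
    'ctlcode'   => '/^[0-9]{1,3}$/',
];

// Returns field => reason for every bad field; an empty array means the input passed.
function validate_input(array $rules, array $input)
{
    $errors = [];
    foreach ($rules as $field => $pattern) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            // missing fields and array-valued fields (name[]=...) are rejected alike
            $errors[$field] = 'missing';
        } elseif (!preg_match($pattern, $input[$field])) {
            $errors[$field] = 'invalid';
        }
    }
    return $errors;
}

// Constructed sample requests: a normal form post, and one carrying the
// statement quoted in post #54. A whole-value comparison such as
// in_array($value, $badchars) never matches a sentence like that; the anchored
// pattern rejects it at the very first non-digit.
$clean  = ['loginname' => 'bigbug2004', 'email' => 'bb@example.com', 'ctlcode' => '0'];
$attack = ['loginname' => 'bigbug2004', 'email' => 'bb@example.com',
           'ctlcode'   => "update character set ctlcode='1'"];

var_dump(validate_input($rules, $clean));
var_dump(validate_input($rules, $attack));

// In a real page, validate whatever the queries actually read from. If the
// code uses $_REQUEST, checking only $_POST leaves $_GET and $_COOKIE unchecked,
// which is the gap post #56 describes. (Skipped when run from the command line.)
if (PHP_SAPI !== 'cli' && validate_input($rules, $_REQUEST) !== []) {
    http_response_code(400);
    exit('Invalid input');
}
```

    The whitelist is a filter in front of the query; the values still need to reach the database as bound parameters rather than being concatenated into the SQL string.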

  11. #61
    satafa32 (Apprentice, joined Jul 2005, 23 posts)
    k I still don't have any idea how to do it.. I get the code.. save it as functions.php.. but what about the calling code? Where do I put it?? I'm using mutoolz... where??? index.php? config.php? I'm getting SQL injected all the time.. I even had to close my registrations so no one could get in after I ban him.. where do I put that calling code??? That's my doubt.. I don't get it.. I tried to put it on index.php.. and I get tons of errors... or do I need to add it in a specific place??? plz HELP me!!!

  12. #62
    AsterisKSM (God, joined Jul 2005, United Kingdom, 443 posts)
    Thank you very much man!!!!!!

  13. #63
    thedark123 (Account Upgraded | Title Enabled!, joined Jul 2004, 3rd rock from the sun, 452 posts)
    Anyone got a mutoolz version that is SQL-injection protected?

  14. #64
    john_d (Alpha Member, joined Feb 2004, Philippines, 2,868 posts)
    Quote Originally Posted by thedark123:
    Anyone got a mutoolz version that is SQL-injection protected?
    u crazy.. lolz.. mutoolz doesn't need SQL injection protection.

  15. #65
    z0lik (Account Upgraded | Title Enabled!, joined Jun 2006, Moldova, 376 posts)

    Re: [Release] [PHP] Anti SQL Injection Script

    tnx, very good, I'm trying it ....

  16. #66
    johnson13619 (Enthusiast, joined May 2007, 41 posts)

    Re: [Release] [PHP] Anti SQL Injection Script

    Does this go in the loader? Email me at johnson13619@yahoo.com

  17. #67
    graywolf (Real pro, joined Mar 2004, Latvia // Riga, 697 posts)

    Re: [Release] [PHP] Anti SQL Injection Script

    Add tolower() ^^ and don't bother with DROP & drop... etc... just
    The best anti-injection system for each web is different; for yours I can offer anti-injection with eregi();

  18. #68
    songeriux (Proficient Member, joined Mar 2011, Lithuania, 161 posts)

    Re: [PHP] Anti SQL Injection Script

    Doesn't work.


