Exploit SQL Injection webzonegamerz Ranking

#16 dTantra (Member, joined Jul 2013, 94 posts)

    Re: Exploit SQL Injection webzonegamerz Ranking

Quote Originally Posted by jbeitz107 View Post
Guys, it is pretty simple to fix this issue. Get rid of the GET method and use POST.
That won't really fix it; you can use websites like

http://apikitchen.com/

to send POST and/or GET requests to any website.

If you want to fix it, at the top of the script just connect to a MySQL database first and run the following PHP.
    Code:
    	foreach ($_GET as $key => $value) 
    	{ 
    		$_GET[$key] = mysql_real_escape_string($value); 
    	}
    	foreach ($_POST as $key => $value)
    	{
    		$_POST[$key] = mysql_real_escape_string($value); 
    	}
    Last edited by dTantra; 14-09-14 at 12:01 AM.

#17 alxndr (Enthusiast, Lima, Perú, joined Nov 2012, 45 posts)

Quote Originally Posted by dTantra View Post
That won't really fix it; you can use websites like

http://apikitchen.com/

to send POST and/or GET requests to any website.

If you want to fix it, at the top of the script just connect to a MySQL database first and run the following PHP.
    Code:
    	foreach ($_GET as $key => $value) 
    	{ 
    		$_GET[$key] = mysql_real_escape_string($value); 
    	}
    	foreach ($_POST as $key => $value)
    	{
    		$_POST[$key] = mysql_real_escape_string($value); 
    	}
That won't fix it either; it would be better if everyone used PDO.

#18 jbeitz107 (Tantra/Web Development, USA, joined Mar 2012, 1,471 posts)

You don't need to use $_GET. There are other options besides that.

#19 alxndr (Enthusiast, Lima, Perú, joined Nov 2012, 45 posts)

Quote Originally Posted by jbeitz107 View Post
You don't need to use $_GET. There are other options besides that.
Leaving PDO apart, you can use whatever you want, POST or GET; if you know what you are doing you can fix them both.
    Last edited by alxndr; 14-09-14 at 04:06 AM.

#20 jbeitz107 (Tantra/Web Development, USA, joined Mar 2012, 1,471 posts)

Agreed, alxndr. I am not telling the other part of the fix, but yes, I agree. The part I was mentioning simply removes the unnecessary text that is created using the forms in the URL. It is only a start for them.

#21 A v a r a (Tantra Freelancer, In Your Head, joined Apr 2014, 554 posts)

You can also use arrays like:

PHP Code:
    $dios_options = array(
         => 'All',
         => 'Brahma',
         => 'Shiva',
         => 'Vishnu',
    );

#22 dTantra (Member, joined Jul 2013, 94 posts)

Quote Originally Posted by dTantra View Post
That won't really fix it; you can use websites like

http://apikitchen.com/

to send POST and/or GET requests to any website.

If you want to fix it, at the top of the script just connect to a MySQL database first and run the following PHP.
    Code:
        foreach ($_GET as $key => $value) 
        { 
            $_GET[$key] = mysql_real_escape_string($value); 
        }
        foreach ($_POST as $key => $value)
        {
            $_POST[$key] = mysql_real_escape_string($value); 
        }
If that does not fix it by escaping all non-acceptable characters, then post me the document in question.

#23 alxndr (Enthusiast, Lima, Perú, joined Nov 2012, 45 posts)

Code:
    (PHP 4 >= 4.3.0, PHP 5)
    mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement

Code:
    Warning
    This extension is deprecated as of PHP 5.5.0, and will be removed in the future.
    Instead, the MySQLi or PDO_MySQL extension should be used.
    See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

    • mysqli_real_escape_string()
    • PDO::quote()

Code:
    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

@dTantra all the websites that were released here work with MSSQL, not MySQL. If you want to escape characters on MSSQL you must use two single quotes. But the problem here is not exploiting a string variable; instead, what is being exploited is an int variable, so escaping characters doesn't help too much if the injection method is using HEX as in the video above.
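
The point made in #23 (escaping only rewrites quote characters, so it does nothing for a value interpolated into an integer comparison) and the allow-list idea from #21 can both be shown in one runnable script. This is an added example, not code from the thread or from webzonegamerz: it uses PDO with an in-memory SQLite database (pdo_sqlite assumed available) in place of the MSSQL ranking database, the table and column names are invented, addslashes() stands in for the removed mysql_real_escape_string(), and the keys of the dios options array are assumed because the original keys did not survive on the page.

```php
<?php
// Added example, not webzonegamerz code. Schema, table names and data are
// constructed for the demo; SQLite via PDO stands in for the MSSQL backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ranking (id INTEGER, name TEXT, score INTEGER)');
$db->exec('CREATE TABLE admins (id INTEGER, login TEXT, pw TEXT)');
$db->exec("INSERT INTO ranking VALUES (1, 'Arjun', 900), (2, 'Kali', 800)");
$db->exec("INSERT INTO admins VALUES (1, 'admin', 's3cret')");

// The escaping-only "fix" proposed earlier in the thread. addslashes() stands in
// for mysql_real_escape_string(): both only touch quotes, backslashes and a few
// control bytes, and the mysql_* extension no longer exists in PHP 7+.
function rankingEscaped(PDO $db, string $id): array
{
    $safe = addslashes($id);
    // id is an integer column, so the value is interpolated without quotes.
    // The attacker never needs a quote character, so the escaping changes nothing.
    $sql = "SELECT name, score FROM ranking WHERE id = $safe";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened version: force the type, then bind it as a typed parameter so the
// value is sent as data and can never be parsed as SQL.
function rankingBound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name, score FROM ranking WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Allow-list for the string option the thread's $dios_options array hints at.
// Keys are assumed for the demo; the real script's keys are not on the page.
const DIOS_OPTIONS = [0 => 'All', 1 => 'Brahma', 2 => 'Shiva', 3 => 'Vishnu'];

function diosFilter(string $raw): string
{
    // Only a key present in the allow-list is ever used; anything else
    // falls back to 'All', so no user-controlled text reaches the query.
    $key = (int) $raw;
    return DIOS_OPTIONS[array_key_exists($key, DIOS_OPTIONS) ? $key : 0];
}

// Quote-free payload. On MSSQL or MySQL an attacker writes any string constant
// as a hex literal (0x61646d696e is 'admin') for exactly this reason; SQLite's
// equivalent is X'...', so here the UNION simply reads another table directly.
$payload = '1 UNION SELECT login, pw FROM admins';

// Escaped-only query: the admins row is appended to the ranking result.
print_r(rankingEscaped($db, $payload));

// Bound query: (int) '1 UNION ...' is 1, so only the real ranking row returns.
print_r(rankingBound($db, $payload));

// Allow-listed option: (int) '2 OR 1=1' is 2, and only the list value is used.
echo diosFilter('2 OR 1=1'), "\n";
```

Run it with php on the command line: the first print_r shows the admin login and password beside the ranking row, the second shows the ranking row alone, and the echo prints the allow-listed name. The same split applies to MSSQL through PDO_SQLSRV or sqlsrv: the fix is the cast plus the bound, typed parameter, not a different escaping routine.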

#24 arbeats (Novice, Philippines, joined Sep 2014, 1 post)

Did they (the owner of the said server) fix this already?

#25 dTantra (Member, joined Jul 2013, 94 posts)

Quote Originally Posted by alxndr View Post
/snip
If you want it fixed, just post me the script, as I don't have or use it, and I'll write a fix for everyone else.

#26 alxndr (Enthusiast, Lima, Perú, joined Nov 2012, 45 posts)

@dTantra sorry if I got you mad, that was not my intention. Providing a script to avoid SQL injection is not going to help here. Why? Because most people here don't know how to implement it. Webzonegamerz has a class sql_inject.php that, if we took a bit of time to read it, we could implement flawlessly and avoid this kind of problem.

To add a bit of fun to the post, the call to this class is commented out in header.php:

PHP Code:
    <?php
    //ob_start();
    require_once('anti_dos.php');
    //require_once('sql_inject.php');
    require_once('antishell.class.php');
    require_once('Block.php');
    require_once('floodshell.php');
    //require_once('proxx.class.php');
    ?>

#27 dTantra (Member, joined Jul 2013, 94 posts)

Quote Originally Posted by alxndr View Post
@dTantra sorry if I got you mad, that was not my intention. Providing a script to avoid SQL injection is not going to help here. Why? Because most people here don't know how to implement it. Webzonegamerz has a class sql_inject.php that, if we took a bit of time to read it, we could implement flawlessly and avoid this kind of problem.

To add a bit of fun to the post, the call to this class is commented out in header.php:

PHP Code:
    <?php
    //ob_start();
    require_once('anti_dos.php');
    //require_once('sql_inject.php');
    require_once('antishell.class.php');
    require_once('Block.php');
    require_once('floodshell.php');
    //require_once('proxx.class.php');
    ?>
Why on earth would you think I was mad? I have never looked at or used the script in question. I understand Tantra uses MSSQL, but I figured most websites run off MySQL; that is why I provided an attempted fix that would work for MySQL. Since it did not solve the problem in question, I was simply asking for someone to post the PHP file with the problem and I would provide them a proper fix.

#28 alxndr (Enthusiast, Lima, Perú, joined Nov 2012, 45 posts)

Well then, sorry for the misunderstanding.

#29 heterojeneo (Proficient Member, Venezuela, joined Sep 2010, 191 posts)

Fix the SQL injection problem only by using this Tantra BDS:

https://www.mediafire.com/?vl1m05zl3nqjafg <<< BDS FIX ORIGINAL
https://www.mediafire.com/?vl1m05zl3nqjafg <<< BDS FIX WEB ZONEGAMERZ
https://www.mediafire.com/?vl1m05zl3nqjafg <<< Using web admin fix news.

Regards.

#30 A v a r a (Tantra Freelancer, In Your Head, joined Apr 2014, 554 posts)

Quote Originally Posted by arbeats View Post
Did they (the owner of the said server) fix this already?
Yes, they already did. Are you planning to inject? lmao!
