[Help] How can I prevent SQL injection in my website?

  1. #1
    clinkz123 (Member, joined Jan 2011, location RageZone, 35 posts)

    [Help] How can I prevent SQL injection in my website?

    Help me... I need a guide, or a web developer in FlyFF who knows how to protect a site. Just add me on YM (clinkz96@yahoo.com) or reply here.
    Thanks in advance.


  2. #2
    Tyrus (Newbie, joined Feb 2011, 10 posts)

    Re: [Help] How can I prevent SQL injection in my website?

    Use this script; it's really good and you can't be injected any more.
    If someone tries it, the IP will be logged and the injection will be filtered.

    Code:
    <?php
    $ip     = $_SERVER['REMOTE_ADDR'];
    $script = $_SERVER['PATH_TRANSLATED'];  // key must be quoted; bare PATH_TRANSLATED is an undefined constant
    $time   = date('Y-m-d H:i:s');          // was never assigned in the original, so "Time:" logged empty
    $fp     = fopen("sqlinjections", "a+"); // append-only log of requests the filter changed
    $sql_inject_1 = array(";", "'", "%", '"');   # characters to replace
    $sql_inject_2 = array("", "", "", "&quot;"); # their replacements, same order
    $GET_KEY    = array_keys($_GET);    # array keys from $_GET
    $POST_KEY   = array_keys($_POST);   # array keys from $_POST
    $COOKIE_KEY = array_keys($_COOKIE); # array keys from $_COOKIE

    /* begin clear $_GET */
    $real_get = array();
    for ($i = 0; $i < count($GET_KEY); $i++) {
        $real_get[$i] = $_GET[$GET_KEY[$i]];
        $_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_GET[$GET_KEY[$i]]));
        if ($real_get[$i] != $_GET[$GET_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: GET\r\n");
            fwrite($fp, "Value: $real_get[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_GET */

    /* begin clear $_POST */
    $real_post = array();
    for ($i = 0; $i < count($POST_KEY); $i++) {
        $real_post[$i] = $_POST[$POST_KEY[$i]];
        $_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_POST[$POST_KEY[$i]]));
        if ($real_post[$i] != $_POST[$POST_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: POST\r\n");
            fwrite($fp, "Value: $real_post[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_POST */

    /* begin clear $_COOKIE */
    $real_cookie = array();
    for ($i = 0; $i < count($COOKIE_KEY); $i++) {
        $real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
        $_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_COOKIE[$COOKIE_KEY[$i]]));
        if ($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: COOKIE\r\n");
            fwrite($fp, "Value: $real_cookie[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_COOKIE */

    fclose($fp);
    ?>

  3. #3
    clinkz123 (Member, joined Jan 2011, location RageZone, 35 posts)

    Re: [Help] How can I prevent SQL injection in my website?

    Thanks man... but where should I put that script?

    (Post added at 09:02 AM; previous post was at 08:58 AM)

    How can I contact you? Do you have a YM? I'll add you...

  4. #4
    Tyrus (Newbie, joined Feb 2011, 10 posts)

    Re: [Help] How can I prevent SQL injection in my website?

    Into your register and/or login script.

    Like this:
    <?php
    $ip     = $_SERVER['REMOTE_ADDR'];
    $script = $_SERVER['PATH_TRANSLATED'];  // key must be quoted; bare PATH_TRANSLATED is an undefined constant
    $time   = date('Y-m-d H:i:s');          // was never assigned in the original, so "Time:" logged empty
    $fp     = fopen("sqlinjections", "a+"); // append-only log of requests the filter changed
    $sql_inject_1 = array(";", "'", "%", '"');   # characters to replace
    $sql_inject_2 = array("", "", "", "&quot;"); # their replacements, same order
    $GET_KEY    = array_keys($_GET);    # array keys from $_GET
    $POST_KEY   = array_keys($_POST);   # array keys from $_POST
    $COOKIE_KEY = array_keys($_COOKIE); # array keys from $_COOKIE

    /* begin clear $_GET */
    $real_get = array();
    for ($i = 0; $i < count($GET_KEY); $i++) {
        $real_get[$i] = $_GET[$GET_KEY[$i]];
        $_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_GET[$GET_KEY[$i]]));
        if ($real_get[$i] != $_GET[$GET_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: GET\r\n");
            fwrite($fp, "Value: $real_get[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_GET */

    /* begin clear $_POST */
    $real_post = array();
    for ($i = 0; $i < count($POST_KEY); $i++) {
        $real_post[$i] = $_POST[$POST_KEY[$i]];
        $_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_POST[$POST_KEY[$i]]));
        if ($real_post[$i] != $_POST[$POST_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: POST\r\n");
            fwrite($fp, "Value: $real_post[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_POST */

    /* begin clear $_COOKIE */
    $real_cookie = array();
    for ($i = 0; $i < count($COOKIE_KEY); $i++) {
        $real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
        $_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_COOKIE[$COOKIE_KEY[$i]]));
        if ($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]]) {
            fwrite($fp, "IP: $ip\r\n");
            fwrite($fp, "Method: COOKIE\r\n");
            fwrite($fp, "Value: $real_cookie[$i]\r\n");
            fwrite($fp, "Script: $script\r\n");
            fwrite($fp, "Time: $time\r\n");
            fwrite($fp, "==================================\r\n");
        }
    }
    /* end clear $_COOKIE */

    fclose($fp);
    ?>

    //_________________REGISTER SCRIPT________________________

    <?php
    // Targets the PHP 5 mssql extension (mssql_* functions were removed in PHP 7).

    ini_set('display_errors', 1);

    // Returns how many rows of ACCOUNT_TBL have this value in the account column.
    function exist($account)
    {
        // The mssql extension has no parameter binding for ad-hoc queries, so the
        // string delimiter is doubled before the value is spliced into the statement;
        // the original concatenated it unescaped.
        $account = str_replace("'", "''", $account);
        $sql = "SELECT * FROM ACCOUNT_TBL WHERE account='" . $account . "'";
        $result = mssql_query($sql);
        if (!$result) {
            die("MSSQL Error");
        }
        $check = mssql_num_rows($result);
        return $check;
    }

    if (isset($_POST['submit'])) {
        $server = "Your PC NAME\SQLEXPRESS";
        $user = "";
        $pass = "";

        $username  = $_POST['username'];
        $mail      = $_POST['email'];
        $password  = $_POST['password'];
        $password2 = $_POST['password2'];
        // Comes from a hidden form field, so the client chooses this value;
        // $_SERVER['REMOTE_ADDR'] is the address the server actually saw.
        $ip = trim(htmlspecialchars($_POST['ip']));

        if (strlen($username) < 4 || strlen($username) > 16) {
            die("Dein Benutzername ist zu kurz/lang .<br>Er muss zwischen <b><u>4 und 16</u></b> Zeichen lang sein .");
        }

        if (strlen($_POST['password']) < 4 || strlen($_POST['password']) > 16) {
            die("Dein Passwort ist zu kurz/lang .<br>Es muss zwischen <b><u>4 und 16</u></b> Zeichen lang sein .");
        }

        if ($password != $password2) {
            die("Die Passw&ouml;rter stimmen nicht &uuml;berein.");
        }

        // Allow-list: only ASCII letters and digits pass.
        if (preg_match('/[^a-zA-Z0-9]/', $username)) {
            die("Der Benutzername enth&auml;lt unerlaubte Zeichen.");
        }
        if (preg_match('/[^a-zA-Z0-9]/', $password)) {
            die("Das Passwort enth&auml;lt unerlaubte Zeichen.");
        }
        if (strlen($mail) < 4 || strlen($mail) > 32) {
            die("Bitte gib deine Email Adresse an.");
        }

        $conn = mssql_connect($server, $user, $pass);

        if (!$conn) {
            die("Verbindung fehlgeschlagen!<br>");
        }

        $select = mssql_select_db("ACCOUNT_DBF", $conn);

        if (!$select) {
            die("Datenbank fehlt! Bitte habe etwas Geduld.<br>");
        }

        if (exist($username) != '0') {
            die("Der Benutzername " . $username . " wird schon benutzt .");
        }

        // Note: exist() checks the account column, not an email column.
        if (exist($mail) != '0') {
            die("Die Email adresse " . $mail . " wird schon benutzt ."); // original printed $username here
        }

        $username = strtolower($username);

        $pw = md5('kikugalanet' . $password);

        $ipadress = $ip;

        // Stored procedure call with bound parameters.
        $stmt = mssql_init('dbo.usp_CreateNewAccount', $conn);
        mssql_bind($stmt, '@account', $username, SQLVARCHAR, false, false, 15);
        mssql_bind($stmt, '@pw', $pw, SQLVARCHAR, false, false, 36);
        mssql_bind($stmt, '@email', $mail, SQLVARCHAR, false, false, 120);
        $execute = mssql_execute($stmt) or die("Could not complete the registration. Please try again.");
        mssql_free_statement($stmt);

        if ($execute) {
            echo 'Account wurde <font color="green">erfolgreich</font> erstellt!';
        } else {
            echo 'Account erstellung<font color="red"> fehlgeschlagen</font>!';
        }

        mssql_close($conn);
    } else {
        // Begin script (registration form)
    ?>
    <center><font color="#FFFFFF" size="3">
    <form action="register.php" method="post">
    <table>
        <tr>
            <td align="right">Account ID:</td>
            <td><input type="text" size="20" name="username" maxlength="15" /></td>
            <td>&nbsp;</td>
        </tr>
        <tr>
            <td align="right">Passwort:</td>
            <td><input type="password" size="20" name="password" maxlength="32" /></td>
        </tr>
        <tr>
            <td align="right">Passwort wdh.:</td>
            <td><input type="password" size="20" name="password2" maxlength="32" /></td>
        </tr>
        <tr>
            <td align="right">Email:</td>
            <td><input type="text" size="20" name="email" maxlength="32" /></td>
        </tr>
        <tr>
            <td><input type="hidden" size="20" name="ip" maxlength="32" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" /></td>
        </tr>
        <tr>
            <td colspan="2" align="center"><input type="submit" name="submit" value="Account erstellen" /></td>
        </tr>
    </table><br>
    <b>Achtung:</b> Versuchte SQL-Injections werden protokolliert<br>und mit deiner IP-Adresse (<?php
    // original used "$REMOTE_ADDR" inside a short "<?" tag, which needs register_globals and short_open_tag
    $ipadresse = htmlspecialchars($_SERVER['REMOTE_ADDR']);
    echo "Deine Ip Adresse: $ipadresse";
    ?>) gespeichert!
    </form>
    </font></center>
    <?php
    }
    ?>
    Last edited by Tyrus; 25-02-11 at 01:25 AM.

  5. #5
    FireDuck (Member, joined Apr 2009, 31 posts)

    Re: [Help] How can I prevent SQL injection in my website?

    You can use htmlspecialchars() in your PHP script.

    htmlspecialchars($input); will turn ' into &#39;, etc.

    Effective enough.

    htmlentities() will also work.

    -Fireduck
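The filter in posts #2 and #4 rewrites characters and post #5 relies on htmlspecialchars(); neither keeps user input out of the SQL text. The following is an added example, not code from the thread or from any of its posters, showing what does: a prepared statement with a bound parameter, beside the allow-list check the register script already applies to usernames. It runs offline against an in-memory SQLite database; for the thread's MSSQL setup only the PDO DSN would change (the pdo_sqlsrv driver is an assumption).

```php
<?php
// Added example, not from the thread. Replaces the string-built query in exist()
// with a parameterised lookup: the value is sent separately from the SQL text, so
// quotes, semicolons or comment markers in it are data, not syntax.
declare(strict_types=1);

function account_exists(PDO $db, string $account): bool
{
    // Named placeholder; the driver never interpolates $account into the statement.
    $stmt = $db->prepare('SELECT COUNT(*) FROM ACCOUNT_TBL WHERE account = :account');
    $stmt->execute([':account' => $account]);
    return (int) $stmt->fetchColumn() > 0;
}

function valid_username(string $name): bool
{
    // Allow-list, as the register script does: 4 to 16 ASCII letters or digits.
    // Reject anything else instead of trying to strip "bad" characters out of it.
    return preg_match('/^[A-Za-z0-9]{4,16}$/', $name) === 1;
}

// In-memory SQLite stand-in for the thread's ACCOUNT_TBL (constructed test data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepare where the driver has it
$db->exec('CREATE TABLE ACCOUNT_TBL (account TEXT PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO ACCOUNT_TBL VALUES ('alice', 'alice@example.invalid')");

// Constructed inputs: two ordinary names and two that contain SQL delimiters.
$inputs = ['alice', 'bob', "alice' OR '1'='1", "x';--"];
foreach ($inputs as $input) {
    printf(
        "%-22s exists=%s valid=%s\n",
        "[$input]",
        account_exists($db, $input) ? 'yes' : 'no', // 'yes' only for the stored row 'alice'
        valid_username($input) ? 'yes' : 'no'       // the two delimiter inputs are rejected
    );
}

// htmlspecialchars() belongs where a value is written into HTML, as in the form page;
// it is an output encoder, not an SQL escaping function.
echo htmlspecialchars("alice' OR '1'='1", ENT_QUOTES, 'UTF-8'), "\n";
```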


