How NOT to be SQL Injection Vulnerable...

  1. #1 Mootie

    Tired of seeing every flyff private server with such low security.

    Step 1. Make a file called functions.php
    Put this code inside it.
    PHP Code:
    function mssql_escape($str){
        // HTML-encode first, then drop the three characters this filter targets
        $str = htmlentities($str);
        if (ctype_alnum($str))
            return $str;
        else
            return str_ireplace(array(';', '%', "'"), "", $str);
    }

    Then, put this at the beginning of every stand-alone PHP file on your site (ones that aren't linked to index.php).

    PHP Code:
    include 'functions.php';
    // run every GET and POST value through the filter before any query touches it
    foreach ($_GET as $key=>$getvar){ $_GET[$key] = mssql_escape($getvar); }
    foreach ($_POST as $key=>$postvar){ $_POST[$key] = mssql_escape($postvar); }

    That's it. There are a lot of other methods of this, array_map, hex packing, individualized sanitizing functions, etc. I wrote that on the spot so feel free to correct anything.

    If you want to let people use ' or any other special characters, you probably want to look into a function like this:

    PHP Code:
    function mssql_escape($data) {
        // numbers are passed through unquoted; anything else becomes a 0x... binary literal
        if (is_numeric($data))
            return $data;
        $unpacked = unpack('H*hex', $data);
        return '0x' . $unpacked['hex'];
    }
    which ends up being a much cleaner solution, but they both work fine for me. I'm not sure if it works in ODBC, which is what I use now, but feel free to use it on direct mssql connections.

    Enjoy.
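    The two helpers from this post, made runnable and set beside the parameter-binding approach the thread never shows, as an added example that is not the poster's code. The table name, the sample inputs and the in-memory SQLite stand-in for the MSSQL connection are assumptions made for the demo; the sqlsrv DSN in the comment is only the shape a real connection string would take.

```php
<?php
// Added example, not code from the original post. It rewrites the two escape
// helpers from post #1 so they run, and sets them beside the parameter-binding
// approach the thread only alludes to. The table name, the inputs and the
// SQLite stand-in for the MSSQL connection are constructed for this demo.

declare(strict_types=1);

// Post #1's first filter: HTML-encode, then strip ; % and ' unless the value
// is purely alphanumeric. It removes only those three characters, so it helps
// only where the value lands inside a single-quoted string literal; a value
// concatenated into an unquoted (numeric) position gets no protection from it.
function mssql_escape_strip(string $str): string
{
    $str = htmlentities($str);
    if (ctype_alnum($str)) {
        return $str;
    }
    return str_ireplace([';', '%', "'"], '', $str);
}

// Post #1's second filter: numbers pass through, everything else becomes a
// varbinary literal (0x...) that T-SQL converts back to varchar when it is
// compared with or inserted into a varchar column. The output alphabet is
// [0-9a-f] plus the 0x prefix, so no quoting character can survive; the
// literal must be placed in the query unquoted, or it is just the text "0x...".
// Caveat (added): the literal carries raw bytes, so for an NVARCHAR column the
// string must be UTF-16LE first, otherwise the stored bytes will not match.
function mssql_hex_literal(string $data, bool $forNvarchar = false): string
{
    if (is_numeric($data)) {
        return $data;
    }
    if ($forNvarchar) {
        $data = mb_convert_encoding($data, 'UTF-16LE', 'UTF-8');
    }
    return '0x' . bin2hex($data);   // same result as unpack('H*hex', $data)
}

// Parameter binding: the driver sends the value separately from the SQL text,
// so no part of the input is ever parsed as SQL and no character filtering is
// needed for that purpose. Against MSSQL the connection would be
// new PDO('sqlsrv:Server=host;Database=db', $user, $pass) (DSN assumed);
// the prepare/execute calls are the same for every PDO driver.
function find_account(PDO $pdo, string $account): ?array
{
    $stmt = $pdo->prepare('SELECT account, email FROM accounts WHERE account = :account');
    $stmt->execute([':account' => $account]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function demo(): void
{
    // In-memory SQLite so the demo runs offline; constructed sample row.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE accounts (account TEXT, email TEXT)');
    $pdo->exec("INSERT INTO accounts VALUES ('mootie', 'mootie@example.invalid')");

    // Constructed inputs: a plain account name and one that carries the
    // three characters the strip filter removes.
    foreach (['mootie', "o'brien;%"] as $input) {
        printf("input %-10s strip -> %s\n", $input, mssql_escape_strip($input));
        printf("input %-10s hex   -> %s\n", $input, mssql_hex_literal($input));
        $row = find_account($pdo, $input);
        printf("input %-10s bound -> %s\n", $input, $row ? $row['email'] : 'no match');
    }
}

demo();
```

    Run it with php on the command line. The second input is looked up by the bound query as plain data and simply returns no match, with no error and no change to the SQL; that is the property the strip filter can only approximate and only inside quoted string positions. The exact output of mssql_escape_strip for the second input varies with the PHP version, because htmlentities started converting single quotes by default in PHP 8.1.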


  2. #2 ecKo9321

    great tutorial moots.

  3. #3 Mootie

    Lazy tutorial xd.

  4. #4 Detox

    LoL, I thought it was awesome ;o.

    Law uh mootie, lol :P

  5. #5 MisterKid

    guess these servers were lazy to google it lol nice mootie

  6. #6 oOBlissOo

    Uhm, thanks? There are a lot better ways out there. But that's a nice n simple way ^_^. On a scale of 1-10 that's about a 4 on the vulnerability scale.

  7. #7 Lemons

    Quote Originally Posted by mootie View Post
    Lazy tutorial xd.
    It's good enough to understand :P

  8. #8 Mootie

    Quote Originally Posted by oOBlissOo View Post
    Uhm, thanks? There are a lot better ways out there. But that's a nice n simple way ^_^. On a scale of 1-10 that's about a 4 on the vulnerability scale.
    If it is a 4 on the vulnerability scale, why hasn't anyone exploited DemonFlyFF's input fields?

    Show me a string that can get past this filter. If there is no string that can, it is invulnerable.

  9. #9 oOBlissOo

    lolz I can think of 3 that will disable the character table = full wipe ^_^

  10. #10 reflax

    Quote Originally Posted by mootie View Post
    If it is a 4 on the vulnerability scale, why hasn't anyone exploited DemonFlyFF's input fields?

    Show me a string that can get past this filter. If there is no string that can, it is invulnerable.
    Would you like to be proven wrong? And no, I do not mean simply posting an example, because if I am going to take the time then I will have to show you that it's doable.

    I really despise people who, just because they think something of theirs is secure, say it's impossible.

  11. #11 darkesthour123

    Quote Originally Posted by oOBlissOo View Post
    lolz I can think of 3 that will disable the character table = full wipe ^_^
    Pfft, what do you know. Mootie tried helping others with a simple, quick and effective way to prevent the simple SQL vulnerabilities. He gets flamed for helping people, epic. Then you get fags like you thinking you're clever. Sanitizing $_POST can't be a tedious job; that's why this is easy and quick, because it uses an array. Now just gtfo. Mootie, just don't release anything. No point on flamezone, leachzone or w/e you want to call it.

  12. #12 TheGrea

    thanks for this

  13. #13 Blackbox

    Quote Originally Posted by darkesthour123 View Post
    Pfft, what do you know. Mootie tried helping others with a simple, quick and effective way to prevent the simple SQL vulnerabilities. He gets flamed for helping people, epic. Then you get fags like you thinking you're clever. Sanitizing $_POST can't be a tedious job; that's why this is easy and quick, because it uses an array. Now just gtfo. Mootie, just don't release anything. No point on flamezone, leachzone or w/e you want to call it.
    And you flaming a flamer is any better..... how?


    OT;

    Nice tutorial mootie, effective enough for most servers out there :)

  14. #14 oOBlissOo

    I wasn't flaming but letting people know that this script is good for keeping noob to semi-good hackers back, but pros will find a way around it. That's why I posted. Next time I won't say anything and let u guys put in the scripts not knowing if it's hackable <_<

  15. #15 biasaf

    Hmm, my code looks like this:

    <?php include 'functions.php';
    foreach ($_GET as $key=>$getvar){ $_GET[$key] = mssql_escape($getvar); }
    foreach ($_POST as $key=>$postvar){ $_POST[$key] = mssql_escape($postvar); }?>
    <? SetTitle("Fly for Sanity - Register"); ?>

    at the very beginning of the page..
    yet in the register page I have this function mssql_escape($str){ $str = htmlentities($str); if (ctype_alnum($str)) return $str; else return str_ireplace(array(';', '%', "'"), "", $str); }
    and the register table..

    what's wrong o-o

  16. #16 Mootie

    Quote Originally Posted by oOBlissOo View Post
    I wasn't flaming but letting people know that this script is good for keeping noob to semi-good hackers back, but pros will find a way around it. That's why I posted. Next time I won't say anything and let u guys put in the scripts not knowing if it's hackable <_<
    You, my good sir, are a moron. You cannot SQL inject into a $_POST variable without ' (assuming people use quoted variables). This ain't MySQL. GG.

    Quote Originally Posted by biasaf View Post
    Hmm, my code looks like this:

    <?php include 'functions.php';
    foreach ($_GET as $key=>$getvar){ $_GET[$key] = mssql_escape($getvar); }
    foreach ($_POST as $key=>$postvar){ $_POST[$key] = mssql_escape($postvar); }?>
    <? SetTitle("Fly for Sanity - Register"); ?>

    at the very beginning of the page..
    yet in the register page I have this function mssql_escape($str){ $str = htmlentities($str); if (ctype_alnum($str)) return $str; else return str_ireplace(array(';', '%', "'"), "", $str); }
    and the register table..

    what's wrong o-o
    I'm sorry if I didn't make it clear: put the mssql_escape($str){...} code into the functions.php file. ^^ Try then and see if you continue to have issues. I'm going to write a guide on the perfect anti-SQL-injection escape function soon. (It will allow %, ;, and even ' to pass into the database 100% safely.)

  17. #17 biasaf

    Quote Originally Posted by mootie View Post
    You, my good sir, are a moron. You cannot SQL inject into a $_POST variable without ' (assuming people use quoted variables). This ain't MySQL. GG.



    I'm sorry if I didn't make it clear: put the mssql_escape($str){...} code into the functions.php file. ^^ Try then and see if you continue to have issues. I'm going to write a guide on the perfect anti-SQL-injection escape function soon. (It will allow %, ;, and even ' to pass into the database 100% safely.)
    I did put the first code in a php..
    maybe I need <?php tags too? >.<

    And people, leave HIM/HER alone!
    You shouldn't comment on everything, unless you're really gonna use it.
    So don't complain, and say thanks!
    If you wanna fight, this is not the forum for it =D

  18. #18 oOBlissOo

    lawl mootie, seriously, do u know how to inject? And if u do, do u know every way? And if u do, then u know this script can't stop the really good ones.

    But most likely u think u do, and u think this script is that good.
    It's really not ^_~

  19. #19 CupCake

    Quote Originally Posted by Blackbox View Post
    And you flaming a flamer is any better..... how?


    OT;

    Nice tutorial mootie, effective enough for most servers out there :)
    indeed /ridicule

  20. #20 biasaf

    nvm fixed it =]
    php tags were missing ^^

  21. #21 bkaddict20

    Sir, is the 2nd script just for the register script only? Not for the "user online script or anything else"? ^^

  22. #22 heathj

    Quote Originally Posted by oOBlissOo View Post
    lawl mootie, seriously, do u know how to inject? And if u do, do u know every way? And if u do, then u know this script can't stop the really good ones.

    But most likely u think u do, and u think this script is that good.
    It's really not ^_~
    You keep mentioning "the really good injection strings" but don't quote any for proof. If you were confident it could be injected you would say "nice simple anti-injection function, but this (SQL injection here) would still work".

    If someone wanted to do damage to a server they would look for exploits in uploading a shell, not look for ways to truncate a database, as any good server owner would have regular backups. (I know you can SQL inject to upload a shell, but most people on the flyff scene use it to truncate.)

    Anyhow, nice simple script mootie, should keep some annoyance from the less secure server owners.

  23. #23 Detox

    Quote Originally Posted by bkaddict20 View Post
    Sir, is the 2nd script just for the register script only? Not for the "user online script or anything else"? ^^
    Stop necroposting.

    Why do new people never manage to read the rules? Here they are:
    http://forum.ragezone.com/f71/forum-rules-101410/
    Last edited by Detox; 02-07-10 at 02:55 PM.

  24. #24 LMC

    Hey, thanks for this mate. So is this actually 100% secure? Like NO way at all could someone inject?? Cause people above said the pros could still get round it. Oh and btw sorry if this is an old thread, I just wanted to ask.

    EDIT: Does this work with MYSQL? Or only mssql?
    Last edited by LMC; 03-07-10 at 03:03 PM.

  25. #25 BGxApixen

    MSSQL.
    Read the functions
    mssql_etc_etc


