
sql injection

Junior Spellweaver
Joined
Aug 10, 2009
Messages
179
Reaction score
7
People are hacking my private server using SQL injection on my website :S
Does somebody know a way to protect the website against that?
I already searched on Google and on the forum but I can't find anything at RageZone, and everything I found on Google was too difficult.. I don't understand a word of those tutorials...

So, can somebody please tell me how to protect my website against SQL injection???
 
Founder of Musara-Network
Joined
Apr 1, 2007
Messages
450
Reaction score
2
Take all your web files and copy them to some "JASKFJALSHGA" folder and then make a safer register page so people can still register, and problem solved.
 
Junior Spellweaver
Joined
Aug 10, 2009
Messages
179
Reaction score
7
Huh? But when I put all the files in a new folder it can't open my index.php, right? And if I link to the folder where the files are, it shows the folder in the address bar, so I don't think that is going to work lol
 
Divine Celestial
Loyal Member
Joined
Sep 13, 2008
Messages
853
Reaction score
14
Huh? But when I put all the files in a new folder it can't open my index.php, right? And if I link to the folder where the files are, it shows the folder in the address bar, so I don't think that is going to work lol

Lol, what he meant was delete your website and create a new one that is 100% safe.
 
Custom Title Activated
Loyal Member
Joined
Sep 9, 2008
Messages
1,949
Reaction score
390
SQL injection is a witch to get around in some cases, but if you are smart and educated, meaning you read all articles on the subject, you will stop script kiddies dead in their tracks.
 
Not working on UnitedFlyf
Loyal Member
Joined
Apr 21, 2009
Messages
1,385
Reaction score
934
It's not too hard to block 95% of them. The most vicious ones aren't that hard to block, due to being able to replace strings, such as those with words like DROP with a space (which you can make the whole value = null when the string contains a space).
 
Junior Spellweaver
Joined
Aug 10, 2009
Messages
179
Reaction score
7
@ FrostElite: I found that link earlier but I don't understand where I have to put that code :S

@ mootie: you mean that I just have to put some spaces in the places where they use SQL injection and then they can't change the script anymore?
 
Ace of Hearts
Joined
Jul 28, 2009
Messages
739
Reaction score
104
Stuff like this happens all too often for how easy it is to fix.
 
Newbie Spellweaver
Joined
Sep 10, 2004
Messages
52
Reaction score
0
It's simple: learn object-oriented PHP and use the new MySQL Improved (mysqli). Then just make sure you trim() user input and verify it against the database before anything happens.
 
Junior Spellweaver
Joined
Aug 10, 2009
Messages
179
Reaction score
7
Fixed. Someone recoded the variables and strings for me with mysql_real_escape code, and there are no hackers anymore :>
 
Junior Spellweaver
Joined
Jan 16, 2007
Messages
195
Reaction score
12
@ Topic,
Also use an AntiSql function for the WHERE clause.

PHP:
<?php
// Request-URI blacklist: every substring in $search is stripped from the
// request URI; if that changes the URI, the request is rejected before any
// other code runs. str_replace() is case-sensitive, so 'SELECT' and
// 'select%20' are separate entries.
$uri = $_SERVER['REQUEST_URI'];
$search = array('chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(',
'cmd=', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20',
'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=',
'esystem(', 'esystem%20', 'cp%20', '%20cp', 'cp(', 'mdir%20', '%20mdir', 'mdir(',
'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm',
'mcd(', 'mrd(', 'rm(', 'mcd=', 'mrd=', 'mv%20', 'rmdir%20', 'mv(', 'rmdir(',
'chmod(', 'chmod%20', '%20chmod', 'chmod=', 'chown%20', 'chgrp%20', 'chown(', 'chgrp(',
'locate%20', 'grep%20', 'locate(', 'grep(', 'diff%20', 'kill%20', 'kill(', 'killall',
'passwd%20', '%20passwd', 'passwd(', 'telnet%20', 'vi(', 'vi%20',
'insert%20into', 'select%20', 'fopen', 'fwrite', '%20like', 'like%20',
'$_request', '$_get', '$request', '$get', '.system', 'HTTP_PHP', '&aim', '%20getenv', 'getenv%20',
'new_password', '&icq', '/etc/password', '/etc/shadow', '/etc/groups', '/etc/gshadow',
'HTTP_USER_AGENT', 'HTTP_HOST', '/bin/ps', 'uname%20-a', '/usr/bin/id',
'/bin/echo', '/bin/kill', '/bin/', '/chgrp', '/chown', '/usr/bin', 'g++', 'bin/python',
'bin/tclsh', 'bin/nasm', 'perl%20', 'traceroute%20', 'ping%20', '.pl', 'lsof%20',
'/bin/mail', '.conf', 'motd%20', 'HTTP/1.', '.inc.php', 'config.php', 'cgi-', '.eml',
'file://', 'window.open', '<script>', 'javascript://', 'img src', 'img%20src', '.jsp', 'ftp.exe',
'xp_enumdsn', 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', 'nc.exe', '.htpasswd',
'servlet', '/etc/passwd', 'wwwacl', '~root', '~ftp', '.js', 'admin_', '.history',
'bash_history', '.bash_history', '~nobody', 'server-info', 'server-status', 'reboot%20', 'halt%20',
'powerdown%20', '/home/ftp', '/home/www', 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con',
'<script', 'UPDATE', 'SELECT', 'DROP', '/robot.txt', '/perl', 'mod_gzip_status', 'db_mysql.inc', '.inc', 'select%20from',
'select from', 'drop%20', '.sys', '.ini', '.shell', 'getenv', 'http_', '_php', 'php_', 'phpinfo()', '<?php', '?>', 'sql=');
// Inside single quotes PHP keeps backslashes literally, so the original
// entries 'uname\x20-a', 'g\+\+', 'file\://' and 'javascript\://' could
// never match; they are written here as the plain strings they were meant to be.
$value = str_replace($search, '', $uri);

if ($uri != $value) {
    die('Something fishy is going on..');
}
?>


Put it in the header, or something, above ALL code.

AND if you want to protect your WHERE clause (which already was solved, I presume)

PHP:
<?php
// Keyword blacklist for a value that is going to be placed inside a WHERE
// clause. str_replace() is case-sensitive, so only the lowercase spellings
// listed here are removed.
function AntiSql($value) {
    $check = $value; // original value, kept so the log can show what changed
    $valuesidontwant = array('from', 'select', 'insert', 'delete', 'where', 'drop table', 'show tables', '#', '*', '--');
    $value = str_replace($valuesidontwant, "", $value);
    $value = trim($value);
    $value = strip_tags($value);
    // addslashes() turns ' into \' ; the next line then doubles the quote,
    // so a single apostrophe ends up as \''
    $value = addslashes($value);
    $value = str_replace("'", "''", $value);

    /*
    // Optional logging: appends the original and the sanitised value.
    if ($check != $value) {
        $logf = fopen("Logs/AntiSqlLog.txt", "a+");
        fprintf($logf, "Date: %s IP: %s Original: %s Sanitized: %s\r\n",
            date("d-m-Y h:i:s A"), $_SERVER['REMOTE_ADDR'], $check, $value);
        fclose($logf);
    }
    */
    return $value;
}

Remove the quotes for Logs. ;)

Hope it helped though.
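The post above and the earlier suggestion to use MySQL Improved both work around the same root problem: user input is being pasted into the text of the SQL query. The following is an added example, not code from this thread or from RageZone, showing the fix a practitioner would actually apply: a prepared statement with bound parameters (PDO is used here; mysqli's prepare()/bind_param() is the equivalent). It uses an in-memory SQLite database and constructed sample accounts so it runs without a game server or MySQL. The table name `account` and the usernames are made up for the example.

```php
<?php
// Added example (not from the thread): parameterised queries with PDO,
// compared with string concatenation and with the thread's keyword blacklist.
// SQLite in memory is used so the script runs stand-alone.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data: two accounts, passwords stored as bcrypt hashes.
$pdo->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$seed = $pdo->prepare('INSERT INTO account (username, password_hash) VALUES (:u, :h)');
foreach (['selectric' => 'pw-one', "o'neil" => 'pw-two'] as $user => $pw) {
    $seed->execute([':u' => $user, ':h' => password_hash($pw, PASSWORD_DEFAULT)]);
}

// Vulnerable form: the username becomes part of the SQL text, so the
// database cannot tell data apart from query structure. This is the
// pattern the blacklist in the thread tries to patch over.
function findAccountUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT id, username FROM account WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Safe form: the query text is fixed and the username travels as a bound
// parameter, so quotes or SQL keywords inside it are only characters.
function findAccount(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username FROM account WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Login check: the hash comparison happens in PHP, never inside the SQL.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM account WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// The keyword list from the thread's AntiSql(), applied on its own.
function blacklistStrip(string $value): string {
    $valuesidontwant = ['from', 'select', 'insert', 'delete', 'where', 'drop table', 'show tables', '#', '*', '--'];
    return str_replace($valuesidontwant, '', $value);
}

// 1. A legitimate name with an apostrophe breaks the concatenated query
//    (SQLite reports a syntax error); the prepared statement handles it.
try {
    findAccountUnsafe($pdo, "o'neil");
    echo "unsafe query: no error\n";
} catch (PDOException $e) {
    echo "unsafe query failed on a legitimate name: " . $e->getMessage() . "\n";
}
var_dump(findAccount($pdo, "o'neil"));
var_dump(login($pdo, "o'neil", 'pw-two'));
var_dump(login($pdo, "o'neil", 'wrong-password'));

// 2. The blacklist silently rewrites a real account name ('selectric'
//    contains 'select'), so that user can no longer be found or log in.
//    The prepared statement needs no such filter and returns the row.
echo blacklistStrip('selectric') . "\n";
var_dump(findAccount($pdo, blacklistStrip('selectric')));
var_dump(findAccount($pdo, 'selectric'));
```

Run it with `php example.php`. The same false-positive problem applies to the request-URI list in the post above: entries such as `.js`, `.ini`, `SELECT` or `HTTP/1.` will reject perfectly ordinary requests that happen to contain those substrings, while bound parameters make the keyword stripping unnecessary in the first place.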
 
Junior Spellweaver
Joined
Aug 10, 2009
Messages
179
Reaction score
7
It was already fixed, but thanks anyway, because now it's even more protected =)
 