sql injection

  1. #1 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    sad sql injection

    People are hacking my private server using SQL injection on my website :S
    Does somebody know a way to protect the website against that?
    I already searched on Google and on the forum, but I can't find anything at RageZone, and everything I found on Google was too difficult.. I don't understand a word of those tutorials...

    So, can somebody please tell me how to protect my website against SQL injection???


  2. #2 zebra (Founder of Musara-Network; rank: True Member; joined Apr 2007; location: Home; 676 posts)

    Re: sql injection

    Take all your web files and copy them to some "JASKFJALSHGA" folder, and then make a safer register page so people can still register, and problem solved.

  3. #3 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    Re: sql injection

    Huh? But when I put all the files in a new folder it can't open my index.php, right? And if I link to the folder where the files are, it shows the folder in the address bar, so I don't think that is going to work lol

  4. #4 BBim (Account Inactive; rank: Inactive; joined Sep 2008; location: 127.0.0.1; 1,110 posts)

    Re: sql injection

    Quote, originally posted by gaseline11:
        Huh? But when I put all the files in a new folder it can't open my index.php, right? And if I link to the folder where the files are, it shows the folder in the address bar, so I don't think that is going to work lol
    Lol, what he meant was delete your website and create a new one that is 100% safe.

  5. #5 FrostElite (Ragezone OG; rank: Alpha Male; joined Sep 2008; location: United States; 1,881 posts)

    Re: sql injection


  6. #6 GlaphanKing (Account Inactive; rank: Inactive; joined Sep 2008; location: World of Morrow; 2,594 posts)

    Re: sql injection

    SQL injection is a bitch to get around in some cases, but if you are smart and educated, meaning you have read all the articles on the subject, you will stop script kiddies dead in their tracks.

  7. #7 Mootie (Not working on UnitedFlyf; rank: Developer; joined Apr 2009; 1,589 posts)

    Re: sql injection

    It's not too hard to block 95% of them. The most vicious ones aren't that hard to block, since you can replace strings, such as those containing words like DROP, with a space (and you can make the whole value null when the string contains a space).

  8. #8 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    Re: sql injection

    @ FrostElite: I found that link earlier, but I don't understand where I have to put that code :S

    @ mootie: You mean that I just have to put some spaces in the places where they use SQL injection, and then they can't change the script anymore?

  9. #9 Reimniess (Ace of Hearts; rank: True Member; joined Jul 2009; location: in your head; 784 posts)

    Re: sql injection

    Stuff like this happens all too often, considering how easy it is to fix.
    Last edited by Reimniess; 13-09-09 at 08:01 PM.

  10. #10 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    Re: sql injection

    Yea.. but HOW can I fix this? D:

  11. #11 MatreX (Account Inactive; rank: Inactive; joined Sep 2004; location: U.S.A; 236 posts)

    Re: sql injection

    It's simple: learn object-oriented PHP and use the new MySQL_improved. Then just make sure you trim() user input and verify it against the database before anything happens.

  12. #12 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    Re: sql injection

    Fixed. Someone recoded the variables and strings for me with mysql_real_escape code, and there are no hackers anymore :>
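
The two posts above recommend MySQL Improved and escaping or checking the input before it reaches the database. What that amounts to in practice is a parameterised query. The block below is an added example, not code from this thread or from anyone in it: the same login check written the vulnerable way (input concatenated into the SQL string) and the fixed way (prepared statement with bound values). It uses PDO with an in-memory SQLite database so it runs without a MySQL server; that choice, the `accounts` table, the `admin` account and the payload are all constructed for the demonstration. The prepare/execute shape is the same with mysqli against MySQL.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension is
// available; the prepare/execute pattern is identical for mysqli against MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one account, as a private-server site might store it.
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO accounts (username, password) VALUES ('admin', 's3cret')");

// Vulnerable: the values are pasted into the SQL text, so a quote in the input
// ends the string literal and whatever follows is executed as SQL.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM accounts WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Fixed: the SQL text contains only placeholders; the values travel separately
// to the driver and cannot change the structure of the statement.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT id FROM accounts WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

// Constructed payload for the password field: closes the quote and appends an
// always-true condition, so the WHERE clause matches without the real password.
$payload = "' OR '1'='1";

foreach ([
    ['loginVulnerable', 'admin', $payload],
    ['loginSafe',       'admin', $payload],
    ['loginSafe',       'admin', 's3cret'],
] as [$fn, $user, $pass]) {
    printf("%-15s user=%-6s pass=%-12s -> %s\n",
        $fn, $user, $pass, $fn($db, $user, $pass) ? 'logged in' : 'rejected');
}
```

Run it with the PHP CLI. The concatenated query accepts the payload as a valid login for `admin`; the prepared statement rejects it and only accepts the real password. With mysqli the equivalent is `$stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $user, $pass); $stmt->execute();`. Nothing in the fix depends on knowing which keywords an attacker will send, which is why it holds up where keyword blacklists do not.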

  13. #13 sayuta (Account Inactive; rank: Inactive; joined Jan 2007; location: The Netherlands; 205 posts)

    Re: sql injection

    @ Topic,
    Also use an AntiSql function.. for the WHERE clause.

    PHP Code:
    <?php
    // Compares the raw request URI against a blacklist of substrings; any hit aborts the request.
    // REQUEST_URI is not URL-decoded, which is why both the "%20" and the literal-space forms are listed.
    // The list also contains substrings that occur in ordinary URLs (for example '.js', '.inc', 'HTTP/1.'),
    // so legitimate requests containing them are aborted as well.
    $uri = $_SERVER['REQUEST_URI'];
    $search = array('chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(',
    'cmd=', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20',
    'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=',
    'esystem(', 'esystem%20', 'cp%20', '%20cp', 'cp(', 'mdir%20', '%20mdir', 'mdir(',
    'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm',
    'mcd(', 'mrd(', 'rm(', 'mcd=', 'mrd=', 'mv%20', 'rmdir%20', 'mv(', 'rmdir(',
    'chmod(', 'chmod%20', '%20chmod', 'chmod(', 'chmod=', 'chown%20', 'chgrp%20', 'chown(', 'chgrp(',
    'locate%20', 'grep%20', 'locate(', 'grep(', 'diff%20', 'kill%20', 'kill(', 'killall',
    'passwd%20', '%20passwd', 'passwd(', 'telnet%20', 'vi(', 'vi%20',
    'insert%20into', 'select%20', 'fopen', 'fwrite', '%20like', 'like%20',
    '$_request', '$_get', '$request', '$get', '.system', 'HTTP_PHP', '&aim', '%20getenv', 'getenv%20',
    'new_password', '&icq', '/etc/password', '/etc/shadow', '/etc/groups', '/etc/gshadow',
    'HTTP_USER_AGENT', 'HTTP_HOST', '/bin/ps', 'wget%20', 'uname\x20-a', '/usr/bin/id',
    '/bin/echo', '/bin/kill', '/bin/', '/chgrp', '/chown', '/usr/bin', 'g\+\+', 'bin/python',
    'bin/tclsh', 'bin/nasm', 'perl%20', 'traceroute%20', 'ping%20', '.pl', 'lsof%20',
    '/bin/mail', '.conf', 'motd%20', 'HTTP/1.', '.inc.php', 'config.php', 'cgi-', '.eml',
    'file\://', 'window.open', '<script>', 'javascript\://', 'img src', 'img%20src', '.jsp', 'ftp.exe',
    'xp_enumdsn', 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', 'nc.exe', '.htpasswd',
    'servlet', '/etc/passwd', 'wwwacl', '~root', '~ftp', '.js', '.jsp', 'admin_', '.history',
    'bash_history', '.bash_history', '~nobody', 'server-info', 'server-status', 'reboot%20', 'halt%20',
    'powerdown%20', '/home/ftp', '/home/www', 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con',
    '<script', 'UPDATE', 'SELECT', 'DROP', '/robot.txt', '/perl', 'mod_gzip_status', 'db_mysql.inc', '.inc', 'select%20from',
    'select from', 'drop%20', '.sys', '.ini', '.shell', 'getenv', 'http_', '_php', 'php_', 'phpinfo()', '<?php', '?>', 'sql=');
    // Removing every listed substring and comparing with the original tells us whether any of them occurred.
    $value = str_replace($search, '', $uri);

    if ($uri != $value) {
        die('Something fishy is going on..');
    }
    ?>

    Put it in the header, or something, above ALL code.

    AND if you want to protect your WHERE clause (which was already solved, I presume)

    PHP Code:
    function AntiSql($value) {
        $check = $value;
        // Strip a short list of SQL keywords and comment markers (case-sensitive, single pass),
        // then escape what is left before it goes into a quoted WHERE clause.
        $valuesidontwant = array('from', 'select', 'insert', 'delete', 'where', 'drop table', 'show tables', '#', '*', '--');
        $value = str_replace($valuesidontwant, "", $value);
        $value = trim($value);
        $value = strip_tags($value);
        $value = addslashes($value);
        $value = str_replace("'", "''", $value);

        /*
        // Logs every value the filter changed, with the original and the sanitized form.
        if ($check != $value) {
            $logf = fopen("Logs/AntiSqlLog.txt", "a+");
            fprintf($logf, "Date: %s IP: %s Value: %s -> %s\r\n", date("d-m-Y h:i:s A"), $_SERVER['REMOTE_ADDR'], $check, $value);
            fclose($logf);
        }
        */
        return $value;
    }

    Remove the comment quotes for the logs. ;)

    Hope it helped though.
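
To see what the AntiSql filter in the post above actually does with different inputs, here is an added test harness (not part of the original post): it copies the function as posted and runs it over a few constructed values. None of the inputs come from the thread; they are chosen to exercise the case-sensitive, single-pass keyword removal and the two quote-escaping steps.

```php
<?php
// Added example (not from the thread): runs the AntiSql filter posted above
// over constructed inputs to show what it changes and what it leaves alone.

function AntiSql($value) {
    $valuesidontwant = array('from', 'select', 'insert', 'delete', 'where', 'drop table', 'show tables', '#', '*', '--');
    $value = str_replace($valuesidontwant, "", $value);   // case-sensitive, one pass per keyword
    $value = trim($value);
    $value = strip_tags($value);
    $value = addslashes($value);                          // turns ' into \'
    $value = str_replace("'", "''", $value);              // then turns every ' into ''
    return $value;
}

// Constructed inputs. Each comment names the part of the filter it exercises.
$inputs = [
    "' or 1=1 --",      // quoted-string injection: the quote is escaped and the comment marker stripped
    "1 OR 1=1",         // unquoted numeric context: contains no quote and no listed word
    "SELECT password",  // uppercase keyword: the list is lowercase and str_replace is case-sensitive
    "selselectect",     // nested keyword: removing the inner 'select' once leaves 'select' behind
    "O'Brien",          // legitimate name: addslashes and the quote-doubling both act on the same quote
];

foreach ($inputs as $in) {
    $out = AntiSql($in);
    printf("%-20s -> %-22s %s\n", $in, $out, $in === $out ? '(unchanged)' : '(changed)');
}
```

Run with the PHP CLI. Only the first and last inputs come out different from what went in: an unquoted value destined for a numeric WHERE clause, an uppercase keyword and a keyword nested inside itself all pass through untouched, while a legitimate apostrophe ends up as `\''`. A prepared statement with bound parameters avoids all of these cases because the input is never parsed as SQL.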

  14. #14 gaseline11 (Account Inactive; rank: Inactive; joined Aug 2009; location: Flaris; 179 posts)

    Re: sql injection

    It was already fixed, but thanks anyway, because now it's even more protected =)


