Here's a basic way to protect your scripts from getting injected (MSSQL).

First of all you will need to add this security class to your scripts (let's call it security.class.php):
PHP Code:
<?php
class Security {
    // Strips control characters (raw and URL-encoded) and doubles single quotes,
    // which is how T-SQL escapes a quote inside a string literal.
    // Numeric input is returned as-is.
    public function secure($data) {
        // Compare explicitly instead of using empty(): empty("0") is true and
        // would have thrown away a legitimate "0".
        if ($data === null || $data === '') return '';
        if (is_numeric($data)) return $data;
        $non_displayables = array('/%0[0-8bcef]/', '/%1[0-9a-f]/', '/[\x00-\x08]/', '/\x0b/', '/\x0c/', '/[\x0e-\x1f]/');
        foreach ($non_displayables as $regex) {
            $data = preg_replace($regex, '', $data);
        }
        $data = str_replace("'", "''", $data);
        return $data;
    }

    // Only letters and digits are allowed.
    public function checkChars($data) {
        return preg_match('/^[a-zA-Z0-9]+$/', $data) === 1;
    }

    public function checkEmail($data) {
        return preg_match('/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/', $data) === 1;
    }

    public function checkMinLength($data, $length) {
        return strlen($data) >= $length;
    }

    public function checkMaxLength($data, $length) {
        return strlen($data) <= $length;
    }
}
?>

Now comes the checking part (I will use registration as an example).
First of all we include the class file:
PHP Code:
require_once("security.class.php");

Next step, we instantiate the class (so that we can actually use its functions):
PHP Code:
$sec = new Security();

Now that this is done let's create the security checks. Let's say we have the username, password and email in this case:
PHP Code:
$username = "someusername";
$password = "somepassword";
$mail = "mail@email.com";

As you can see the defined values are not checked yet, so we need to do something about it. I used this way (switch (false) jumps to the first case whose condition evaluates to false):
PHP Code:
switch (false) {
    case ($sec->checkChars($username) && $sec->checkChars($password)):
        $errorCode = 1;
        break;
    case ($sec->checkEmail($mail)):
        $errorCode = 2;
        break;
    case ($sec->checkMinLength($username, 6) && $sec->checkMinLength($password, 6)):
        $errorCode = 3;
        break;
    case ($sec->checkMaxLength($username, 16) && $sec->checkMaxLength($password, 16)):
        $errorCode = 4;
        break;
    default:
        $errorCode = 0;
        break;
}

if ($errorCode > 0) {
    switch ($errorCode) {
        case 1:
            echo "You are using invalid characters! (allowed: A-Z, a-z, 0-9 and '@', '.' for emails).";
            break;
        case 2:
            echo "Email entered in wrong format!";
            break;
        case 3:
            echo "Username or password too short! (min 6 characters)";
            break;
        case 4:
            echo "Username or password too long! (max 16 characters)";
            break;
    }
} else {
    // Here we can finally execute the real registration, since the input passed all checks.
    // Note that secure() has not been called yet: apply $sec->secure() to each value
    // before it is placed in a query.
}

That should be all for now, hope this will help you to solve your problems with SQL injection attacks on your server.

Enjoy and have fun, don't forget to say thanks.
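As an added example that is not part of the original post, the script below contrasts the quote-doubling that `secure()` performs with a parameterized query. It assumes an in-memory SQLite database in place of MSSQL so that it runs offline (with the PDO_SQLSRV driver only the DSN, `sqlsrv:Server=host;Database=db`, would change; the queries are the same). The `secureQuote()` helper, the `users` table, its rows and the two payloads are constructed for this example. It shows what the posted code does and does not cover: doubling quotes stops a payload inside a quoted string literal, but a value concatenated into an unquoted numeric position (`WHERE id = ` . $id) contains nothing to escape and passes through untouched, while binding the value with a prepared statement handles both cases.

```php
<?php
// Added example, not code from the original post. Contrasts the quote-doubling
// approach of Security::secure() with a parameterized query.
// ASSUMPTION: an in-memory SQLite database stands in for MSSQL so the script
// runs offline; with PDO_SQLSRV the DSN would be "sqlsrv:Server=host;Database=db"
// and the queries below are unchanged.

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// Same idea as Security::secure(): drop control characters and double single
// quotes (T-SQL escapes a quote inside a string literal as '').
function secureQuote(string $data): string {
    if ($data === '') {
        return '';
    }
    if (is_numeric($data)) {
        return $data;
    }
    $data = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $data);
    return str_replace("'", "''", $data);
}

// Quoted string context: a doubled quote cannot close the literal, so the
// payload stays inside the string and matches no row.
function findByNameConcat(PDO $pdo, string $name): array {
    $sql = "SELECT id FROM users WHERE username = '" . secureQuote($name) . "'";
    return array_map('intval', $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

// Unquoted numeric context: the payload contains no quote, so secureQuote()
// returns it unchanged and the database parses it as SQL.
function findByIdConcat(PDO $pdo, string $id): array {
    $sql = "SELECT id FROM users WHERE id = " . secureQuote($id);
    return array_map('intval', $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

// Parameterized query: the value is bound to :id and is never parsed as SQL,
// whatever it contains and whether or not the column is a string.
function findByIdParam(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$pdo = setupDb();
$payloadString  = "alice' OR '1'='1";   // constructed payload for a quoted context
$payloadNumeric = '1 OR 1=1';           // constructed payload for an unquoted context

var_dump(findByNameConcat($pdo, $payloadString));  // quoted context, quote doubling holds
var_dump(findByIdConcat($pdo, $payloadNumeric));   // unquoted context, nothing to escape
var_dump(findByIdParam($pdo, $payloadNumeric));    // bound parameter, no injection
```

Run with `php example.php` (PDO with the sqlite driver is enabled in most PHP builds). The first call returns no rows, because `'alice'' OR ''1''=''1'` is one string that matches no username. The second returns both ids, because the query becomes `WHERE id = 1 OR 1=1`; this is exactly the case the class's `secure()` cannot address, since it only acts on quotes and control characters. The third returns no rows, because `'1 OR 1=1'` is compared as a value against the id column rather than being interpreted as SQL. The practical rule that follows: use `checkChars()` and friends to validate input, but send values to MSSQL through prepared statements (PDO or `sqlsrv_query()` with a parameter array) rather than relying on quote doubling.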