Php Effective Anti Injection Script -> No symbol block

I've been seeing all kinds of stuff about this topic.. Everyone gets his site hijacked in a way.. So here is a script that should put an end to this.
This script is 100% effective, does not block/replace any symbols (including the "'"). The scripts is a part of my web's security but i decided to share it.
Just put in the file that connects to the mssql server or ODBC data source.

PHP Code:

---

// Begin
/*
    The muonline xweb base injection filter script
        Mssql Injection Filter, Includes arrays
-----------------------------------------------------------------
           Changelog: mu.vachev.net?mod=xweb
*/

function xw_sanitycheck($str){
    if(strpos(str_replace("''",""," $str"),"'")!=false)
        return str_replace("'", "''", $str);
    else
        return $str;
}

function secure($str){
    // Case of an array
    if (is_array($str)) {
        foreach($str AS $id => $value) {
            $str[$id] = secure($value);
        }
    }
    else
        $str = xw_sanitycheck($str);

    return $str;
}

// Get Filter
$xweb_AI    = array_keys($_GET);
$i=0;
while($i<count($xweb_AI)) {
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Request Filter
$xweb_AI    = array_keys($_REQUEST);
$i=0;
while($i<count($xweb_AI)) {
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Post Filter
$xweb_AI    = array_keys($_POST);
$i=0;
while($i<count($xweb_AI)) {
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]);
    $i++;
}

// Cookie Filter (do we have a login system?)
$xweb_AI    = array_keys($_COOKIE);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]);
    $i++;
}
// End 


---

The script executed in less than 0.01 seconds.

Compatible with: PHP 4.x.x/5.x.x+
Credits: Savoy

good release, next time add a [release] tag

Quote:

---

Originally Posted by Xurbus

good release, next time add a [release] tag

---

Totally forgot about that.. will have that in mind next time

great man, thanks

xtremely nice :X :D thank you savoy!

Savoy rulz !

Nice release man.

Thanks, very usefull

I dont understand were i put pls help me were I put this pllssssss

Very nice and useful, keep up the good work! ^^

Hello ppl , can you help me !!!

pfff help pls i dont understand were i put this cods !

Quote:

---

Originally Posted by CnC-Master

pfff help pls i dont understand were i put this cods !

---

OMG! READ!

Quote:

---

Originally Posted by themad

Just put in the file that connects to the mssql server or ODBC data source.

---

And thanks a million for this script :))
This is really usefull :))

this can be used in any kind of script?
btw gj

Quote:

---

Originally Posted by foxfirediego

this can be used in any kind of script?

---

Positive ..

Thanks, Good Job :]
Which files connecting to mssql/ODBC ?

thx you veri much

ENG: Great 10/10 !
BG: bravo 10/10 !

sorry my noob question but..

where i paste this script?

good release , useful :))

Yes, how to put this code, where to put in the file?
One file or all file in web
etc: Where to put in MuWeb8.......
Thank!!!!!

When need this SQL anti injection? All problems in ' - quotes and ; - symbol...

Use:

Quote:

---

if (!get_magic_quotes_gpc()) {
$... = addslashes($_POST['...']);
} else {
$... = $_POST['...'];
}

---

thx ;) Good job. :technolog

Quote:

---

Originally Posted by SlavOOn

When need this SQL anti injection? All problems in ' - quotes and ; - symbol...

Use:

---

You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname=addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right ? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");

\' doesn't cut it with mssql...you have to use two single quotes in order to avoid it . Str_replace("'","'',$var);

The script i have brough simply filters ALL user inputed variables from browser to server and checks not to double filter ( i mean the ' to become '''''..etc.. ), effective and without having to check every single post/get var..

If you are using an addslashes() function as a protection..better change it fast..

Quote:

---

Originally Posted by themad

You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname=addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right ? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");

\' doesn't cut it with mssql...you have to use two single quotes in order to avoid it . Str_replace("'","'',$var);

The script i have brough simply filters ALL user inputed variables from browser to server and checks not to double filter ( i mean the ' to become '''''..etc.. ), effective and without having to check every single post/get var..

If you are using an addslashes() function as a protection..better change it fast..

---

Themad!
Please help me, how to add your script to muweb 08???, what file need to add....???
Thank!

Quote:

---

Originally Posted by anhnga

Themad!
Please help me, how to add your script to muweb 08???, what file need to add....???
Thank!

---

I have not downloaded muweb like..ever...i don't know how its build...can't help you

Hmm,my site uses sql_inject.php , if i'll put this script in it,script would work?

It is a nice script but it won't put an end to malicious attack. In MUweb ppl still could get their board hacked by remote inclusion, in a web of czf there's xss ... But the script does good enough to stop sql injection. wat i fear is blind sql injection -.-

bug good man thx !!!

Nice.. thx man
10/10
Keep it Up!

Does sombady already know where to put this file intro MuWeb 0.8 ? I dont have alot expierence intro Websites or any coding so please can sombady tell me where to put this intro MuWeb 0.8 ?

Weedlord, try put it in includes/character.class.php, there are functions of add/manage accounts. But i think muweb 0.8 is already full secure from sql inject and u don't need use this script (i don't use muweb that is only my opinion).
Sry for my eng.

Savoy, do u release all script of xweb?

great man ...
thx

work 4 muweb ??

Thanks so much, good job:flag_schw

in muweb 0.8 u put this script into /includes/muweb.php
which makes the whole website become one blank page, which means that no, this script doesnt work with all websites -.-

nice job... creative idea, apply a double single quote rather than removing it... seems simple enough and effective.

for those ppl that dont know how to use this, just paste this at the top of your index.php you shouldnt have many problems... the script automatically filters all data...

Quote:

---

Originally Posted by anhnga

Wink Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by themad View Post
You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname=addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right ? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");

\' doesn't cut it with mssql...you have to use two single quotes in order to avoid it . Str_replace("'","'',$var);

The script i have brough simply filters ALL user inputed variables from browser to server and checks not to double filter ( i mean the ' to become '''''..etc.. ), effective and without having to check every single post/get var..

If you are using an addslashes() function as a protection..better change it fast..
Themad!
Please help me, how to add your script to muweb 08???, what file need to add....???
Thank!

---

I actually don't recommend using muweb 0.8 unless you redo all of the scripts, I have seen a lot of very effective scripts applied, including some of my own, get haxed on MW 0.8 :/

myea, i used to like muweb cause its so editable and simple. but now its plain garbage. unless someone comes up with the full and real fix to all the holes.
btw, i dont think this would work if u put in index.php, index.php is not the file whcih connects to mssql, if you put this in a file which actually has the connection scripts in it, page goes puff - blank.

Well this looks like it will work only way to find out is to use it.

I am using it and ill let you know if any intrusions occur while using it .

Thanks themad good release 9/10 :winky:

Quote:

---

Originally Posted by kirka121

myea, i used to like muweb cause its so editable and simple. but now its plain garbage. unless someone comes up with the full and real fix to all the holes.
btw, i dont think this would work if u put in index.php, index.php is not the file whcih connects to mssql, if you put this in a file which actually has the connection scripts in it, page goes puff - blank.

---

if you put it b4 the include "config.php"; or etc it clears all client controlled data before any scripts use that data... so its like:
open index.php
run the script //which fixed the data
connect to server //by including your connection file
call fixed data //like $account = $_POST['account'];
execute query with fixed data //you shouldn't need more protection than that... unless you want to be precaution ;)

basically it has to be executed before your sql scripts are executed, in theory, it should work just by putting it at the top of the index.php because the index.php is where the site comes together, if you want to feel more secure you could put it be for the area where you connect to the server, but it should work the same if you put it at the top of the index

hmm, okai, i l see if this works on the ultrahackable muweb 0.8 ;D

lolz gj 10/10
;]

I will allow this bump cus its useful.

If you do it again Kirka you'll be infracted.

um.. why exactly? because i replied to a 1year old topic? whats wrong with that?

thanks for the release !!!

don't use this script.. you will be hacked !

Quote:

---

Originally Posted by LuC1o08

don't use this script.. you will be hacked !

---

Care to bring some arguments to the table?

i added this script to my config.php , is ir right? :drool:

Big thanks for the script! Works perfectly! But how do I add a return text or redirection to other page if someone has been trying to inject?

el problema es que donde lo pongo?

gracias

to add this to your web you need to add that scribt into EACH web file that connect with your DATABSE

if there is already a script tag just add it above it if not you need add a sript tag blablabla... like

<?
ADD SQL INJECTION SCRIPT HERE
?>

ok now some ppl may say just add it to index.php since it includes all other stuff (this helps only against total retards^^) but the point is ppl dont need to use index.php they can navigate in the website easy by using ip/characters.php blabla and so on so you need to add it to EACH and i like to repeat it EACH file with db connection to be sure that you are safe ^^

Rephrased:

PHP Code:

---

function xw_sanitycheck($str){ return strpos(str_replace('\'\'','',' '.$str),'\'') ? str_replace('\'', '\'\'', $str) : $str; }

function secure($str){
    if (is_array($str))
        foreach($str AS $id => $value)
            $str["$id"] = secure($value);
    else
        $str = xw_sanitycheck($str);

    return $str;
}

function secure2(&$str){
    return secure($str);
}

secure2($_GET);
secure2($_POST);
secure2($_COOKIE); 


---