-
Php Effective Anti Injection Script -> No symbol block
I've been seeing all kinds of stuff about this topic. Everyone gets his site hijacked one way or another, so here is a script that should put an end to this.
This script is 100% effective and does not block/replace any symbols (including the '). The script is part of my web's security, but I decided to share it.
Just put it in the file that connects to the MSSQL server or ODBC data source.
PHP Code:
// Begin
/*
The muonline xweb base injection filter script
Mssql Injection Filter, Includes arrays
-----------------------------------------------------------------
Changelog: mu.vachev.net?mod=xweb
*/
// Escape one value for use inside a T-SQL string literal by doubling every
// single quote. A value whose quotes are already all doubled is returned
// unchanged, so the same input is never escaped twice.
function xw_sanitycheck($str){
    // Remove doubled quotes; any quote left over is a lone one. The leading
    // space means a match can never sit at offset 0, and the strict
    // comparison avoids mistaking offset 0 for "not found" in any case.
    if(strpos(str_replace("''", "", " $str"), "'") !== false)
        return str_replace("'", "''", $str);
    else
        return $str;
}
function secure($str){
    // Case of an array: filter every element, recursing into nested arrays
    if (is_array($str)) {
        foreach($str AS $id => $value) {
            $str[$id] = secure($value);
        }
    }
    else
        $str = xw_sanitycheck($str);
    return $str;
}
// Get Filter
$xweb_AI = array_keys($_GET);
$i=0;
while($i<count($xweb_AI)) {
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);
// Request Filter
$xweb_AI = array_keys($_REQUEST);
$i=0;
while($i<count($xweb_AI)) {
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);
// Post Filter
$xweb_AI = array_keys($_POST);
$i=0;
while($i<count($xweb_AI)) {
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);
// Cookie Filter (do we have a login system?)
$xweb_AI = array_keys($_COOKIE);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);
// End
The script executed in less than 0.01 seconds.
Compatible with: PHP 4.x.x/5.x.x+
Credits: Savoy
-
Re: [Release]Php Effective Anti Injection Script -> No symbol block
good release, next time add a [release] tag
-
Re: [Release]Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by Xurbus
good release, next time add a [release] tag
Totally forgot about that.. will keep that in mind next time
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Extremely nice :X :D thank you Savoy!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
I don't understand where I put it, pls help me, where do I put this? pllssssss
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Very nice and useful, keep up the good work! ^^
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Hello ppl, can you help me!!!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
pfff help pls, I don't understand where I put this code!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by CnC-Master
pfff help pls, I don't understand where I put this code!
OMG! READ!
Quote:
Originally Posted by themad
Just put it in the file that connects to the MSSQL server or ODBC data source.
And thanks a million for this script :))
This is really useful :))
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Can this be used in any kind of script?
btw gj
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by foxfirediego
Can this be used in any kind of script?
Positive..
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Thanks, good job :]
Which files connect to MSSQL/ODBC?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
ENG: Great 10/10!
BG: bravo 10/10!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Sorry for my noob question, but..
where do I paste this script?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
good release, useful :))
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Yes, how to put this code, where to put it in the file?
One file or all files in the web?
e.g.: Where to put it in MuWeb8.......
Thanks!!!!!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
When do you need this SQL anti-injection? All problems are in the ' quote and the ; symbol...
Use:
Quote:
if (!get_magic_quotes_gpc()) {
    $... = addslashes($_POST['...']);
} else {
    $... = $_POST['...'];
}
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
thx ;) Good job.
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by SlavOOn
When do you need this SQL anti-injection? All problems are in the ' quote and the ; symbol...
Use:
You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname = addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");
\' doesn't cut it with MSSQL... you have to use two single quotes in order to avoid it: str_replace("'", "''", $var);
The script I have brought simply filters ALL user-inputted variables from browser to server and checks not to double filter (I mean the ' becoming '''''.. etc.), effective and without having to check every single post/get var..
If you are using addslashes() as a protection.. better change it fast..
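The difference the post above describes, as an added example that is not part of the original post or the xweb script: the two escapers side by side on the thread's own input, and then the approach a practitioner should reach for instead of building SQL out of strings at all, a parameterized query. The example goes a step beyond the post in that respect. It assumes PHP 7.4 or newer; `tsql_literal`, `compare_escapers` and `fetch_resets` are names chosen here, and the PDO connection values in the comment are hypothetical. The table and column names are the ones used in the thread.

```php
<?php
// Added example, not from the original post or the xweb script.
declare(strict_types=1);

// A T-SQL string literal is terminated only by a single quote, and T-SQL
// escapes a quote inside a literal by doubling it. Backslashes carry no
// meaning inside the literal, which is why addslashes() does not help: the
// backslash it inserts becomes data and the quote after it still closes
// the literal.
function tsql_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Build the query text each escaper would produce for the same input, so
// the two can be compared side by side.
function compare_escapers(string $name): array
{
    return [
        'addslashes'   => "select Resets from character where Name='" . addslashes($name) . "'",
        'tsql_literal' => "select Resets from character where Name=" . tsql_literal($name),
    ];
}

// Preferred fix: a parameterized query. The value travels to the server
// separately from the SQL text, so no escaping of user input is needed.
// Assumes $pdo was opened with the sqlsrv driver, for example
// new PDO('sqlsrv:Server=DBHOST;Database=MuOnline', $user, $pass)
// (hypothetical connection values, not from the thread).
function fetch_resets(PDO $pdo, string $name): ?int
{
    $stmt = $pdo->prepare('SELECT Resets FROM [character] WHERE Name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['Resets'];
}

// Run the comparison on the constructed input quoted in the post above.
$input = "Fluffy'; drop table character";
foreach (compare_escapers($input) as $how => $sql) {
    echo str_pad($how, 13), $sql, PHP_EOL;
}
```

In the addslashes line the literal ends at the quote that follows `Fluffy\`, because SQL Server treats the backslash as ordinary data, so everything after it is parsed as SQL text; in the tsql_literal line the doubled quote keeps the entire input inside one literal. `fetch_resets` needs a live connection and is not called by the stand-alone run; with a prepared statement the driver sends the name as a parameter, so neither escaper is required.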
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by themad
You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname = addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");
\' doesn't cut it with MSSQL... you have to use two single quotes in order to avoid it: str_replace("'", "''", $var);
The script I have brought simply filters ALL user-inputted variables from browser to server and checks not to double filter (I mean the ' becoming '''''.. etc.), effective and without having to check every single post/get var..
If you are using addslashes() as a protection.. better change it fast..
Themad!
Please help me, how do I add your script to muweb 08??? What file do I need to add it to....???
Thanks!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by anhnga
Themad!
Please help me, how do I add your script to muweb 08??? What file do I need to add it to....???
Thanks!
I have not downloaded muweb like.. ever... I don't know how it's built... can't help you
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Hmm, my site uses sql_inject.php; if I put this script in it, would the script work?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
It is a nice script but it won't put an end to malicious attacks. In MUweb ppl could still get their board hacked by remote inclusion, in a web of czf there's xss... But the script does well enough to stop SQL injection. What I fear is blind SQL injection -.-
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Nice.. thx man
10/10
Keep it Up!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Does somebody already know where to put this file into MuWeb 0.8? I don't have a lot of experience with websites or any coding, so please can somebody tell me where to put this into MuWeb 0.8?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Weedlord, try putting it in includes/character.class.php, there are functions to add/manage accounts. But I think muweb 0.8 is already fully secure from SQL injection and you don't need to use this script (I don't use muweb, that is only my opinion).
Sorry for my English.
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Savoy, do you release all scripts of xweb?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
great man...
thx
does it work for muweb??
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Thanks so much, good job
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
In muweb 0.8 you put this script into /includes/muweb.php,
which makes the whole website become one blank page, which means that no, this script doesn't work with all websites -.-
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Nice job... creative idea, applying a doubled single quote rather than removing it... seems simple enough and effective.
For those ppl that don't know how to use this, just paste this at the top of your index.php and you shouldn't have many problems... the script automatically filters all data...
Quote:
Originally Posted by anhnga
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by themad
You really should do some reading....
The addslashes() is not a function to use for such a thing. Simply said:
$charname = addslashes("Fluffy'; drop table character"); // you should get Fluffy\'; drop table character; -- right? try to execute it and see what happens..
mssql_query("select Resets from character where Name='".$charname."'");
\' doesn't cut it with MSSQL... you have to use two single quotes in order to avoid it: str_replace("'", "''", $var);
The script I have brought simply filters ALL user-inputted variables from browser to server and checks not to double filter (I mean the ' becoming '''''.. etc.), effective and without having to check every single post/get var..
If you are using addslashes() as a protection.. better change it fast..
Themad!
Please help me, how do I add your script to muweb 08??? What file do I need to add it to....???
Thanks!
I actually don't recommend using muweb 0.8 unless you redo all of the scripts; I have seen a lot of very effective scripts applied, including some of my own, get haxed on MW 0.8 :/
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Yeah, I used to like muweb because it's so editable and simple, but now it's plain garbage, unless someone comes up with the full and real fix to all the holes.
btw, I don't think this would work if you put it in index.php; index.php is not the file which connects to MSSQL, and if you put this in a file which actually has the connection scripts in it, the page goes puff - blank.
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Well, this looks like it will work; the only way to find out is to use it.
I am using it and I'll let you know if any intrusions occur while using it.
Thanks themad, good release 9/10 :winky:
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by kirka121
Yeah, I used to like muweb because it's so editable and simple, but now it's plain garbage, unless someone comes up with the full and real fix to all the holes.
btw, I don't think this would work if you put it in index.php; index.php is not the file which connects to MSSQL, and if you put this in a file which actually has the connection scripts in it, the page goes puff - blank.
If you put it before the include "config.php"; or similar, it clears all client-controlled data before any scripts use that data... so it's like:
open index.php
run the script // which fixed the data
connect to server // by including your connection file
call fixed data // like $account = $_POST['account'];
execute query with fixed data // you shouldn't need more protection than that... unless you want to be cautious ;)
Basically it has to be executed before your SQL scripts are executed. In theory, it should work just by putting it at the top of index.php, because index.php is where the site comes together; if you want to feel more secure you could put it before the area where you connect to the server, but it should work the same if you put it at the top of the index.
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
hmm, okay, I'll see if this works on the ultra-hackable muweb 0.8 ;D
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
I will allow this bump because it's useful.
If you do it again, Kirka, you'll be infracted.
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
um.. why exactly? Because I replied to a 1-year-old topic? What's wrong with that?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
thanks for the release !!!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
don't use this script.. you will be hacked!
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Quote:
Originally Posted by LuC1o08
don't use this script.. you will be hacked!
Care to bring some arguments to the table?
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
I added this script to my config.php, is it right? :drool:
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
Big thanks for the script! Works perfectly! But how do I add a return text or a redirection to another page if someone has been trying to inject?
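One way to approach the question above, as an added example that is not part of the original post or the xweb script: rather than redirecting whenever the filter touches a value (a legitimate name such as O'Brien contains a quote and would trip that), wrap the filter so it records which request keys it had to change and write one audit line per request; those lines can then be reviewed or fed to whatever alerting is in place. The wrapper takes the filter as a callable, so the thread's `secure()` could be passed in unchanged; the one-line closure below only stands in for it so the file runs on its own. It assumes PHP 7.4 or newer; `filter_with_audit`, `log_filter_hits` and the sample request data are constructed here.

```php
<?php
// Added example, not from the original post or the xweb script.
declare(strict_types=1);

// Recursively apply $filter to every scalar in $data. Returns the filtered
// copy together with the dotted path of each value the filter altered.
// Values are cast to string first, which is what superglobals hold anyway.
function filter_with_audit(array $data, callable $filter, string $prefix = ''): array
{
    $changed = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $sub = filter_with_audit($value, $filter, $path);
            $data[$key] = $sub['data'];
            $changed = array_merge($changed, $sub['changed']);
        } else {
            $original = (string) $value;
            $filtered = $filter($original);
            if ($filtered !== $original) {
                $changed[] = $path;
            }
            $data[$key] = $filtered;
        }
    }
    return ['data' => $data, 'changed' => $changed];
}

// One audit line per request in which the filter changed something. Only
// key names, the script path and the client address are written, never the
// raw values, so the log cannot be polluted by the submitted data itself.
function log_filter_hits(array $changed, string $source): void
{
    if ($changed === []) {
        return;
    }
    $line = sprintf('[sql-filter] %s %s from %s altered %s keys: %s',
        date('c'),
        $_SERVER['SCRIPT_NAME'] ?? 'cli',
        $_SERVER['REMOTE_ADDR'] ?? 'local',
        $source,
        implode(',', $changed));
    error_log($line);
}

// Stand-in for the thread's xw_sanitycheck(): double every single quote.
$escape = static fn(string $s): string => str_replace("'", "''", $s);

// Constructed request data: a harmless apostrophe, a nested value that
// reuses the thread's own example input, and a field needing no change.
$fake_post = [
    'account' => 'obrien',
    'name'    => "O'Brien",
    'filters' => ['class' => 'DK', 'note' => "Fluffy'; drop table character"],
];
$result = filter_with_audit($fake_post, $escape);
log_filter_hits($result['changed'], 'POST');
$_POST = $result['data'];
```

On the constructed data the audit reports `name` and `filters.note`, which illustrates why an automatic redirect on every hit is a poor idea: the first is an ordinary surname and only a person looking at the log can tell the two apart. In a real deployment the call would run on the actual `$_POST`, `$_GET` and `$_COOKIE` arrays before any file that connects to the database is included.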
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
The problem is, where do I put it?
Thanks
-
Re: [Release] Php Effective Anti Injection Script -> No symbol block
To add this to your web you need to add that script into EACH web file that connects with your DATABASE.
If there is already a script tag, just add it above it; if not, you need to add a script tag blablabla... like
<?php
ADD SQL INJECTION SCRIPT HERE
?>
OK, now some ppl may say just add it to index.php since it includes all other stuff (this helps only against total retards^^), but the point is ppl don't need to use index.php, they can navigate the website easily by using ip/characters.php blabla and so on, so you need to add it to EACH, and I like to repeat it, EACH file with a db connection to be sure that you are safe ^^
-
Re: Php Effective Anti Injection Script -> No symbol block
Rephrased:
PHP Code:
function xw_sanitycheck($str){
    // Strip already-doubled quotes; a lone quote left over means the value
    // still needs escaping. The leading space keeps a match from landing at
    // offset 0, so strpos() is never 0 and the truthiness test is safe.
    return strpos(str_replace("''", "", " $str"), "'") ? str_replace("'", "''", $str) : $str;
}
function secure($str){
    if (is_array($str)) {
        foreach($str AS $id => $value)
            $str[$id] = secure($value);
    } else {
        $str = xw_sanitycheck($str);
    }
    return $str;
}
// Takes the array by reference and writes the filtered copy back into it;
// merely returning secure($str) would leave the superglobal untouched.
function secure2(&$str){
    $str = secure($str);
}
secure2($_GET);
secure2($_POST);
secure2($_COOKIE);
secure2($_REQUEST); // separate copy of GET/POST/COOKIE data, so it needs its own pass