Anti Sql Injection Protection

Here is some Easy Ways To protecting Your website .. from Different Type of Security Holes.

A. SQL INJECTIONS

Quote:

---

How to Use.
1. download the file , put in the same folder as the php file
2. Below are the how to use.. Put these on the top of the page just after <?

PHP Code:

---

require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect); 


---

3. THis is the Sql Injection Checker

PHP Code:

---

$sqlinject->test($your_sql_data); 


---

Explaination:
require_once "sql_inject.php"; < calls the file protector file
$bDestroy_session = TRUE; < this stops any session they on
$url_redirect = 'index.php'; < if they do a sql injection they are moved to this page
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect); < this to start the sql injection protection ( also ./log_file_sql.log is the file wer all the attempt are put in.. for u to ban later on ... hehehehhe)

$sql_inject->test($your_sql_data); < this is the implementation of the anti sql injector. where $your_sql_data is the mssql query string.

Thats my best explaination.. im too lazy now.. if u made it work.. try to explain to the others.

Dont pm me about this please..

Additional Info:

PHP Code:

---

<?

require_once "sql_inject.php"; 
$bDestroy_session = TRUE; 
$url_redirect = 'index.php'; 
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect); 

// some line here
// more lines here.. blah blah blah

//below is a little trick to do a post variable on this page.. as u can see the post variable [B]login[/B]  is already been injected with a drop table on memb_info and clevel = 350
$_POST['login'] = "%%'; drop table memb_info ; update character set clevel = 350ere name = '%%"; 
// this type of sql injection is trying to execute more SQL data

// then like any normal page.. u read the $login variable (we can even try to stripslashes it)
$login = stripslashes($_POST['login']);

//your sql query string 
[COLOR=DarkRed]$query[/COLOR] = "Select Name From Character where name = '$login'";
//normally you would check  $something for sql injection, but in this case, due to the new anti sql injection the entire query string can be analysed..

// to analyse query string we do this
$sqlinject->test([COLOR=DarkRed]$query[/COLOR]); 

//now that we checked it.. we can query it
$result = mssql_query([COLOR=DarkRed]$query[/COLOR]);

// more lines here.. blah blaah

?>

---

--- above would make a new file in ur folder called. log_file_sql.log make sure u make ur folder writable :)
--- now i test the sample php file above.. it works like a charm. :)
UPDATE FOR SOME TYPOS!

---

B. STOPING OFF DOMAIN TRANSACTIONS

Quote:

---

- one of the bigger holes in any website is forms.. cause when u make them.. it doesnt really mean they that way always.. people can just download the form.. edit the action, and send anything they want to your server. This is widely used by the sql injectors.

How to Stop. The Idea is On the Other side of ur Forms... U will have Referral Check. Referal Means the last page that was used before the current one.

Put this on ur a File Ur targeting as an Action on a form.

PHP Code:

---

if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
    die ( 'Hacking attempt. Your are such a Nooby!.. ' ); 
** 


---

-- above is checking if the last referral was from the http://www.supamu.info domain. if not it stop the entire page from loading any further. wat u can also do is add a logging system to this, which ill do in the next tutorial.

---

C. Adding a Simple Auto File Logger To your Website

This is to catch those hacking attempts on a FILE! The anti Sql Injector already has it's Own Logging system.. but this is for those other stuff u want to log. like for example. The Referral Check.

here is the main function for the logger (u need to put this somewer on ur php file a global insert file)

PHP Code:

---

function filelogs($type, $info, $muser) {
$agent = $_SERVER['HTTP_USER_AGENT']; 
    $uri = $_SERVER['REQUEST_URI']; 
    $ip = $_SERVER['REMOTE_ADDR']; 
    $ref = $_SERVER['HTTP_REFERER']; 
    $dtime = date('r'); 
     
    if($ref == ""){ 
        $ref = "None"; 
    ** 
    if($user == ""){ 
        $user = "None"; 
    ** 
    $location = "/";
    $type = $location . $type . ".txt";
    $entry_line = "$dtime - IP: $ip | Agent: $agent  | URL: $uri | Referrer: $ref | Username: $muser | Query : $info \n"; 
    $fp = fopen("$type", "a"); 
    fputs($fp, $entry_line); 
    fclose($fp); 
** 


---

How to Use is like Simple Like this

PHP Code:

---

   filelogs('filename', $additionalinfo, $theusername); 


---

filename = just to separate from one kind of logs to another
$additionalinfo = this is some info u wanna include in the logs like queries or the current referrer's address
$theusername = if u have cookies.. u can put them here.. so ull know who to ban for this acts.

A sample script.. this is combined with the the Referral Filter on B

PHP Code:

---

if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
   
   filelogs('account-creat', $_SERVER['HTTP_REFERER'], $_POST['Member_ID']);
   die ( 'Hacking attempt. Your are such a Nooby!.. ' ); 
** 


---

Ill do more later.. Just ask here if u wanna me to do any kind of protection.

Ow.. if u are asking wat it actually stops..

it stops:
1. More sql query to be runned.
2. always true expression
3. Try to modify it's right injection

It doesnt stop Update DROP or any illegal words but ... it then again it doesnt need to stop those cause u already stoping it from making a second query.

Hello!
I have a question about your sql injection
about this:

2. Below are the how to use.. Put these on the top of the page just after <?

PHP Code:

Wat is the page that i have to put this file i mean the php code?
it is in config.php?

plsss reply

Is this the basic foundation of MuToolz or something different?

nice one.... hope hackers cant get into my php...

Stuck. If you come up with any further help try to combine it with this.

this is totaly difference.. the public release of Mutoolz doesnt have this..

here is a sample of a php file ...

<?

require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect);

// some line here
// more lines here.. blah blah blah

//your sql query string
$query = "Select Name From Character where name = '$something'";
//normally you would check $something for sql injection, but in this case, due to the new anti sql injection the entire query string can be analysed..

// to analyse query string we do this
$sqlinject->test($query);

//now that we checked it.. we can query it
$result = mssql_query($query);

// more lines here.. blah blaah

?>

Nice job john_d :)

uR ALive.. bahahahhaa.. get me on yahoo dude.. lolz

I have one problem... look this

Fatal error: Call to a member function on a non-object in c:\apache\www\teste.php on line 18

Its only for PHP websites, right? if I run ASP website so I dont need this?

Hello guys nice job but i got this problem too??

Fatal error: Call to a member function on a non-object in c:\appserv\www\includes\config.php on line 26

can u help me guys.. plsss..thankss...

try reading the sample again.. i fixed the it ...

john_d, im a little seek , the next week i be online :D

post here for website ASP!!!!

i just stick the file in the folder?
and in ALL of the pages i place require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;

// some line here
// more lines here.. blah blah blah

//your sql query string
$query = "Select Name From Character where name = '$something'";
//normally you would check $something for sql injection, but in this case, due to the new anti sql injection the entire query string can be analysed..

// to analyse query string we do this
$sql_inject->test($query);

//now that we checked it.. we can query it
$result = mssql_query($query);

// more lines here.. blah blaah
----------------------------------------------------------------------
right after after <?

waaaaaaaaaaaat.?

damn, so im completly wrong?

only for php like (e.g : MU Global Scripts site)

any php script u have running this can be use to protect it.

koaru* .. upload a sample page u updated. .let me see if it is good to go.

Now why when I did one, did it not get a sticky? Half the code in this is Cyndres, the other half is john_d's. He started working on it, I turned it into a class, and made quite a few tweaks to it and mine didnt get a sticky. Only certain people get credit for their work or what?

actually wat cyndre did.. was a illegal word and character checker... this is a different kind of checking.. if u look at the code. ull notice the differnce.

Now, for us who don't know SQL Injection, who would we know and test if this script is really working?

I did look at the code. Instead of being a fast include, its now almost 5 times as long. Mine worked just fine, you just wanted to say it was yours. The longer the code, the more cpu usage. Mine was more then just an illegal word and char checker. If their was an illegal word in it, it took it right out of the code, and it gets rid of all illegal chars that are used to mess up sql. Your function is basicly identical to mine.

Mine

function protect1($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", ">", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[a-zA-Z0-9@]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
** else {
//echo "-";
echo $protected;
die ( ' Is invalid for that spot, please try a different entry.' ); // Message if thier is any characters not in [a-zA-Z0-9].
** // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
** // ends the function Protect() {

Yours

function protect1($protected) { // This Will be the fuction we call to protect the variables.
$banlist = array ("'", "\"", "<", "\\", "|", "/", "=", "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace", "handler", "like", "procedure", "limit", "order by", "group by", "asc", "desc");
//$banlist is the list of words you dont want to allow.
if ( eregi ( "[a-zA-Z0-9@]+", $protected ) ) { // Makes sure only legitimate Characters are used.
$protected = trim(str_replace($banlist, '', $protected)); // Takes out whitespace, and removes any banned words.
return $protected;
//echo "+";
** else {
//echo "-";
echo $protected;
die ( ' Is invalid for that spot, please try a different entry.' ); // Message if thier is any characters not in [a-zA-Z0-9].
** // ends the if ( eregi ( "[a-zA-Z0-9]+", $this->protected ) ) {
** // ends the function Protect() {


So are you now willing to give credit where credit is due? Whos notes are still in your anti sql injection? At least when I used your original in my class, I gave you credit.

Ow.. u mean.. those things.. lolz.. i just put them on there.. as a test.. they are not event used.. lolz..

Sorry.. dude.. if u want i can remove them.. i kinda forgot to remove... i cant remember why put them there.. :)

LOLz! Speaking about copyright... :thumbup:

Quote:

---

Originally Posted by Hackzone

Now, for us who don't know SQL Injection, who would we know and test if this script is really working?

---

check out the sample i gaved.. there is a variable there.. that is used.. for testing the anti sql injection.. and it is sved into the log file

Fatal error: Call to a member function test() on a non-object in D:\MuReg\login.php on line 11

$query = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='$login'";
$sql_inject->test($query); //line 11
$sql_username_check = mssql_query($query);

umn.. help?
me stupid or error in code?

Fuck U

help anyone?

Quote:

---

Originally Posted by StrEagle

Fatal error: Call to a member function test() on a non-object in D:\MuReg\login.php on line 11

$query = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='$login'";
$sql_inject->test($query); //line 11
$sql_username_check = mssql_query($query);

umn.. help?
me stupid or error in code?

---

Dude.. check the example.. u must put the Header Code on top of the page to Initialize the anti injection

Read the Example Properly

Hi John, its me again ^^

Maybe i am just plain dumb or whatever but i cant understand what to do with those lines of code.

Ok, i understand that i have to add some piece of code to the top of my page. Here's my first problem. WHICH PAGES??

Now i see, that you told us to use another piece of code to protect the sql query string, correct? Should i modify every single query string or what?

Sorry for these questions but i am really a php nooby so i need your help.

Cheers

//edit

I am using your MuSite Scripts 2.0

any pages.. that has a sql query involved.

better to be safe than sorry ..

found the problem:
$sql_inject->test($your_sql_data);
i copied the code before you had fixed it..
now it works
1-st day and already 1 attempt
gj

Quote:

---

Originally Posted by SubSonic

Hi John, its me again ^^

Maybe i am just plain dumb or whatever but i cant understand what to do with those lines of code.

Ok, i understand that i have to add some piece of code to the top of my page. Here's my first problem. WHICH PAGES??

Now i see, that you told us to use another piece of code to protect the sql query string, correct? Should i modify every single query string or what?

Sorry for these questions but i am really a php nooby so i need your help.

Cheers

//edit

I am using your MuSite Scripts 2.0

---

no, not all
only those, in wich the queries use info entered from the user
if you can't make difference - put on all!

ill regularly post IP that attempted those.. u should to.. it is so funny to catch those hackers.. bahahahah!

my server is BG only, because my international connection is 10k..
so no point..
i have 2 bg hackers..

To joh_d,
I follow ur guide to each page of my websites, but unfortunately i got hacked,......... that's awful
When i meet the hacker, he said that he attacked by the SQL script hole....
Is there any solution for this kind of hacking
Can u help me? i will appreciate it very much.

waaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Isnt it easier to just check for string delimiters (') on string params and use intval on integer params ?

goood work john_d...very nice...

regards.shang ^_^

As we speak here about security, it would be useful to speak about crypting stored data at user's computer, for example cookie values. Because storing for example e-mail or login information it is a potential security hole. If not for server itself, but even for a player's account. Also this information may be used to execute sql injection. Any ideas?

That works good for 2 weeks hope no one hacks me >.<

1st. thing.. if u want to encrypt ur cookies.. in my mutoolz.. try getting the protector.php and get the two functions.

one is for exncrypting and other one is decrypting.. both use a hash method.. which is very difficult to crack if the hacker doesnt know ur hash or secret decode code.

2. Aramis.. to check of (') .. lolz.. who are u kidding.. people would just use html url decoded string like %20 or %27 which php will eventually convert back .

3. Marcus84, i believe it has nothing to do with the anti injection.. it will only protect against things u set it to protect.. try looking at ur website again.. and see if u left something.

ok... this script is great... it does it work but I have a problem with a page I created for password reseting:

here's the code:

PHP Code:

---

<?
include("file.inc.php");

if(!$_POST['pwd_change'])
{
?>
<form name="change_pass" method="post" action="<?$_SERVER['PHP_SELF']?>">
  <table width="100%"  border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td>Username:</td>
      <td><input name="member" type="text" id="member"></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input name="kodikos" type="password" id="pass"></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input name="pwd_change" type="submit" id="pwd_change" value="Change Pass!">
      <input name="rst" type="reset" id="rst" value="Cancel"></td>
    </tr>
  </table>
</form>
<?
**
else
{
    $sql = "SELECT * FROM MEMB_INFO WHERE memb___id = '".$_POST['member']."' OR 1=1";
    $sqlinject->test($sql);
    $result = @mssql_query($sql);
    $num_rows = @mssql_num_rows($result);
    if($num_rows <= 0) 
    { 
        echo 'No records found in database.<br>';
        exit();
    **
    if(!$result) 
    { 
        echo 'Couldn\'t execute SELECT query<br>';
        exit();
    **
    //$num_rows = mssql_num_rows($query);
    
    $row = @mssql_fetch_array($result);
    

        echo "<font style=\"font-family: tahoma, verdana, arial; font-size: 12px\">Password for <b>".$_POST['member']."</b>, is: <b>".$_POST['pass']."</b></font><br>";
        $query = "UPDATE MEMB_INFO SET memb__pwd = '".$_POST['kodikos']."', memb___id = '".$_POST['member']."' WHERE memb___id = '".$_POST['member']."'";
        $sqlinject->test($query);
        $update = @mssql_query($query);
        if(!$update) 
        { 
            echo 'Couldn\'t execute UPDATE query<br>';
        **
    
mssql_close(); 
**

?>

---

here's the file.inc.php:

PHP Code:

---

<?php
session_start();
require_once "sql_inject.php"; 
$bDestroy_session = TRUE; 
$url_redirect = 'index.php'; 
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect);

$dbhost = "localhost";
$dbuser = "some user";
$dbpass = "some pass";
$dbname = "MuOnline";

//connect database
$dbconn = @mssql_connect($dbhost, $dbuser, $dbpass);
if(!$dbconn) 
{ 
    echo 'Couldn\'t connect to database<br>';
**
mssql_close(); 
//select database name
$dbname = @mssql_select_db($dbname, $dbconn);
if(!$dbname) 
{ 
    echo 'Couldn\'t select database<br>';
**
mssql_close(); 
?>

---

at the first script you see that: $sql = "SELECT * FROM MEMB_INFO WHERE memb___id = '".$_POST['member']."' OR 1=1";??? The red letters are the injection since 1 is always equal to 1 so SQL shows all the results of your database. Now, what the injector scipt would normally do is to display another page istead of the page with all the dbase info, but it doesn't. It logs that someone injected into the database at the log file but it doesn't redirect the user to the page I specified. Instead it shows the page with the user name and pass that passed through the form. (And yes it changes the user name pass that was passed through the form).

Am I doing something wrong?

P.S: why this forum change all closing brackets to two asterisks? (**)

how it works is.. that.. if u type ur injection directly into the query, it doesnt stop it.. it just logs it.

It is kinda smart.. it detects u are the one who actually did the sql injection.. so wat u need to do is.. do wat all hackers do.. modify ur form and send the OR 1=1 (sample blah' OR 1=1 )something like that.

how it works is.. that.. if u type ur injection directly into the query, it doesnt stop it.. it just logs it.

It is kinda smart.. it detects u are the one who actually did the sql injection.. so wat u need to do is.. do wat all hackers do.. modify ur form and send the OR 1=1 (sample blah' OR 1=1 )something like that.

thats why on my sample.. i put a $_POST['variablename'] instead of a normal variable declaration..

on the side note.. u have no problem with POST and GET variables if u turn off register_global in php.ini that will stop anyone from making up new variables in the url and in the form.

but this is only site protection how can i protected my server from hacker. they are making exc items but hey are not gm :/ help me pls

I MUST WARN EVERY ONE, THAT THIS SCRIPT ISN'T STOPPING ALL KIND OF SQL INJECTIONS.
If you use it, every middle knowledge programmer may hack your site. Source need to be corrected in some places. My opinion is that the biggest hole that script isn't checking bare words (select, update,...) of the variables, because we may pass protection for all above methods of checking but words are words you can't pass them.

well if u can hack my website dude.. ill give u a medal. :) all im using is that script

john_d i've earned my small medal? :rolleyes:

HI, i've not tested the script yet but analyzing the code it look's like it works pretty well!
Great Job m8!

One simples question:
Does SQL Injection works with mysql too or only with Sql Server? if so i'm fucked! lol

Pidarasi nahuj sam hack bilo zapuskatj v funkciji!!!!!!!!!!!!![QUOTE]

im not gonna read thru this whole thead right now since RZ is slow ATM, but all u need to do is limit your chracter fields to a max of 10-12, and deny sertain chracters in text fields such as ' - ; and ( )

Quote:

---

Originally Posted by john_d

check out the sample i gaved.. there is a variable there.. that is used.. for testing the anti sql injection.. and it is sved into the log file

---

I make exactly as you said and it works fine, except is not writing the log file whith the ip of the person that as tried tu use injection as:
$sqlinject = new sql_inject('./log_file_sql.log'

try making the file manually. set it to have write permission...


ssddss... that would now a variable checker.. the posted above is a entire query checker. and i do have a variable checker. posted a long time ago here..

also included in the file is a class version of the variable checker,. rewriten by cyndre based on my old variable checker funtion.

Sorry, after i make some tests i veryfy "anti sql injection" is not workin on my page :(, sure i have done something wrong, so, one more time i ask your help, because database of my mu server as been destriod for 3 times.

here is top of one page of my server (login.php):

<?php require 'includes/config.php'; ?>
<?php
$Member_Pass = stripslashes($_POST['Member_Pass']);
$Member_Id = stripslashes($_POST['Member_Id']);
$pass = $Member_Pass;
$login = $Member_Id;
$hack_array = array("'");
$hack_replace = array("");
$pass_replaced = str_replace($hack_array, $hack_replace, $pass);
$login_replaced = str_replace($hack_array, $hack_replace, $login);

$sql_username_check = mssql_query("SELECT memb___id FROM MEMB_INFO WHERE memb___id='$login_replaced'");
$username_check = mssql_num_rows($sql_username_check);
$sql_pass_check = mssql_query("SELECT memb__pwd FROM MEMB_INFO WHERE memb__pwd='$pass' AND memb___id = '$login_replaced'");
$pass_check = mssql_num_rows($sql_pass_check);
if (empty($login_replaced) || empty($pass_replaced) || ($username_check <= 0) || ($pass_check <= 0)) {
if (empty($login_replaced) || empty($pass_replaced))
echo '<style type="text/css">
bla bla bla bla
bla bla bla

Now i know i have to insert this on the top after <? :
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;

and i have to copy the file "sql_inject.php" to my www, but what i don't know is how it stand exactly on my loging.php, because in my case don't work.
Can you show-me how it will stand on the example a have puted here.

Sorry for my bad english
thank you

poor me, i came here at the wrong time, my database got hacked just now... :(

i can bypass the script that john_d posted here. the best fight to SQL injection is what ssddss said, check field's character lengths - limitting them to 10~12~14~etc. depending on maximum requirement because the fastest SQL Injection method ( that is ';DROP TABLE Character; ) is 23 letters long, disable ' and " characters on every field except when implementing resets for characters (character names can have ' and " characters), and insert a regexp check on email field input.

huj wam w dupe :)

--------------------
Some things i think are important.

Mutoolz
Protecting your website 101
Hex Guides
A very Useful Map of the Useful Thread In Ragezone
My MU server SupaMU

Fixed and Modified protection made by a hacker that I caught into my server..
Seems to work better, check it out :wub2:

Quote:

---

Originally Posted by gam3r_3xtr3m3

i can bypass the script that john_d posted here. the best fight to SQL injection is what ssddss said, check field's character lengths - limitting them to 10~12~14~etc. depending on maximum requirement because the fastest SQL Injection method ( that is ';DROP TABLE Character; ) is 23 letters long, disable ' and " characters on every field except when implementing resets for characters (character names can have ' and " characters), and insert a regexp check on email field input.

---

what is "regexp check" on email field input?

Quote:

---

Originally Posted by StrEagle

Fixed and Modified protection made by a hacker that I caught into my server..
Seems to work better, check it out :wub2:

---

ok.. i read throught it.. and it is ok..

added these new lines

PHP Code:

---

//SQL injection got '--'
            if (is_int(strpos($v,'--')))
            {
                return $this->detect();
            **
            //SQL injection got ';'
            if (is_int(strpos($v,';')))
            {
                return $this->detect();
            ** 


---

just two quick hack detects... commonly used by the sql injectors. the program works without it.. but if somehow they pass thru the first check.. a second check would be useful...

this is also serves as a basis for new checks,. for anyone who want to add there own.

-- Ok ... This Anti Sql injection was design to protect ur forms in ur website.. and the mssql queries after u submit ur forms. ++ the other things i added two this post.. ur form should be we well protected.
But that doesnt mean ur website cant get hacked too... there is plenty of things they still can do, depending on the design the program flow of ur website.

Mutoolz V1 (unreleased) should sheed some light on some new and should have been implemented protections to any website.

My server got hacked this weekend. I am using IOD's php files.
1) Do I stop vulnerability against sql-injection when I close online registration?
2) What are Forms plz? Variables?? And how to protect them?
3) At the end I have to protect the email input (>14 characters)?
4) Tried this antisqlinjection yesterday. When I run the test, my MEMB_INFO was gone, :chair: not so funny :eh:
I am shure I made something wrong, but I don't get it where.
Here my code:

<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
require 'config.php';
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
?>
<?php
$ps_loginname = stripslashes($_POST['ps_loginname']);
$ps_loginname = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
// this type of sql injection is trying to execute more SQL data

$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
.
.
.and so one.........

Quote:

---

Originally Posted by Z80

My server got hacked this weekend. I am using IOD's php files.
1) Do I stop vulnerability against sql-injection when I close online registration?
2) What are Forms plz? Variables?? And how to protect them?
3) At the end I have to protect the email input (>14 characters)?
4) Tried this antisqlinjection yesterday. When I run the test, my MEMB_INFO was gone, :chair: not so funny :eh:
I am shure I made something wrong, but I don't get it where.
Here my code:

<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
require 'config.php';
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
?>
<?php
$ps_loginname = stripslashes($_POST['ps_loginname']);
$ps_loginname = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
// this type of sql injection is trying to execute more SQL data

$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
.
.
.and so one.........

---

ur problem.. is easy to see.
when u first got the variable.. $ps_loginname u set it to have the $_POST['ps_loginname'];
then on the next line u completely remove the POST with a normal and variable...

so the anti sql injection is thinking ok.. it wasnt really send from a login box (FORM) so the owner must have set it for me to run.. so the script runned the command.

Note: The Anti Sql injection was design to STOP POST and GET VARIABLES from being inserted with bad injections.

if u really wanna test .. change this

PHP Code:

---

$ps_loginname = stripslashes($_POST['ps_loginname']);
$ps_loginname = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%"; 


---

into this

PHP Code:

---

$_POST['ps_loginname'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%"; 
$ps_loginname = stripslashes($_POST['ps_loginname']); 


---

1) OK, now I've got this - sqlinject is working fine now!
2) Now the forms: :eh:
You wrote this at the beginning:

Put this on ur a File Ur targeting as an Action on a form.

PHP Code:
if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**
I really don't understand what do you mean. Could you give an exaple, plz?

3) Do you have a recomendation for good book, where I can learn this?
I feel so stupid and helpless with all this php (and its so familiar with C++)

Thanks a lot for your patience.

Anyway no matter how perfect are php scripts if you have port 55960 open for incoming data to dataserver.exe you are full open for any update on table character and warehouse

Then that would be Sql Injection Dude.. then that would be Packet Injection.. which is an entirely new topic (.. though there is way to stop that )

anyway...

Quote:

---

PHP Code:
if (stristr($_SERVER['HTTP_REFERER'], 'http://www.supamu.info') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**

---

that piece of code is used on target pages for forms.

lets say u have pk.php (a file there they enter their username and character name to submit for pk clear) let say absulote path to pk.ph is http://www.mywebsite.com/pk.php

and u then have pkok.php ( a file wer all the mssql queries are put, and is the target for the pk.php)
lets say again the absolute path is http://www.mywebsite.com/pkok.php

the main problem with sql injection is that they can save ur file which is pk.php to there computers and edit it anyway they can. so any limitation u set on the pk.php file .. will no longer take effect.

to solve this problem we add this like to pkok.php

Quote:

---

if (stristr($_SERVER['HTTP_REFERER'], 'http://www.mywebsite.com/pk.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**

---

wat this does it.. if the website who sumbit the form is not ur own pk.php and not their edit version. THis will stop it dead.

Do I have to check after every $_POST, or do I have to check it only once?
Last problem is the function filelogs:

function filelogs($type, $info, $muser) {
$agent = $_SERVER['HTTP_USER_AGENT'];
$uri = $_SERVER['REQUEST_URI'];
$ip = $_SERVER['REMOTE_ADDR'];
$ref = $_SERVER['HTTP_REFERER'];
$dtime = date('r');

if($ref == ""){
$ref = "None";
** What for those asterix?
if($user == ""){
$user = "None";
** What for those asterix?
$location = "/";
$type = $location . $type . ".txt";
$entry_line = "$dtime - IP: $ip | Agent: $agent | URL: $uri | Referrer: $ref | Username: $muser | Query : $info \n";
$fp = fopen("$type", "a");
fputs($fp, $entry_line);
fclose($fp);
**
Where do I have to declare this function as a global function and how? :eh:

We are almost through! :thumbup:
Anyway you did a great job! :icon6: :icon6:

Quote:

---

Originally Posted by doorf

Anyway no matter how perfect are php scripts if you have port 55960 open for incoming data to dataserver.exe you are full open for any update on table character and warehouse

---

Whithout search buttom, its very hard to find those threads! :eh:

I suppose my server was hacked with packet injection.
They could retrieve their passwords, after I changed them.
I am using Sygate Firewall and port for DS1 is open! If I close it, players cannot connect anymore. Is there a way to configure the firewall to block only incoming trafic?

those two asteris (**) are really close braces ... this forum disables them.. i have no idea why.. (protection maybe)

to declare a function.. u must either include them in ur header file or put them on the very top of ur php page right below the <? (which would mean php code starts here)

on using them.. is easy.. just stick to the example.

Thx, with your help I got everything running. :thumbup: Now my tests:

I tried to inject my server. I entered this:
Login ID: "update
Name: character;
E-mail: set clevel='350' where Name='WurliWiz'
Password: sepp
Recovery Question: a
Recovery Answer: b
Number: 11111111111

and got this bunch of warnings:

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: strpos(): Empty delimiter. in c:\appserv\www\sql_inject.php on line 137

Warning: mssql_query(): message: Line 1: Incorrect syntax near '350'. (severity 15) in c:\appserv\www\idreg.php on line 111

Warning: mssql_query(): Query failed in c:\appserv\www\idreg.php on line 111

Warning: mssql_num_rows(): supplied argument is not a valid MS SQL-result resource in c:\appserv\www\idreg.php on line 113

Warning: mssql_query(): message: Line 1: Incorrect syntax near '350'. (severity 15) in c:\appserv\www\idreg.php on line 143

Warning: mssql_query(): Query failed in c:\appserv\www\idreg.php on line 143

Your account has been created succesfully:

The account was not greated! Nothing happened. Execpt the ugly warnings, which are showing the file names of the pages.
If I understood correctly, the function sqlinject should detect the '#' as a forbidden character and also the rest of the words who are all in the ban list, and should move to index.php.
But this is not the case.
Are I just a stupid "hacker" or whats wrong? :animal_ro

thats not how to hack ur server.. those are causing errors in ur script. which should be stop before any sql injection test should be done.

Learn how to filter ur entries.

Quote:

---

Originally Posted by john_d

thats not how to hack ur server.. those are causing errors in ur script. which should be stop before any sql injection test should be done.

Learn how to filter ur entries.

---

The problem is in sqlinject, not in the register script!
If you just put as loginname: 'select' your script has troubles.
It goes wrong here:
function _in_post($value)
{
foreach($_POST as $i => $v)
{
if (is_int(strpos(strtolower($v),$value))) return TRUE;
**
return FALSE;
What has to be filtered from the string before you can send it to sqlinject?

I know I am a pain in the a... , but I try just learning and understanding, like most of us here. :eh:

The function sqlinject has those problems with the characters ; and '

if i had a choice i would stop all kind of signatures for Sql injection.. problem.. u can only do so much cause the game engine allows so many characters. to be used

I was not quite right! :eh: the ; is working. So is just the ' left.
So we have to chek this at reg.php site. Should be a minor problem :icon6:
Again, you did really a great job, and this threat must be a sticky. Just look, how many readers you have here! :thumbup:

like i said before.. should reduce.. sql injection by 80%... but there is still ways to hack the website..

some new protections i came up with should solve it.. hehehhe

please help me !
i need the code to edit reset.asp with CHAOS or Creation .That means I need the web page to reset by CHAOS or Creation :3dflagsdo Please sent mail or Attch Files reset.asp for my email : lamhuy998@yahoo.com
Thank you very much :animal_ro

that is sick

John_d,
Thanks for the solution. But i have trouble understanding... I have read the sample and still having problem. Can u be kind enough to show me i sample (the one i uplad) and i can do the rest myself. TIA. :chair:

john_d why when i added the script in my registration script it dropping me always back?: here is the code:


<html>
<head>
<LINK REL="StyleSheet" HREF="style.css" TYPE="text/css">
</head>
<body>
<?PHP include("config.php");
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
?>
<table border="0" cellspacing="0" cellpadding="0" width="480">
<tr>
<td>
<TABLE width="480" height=100% border=0 align=center cellPadding=5 cellSpacing=1 bgcolor="#ffffff">
<TBODY>
<TR bgcolor="#ffffff" class="content">
<TD colSpan=2 align=right> <div align="center" class="bigf Estilo5">
<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
require 'config.php';
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
?>
<?php
$_POST['ps_loginname'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
$ps_loginname = stripslashes($_POST['ps_loginname']);
$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
$ps_email = stripslashes($_POST['ps_email']);
$ps_person_id = stripslashes($_POST['ps_person_id']);
$ps_password = stripslashes($_POST['ps_password']);
$ps_repassword = stripslashes($_POST['ps_repassword']);
$ps_recquest = stripslashes($_POST['ps_recquest']);
$ps_recans = stripslashes($_POST['ps_recans']);
$extcode = stripslashes($_POST['extcode']);
$extcode1 = stripslashes($_POST['extcode1']);
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
$sql_email_check = mssql_query("SELECT mail_addr FROM MEMB_INFO WHERE mail_addr='$ps_email'");
$sql_username_check = mssql_query("SELECT memb___id FROM MEMB_INFO WHERE memb___id='$ps_loginname'");
$email_check = mssql_num_rows($sql_email_check);
$username_check = mssql_num_rows($sql_username_check);

if (empty($ps_loginname) || empty($ps_name) || empty($ps_email) || empty($ps_person_id) || empty($ps_password) || empty($ps_repassword) || empty($ps_recquest) || empty($ps_recans) || empty($extcode) || empty($extcode1)) {
echo "Please fix the following error:<br />Some fields were left blank. Please go back and try again."; $Error=1;
**
elseif (($email_check > 0) || ($username_check > 0)){
echo "Please fix the following errors: <br />";
if($email_check > 0){
echo "<strong>Your email address has already been used by another member
in our database. Please submit a different Email address!<br />";
$Error=1;
**
if ($username_check > 0){
echo "The username you have selected has already been used by another member
in our database. Please choose a different Username!<br />";
$Error=1;
**
**
elseif ($ps_password != $ps_repassword) {
echo "Please fix the following error:<br />The passwords you entered do not match."; $Error=1;
**
elseif ($extcode != $extcode1) {
echo "Please fix the following error:<br />You entered a bad code."; $Error=1;
**
if ($Error!=1){
$msquery2 = "SET IDENTITY_INSERT MEMB_INFO ON";
$msquery3 = "INSERT INTO MEMB_INFO (memb_guid,memb___id,memb__pwd,memb_name,sno__numb,post_code,addr_info,addr_deta,tel__numb,mail_addr,phon_numb,fpas_ques,fpas_answ,job__code,appl_days,modi_days,out__days,true_days,mail_chek,bloc_code,ctl1_code) VALUES ('1','$ps_loginname','$ps_password','$ps_name', '1','1234','11111','ps_person_id','12343','$ps_email','$ps_email','$ps_recquest','$ps_recans','1','2003-11-23','2003-11-23','2003-11-23','2003-11-23','1','0','1')";
$msquery4 = "INSERT INTO VI_CURR_INFO (ends_days,chek_code,used_time,memb___id,memb_name,memb_guid,sno__numb,Bill_Section,Bill_value,Bill_Hour,Surplus_Point,Surplus_Minute,Increase_Days ) VALUES ('2005','1',1234,'$ps_loginname','$ps_name',1,'7','6','3','6','6','2003-11-23 10:36:00','0' )";
$msresults= mssql_query($msquery2);
$msresults= mssql_query($msquery3);
$msresults= mssql_query($msquery4);
?>
</div></TD>
</TR>
<div align="center">
<TR bgcolor="#ffffff" class="content"><TD height=2 colSpan=2 align=center>Your account has been created succesfully:<br></TD></TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Login ID:</DIV></TD>
<TD width="354"><B><?php print "$ps_loginname"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Name:</DIV></TD>
<TD width="354"><B><?php print "$ps_name"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>E-mail:</DIV></TD>
<TD width="354"><B><?php print "$ps_email"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Password:</DIV></TD>
<TD width="354"><B><?php print "$ps_password"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Question:</DIV></TD>
<TD width="354"><B><?php print "$ps_recquest"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Answer:</DIV></TD>
<TD width="354"><B><?php print "$ps_recans"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Number:</DIV></TD>
<TD width="354"><B><?php print "$ps_person_id"; ?></B>
<DIV align=center></DIV></TD>
</TR>
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>
<?php
**
?>

ok here s the deal..my new website has a token verifier script encoded in every form/s in th website. it will stop anyone from hacking the server.. even without an sql injection script,

stripslashes() only handles ANSI C escapes (ie: will convert a \n to a carriage return / line feed or LF only, depending on platform).
you need to add an extra function there - i can't think of a fast implementation, but something like this should do it:

A) define the following function at the beginning of the php code:

Code:

---

function checklegal($var) {
        $illegal=array("'","\\",";","/","@","#","$","~","`","%","^","*");
        for($i=0;$i<strlen($var);$i++) {
          if(in_array($var[$i],$illegal)) return false;
        **;
        return true;
 **;

---

The chars in that array should handle anything that could be an escape for the SQL interpreter that would lead to a crash.

B) For each field in your code, before executing sql queries, add something like:

Code:

---

if(!checklegal($var)) { die("Illegal character used, please use only A-Z and 0-9"); **;

---

In the sample above, $var is each variable passed to the form processor (your php script).

Another good thing is to check the length of the strings. In order to exec an injection statement, more chars are needed than you need. A 20-char string should be fine enough. So, for string variables (such as username, password, etc), you should be doing something like:

Code:

---

if(strlen($var)>20) die("Too many characters");

---

You can also limit their dimension from the HTML form's input parameter, but there's a way to send data to your form processor other than your webpage, so what's safe is safe.

john_d? where is your site ? i need a site wich cant be hacked by slq injection plz. or help me to fix mine... i posted already the script, whats wrong there?

Quote:

---

Originally Posted by porkmaster

stripslashes() only handles ANSI C escapes (ie: will convert a \n to a carriage return / line feed or LF only, depending on platform).
you need to add an extra function there - i can't think of a fast implementation, but something like this should do it:

A) define the following function at the beginning of the php code:

Code:

---

function checklegal($var) {
        $illegal=array("'","\\",";","/","@","#","$","~","`","%","^","*");
        for($i=0;$i<strlen($var);$i++) {
          if(in_array($var[$i],$illegal)) return false;
        **;
        return true;
 **;

---

The chars in that array should handle anything that could be an escape for the SQL interpreter that would lead to a crash.

B) For each field in your code, before executing sql queries, add something like:

Code:

---

if(!checklegal($var)) { die("Illegal character used, please use only A-Z and 0-9"); **;

---

In the sample above, $var is each variable passed to the form processor (your php script).

Another good thing is to check the length of the strings. In order to exec an injection statement, more chars are needed than you need. A 20-char string should be fine enough. So, for string variables (such as username, password, etc), you should be doing something like:

Code:

---

if(strlen($var)>20) die("Too many characters");

---

You can also limit their dimension from the HTML form's input parameter, but there's a way to send data to your form processor other than your webpage, so what's safe is safe.

---

A variable checker / verifier is all good. and should always be kept inmind when making website.

and as for them sending data from another site (CROSS SITE SCRIPTING), i think i have solved it, by token verifying all forms.

- my latest release is here http://www.supamu.info/downloads/Supaman

wich one is best protect, say me wich one couse you wont help me fix my problem, ill download your site :P say just wich is most protected ofrom the sql-injection. tnx

john_d please help please answer.

in sql_inject.php error: Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in c:\AppServ\www\reg\sql_inject.php on line 145

FINALLY I GOT THE ANTI-SQL INJECTION SCRIPT WORKING! 1 more question! i have site reg.php its site with the forms and targeting site is idreg.php so i need to add in idreg.php this lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**


BUT in wich part of it i must add them ? please answer ASAP

Quote:

---

Originally Posted by graywolf

FINALLY I GOT THE ANTI-SQL INJECTION SCRIPT WORKING! 1 more question! i have site reg.php its site with the forms and targeting site is idreg.php so i need to add in idreg.php this lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**


BUT in wich part of it i must add them ? please answer ASAP

---

Just at the beginning, right after the <? tag.

i tried it already but then appears the error: Parse error: parse error, unexpected '*' in c:\AppServ\www\reg\idreg.php on line 17

my script:

<?php
if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'hack.htm';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;


sure i'm putting the real adress of file not the http://my.website.com/reg.php but why the error appears? answer please asap.

Remove the two asterisks, they're only messing the code. Or comment them by preceding that line with a //.

i deleted them but appeared this error:

Parse error: parse error, unexpected $end in c:\AppServ\www\reg\idreg.php on line 132

without that two lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );

all worked fine, i want make this anti hack too very very much. please help fix. error.

And how should I know what's around line 132 in your script?
Make a paste of lines 125-140 and we'll see where's the trouble.

Here this lines: 125~132:
</td>
</tr>
</table>
</body>
</html>
<?php
**
?>

and i wanted to attach the script to see easier but seems its not working so i uploaded it here: http://r.hopto.org/idreg.zip

reply asap, i am here online. tnx.

What I see in the script you've put above for download is:

Code:

---

<?php
**
?>

---

at the bottom of the file.
However, even if it's a "**" or "**", the last 3 lines should be removed because they don't seem to do anything at all but messing with your code, unless that script is somehow processed by another scrip with evals, which I don't think it's the case, so try removing the last 3 lines too and check out if it works.

Edit: in here it appears as **, but apparently it's about a pair of curly braces.

i deleted last 3 lines: left this
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>


but appears same error! By the way, (Returning to the anti-sql injection script) how i understood it just logs the input string like ' ; Drop table Character or something like that, but not stops it, is there any way to stop the action too?, because it just logs the input in a file log_file_sql.log and redirrecting to the hack.htm as you see.. but the action is not stopping for example, i will type ' ; Drop table Character ---, i will be logged in the file like:
"29-12-2004 17:07:23 [\' ; drop table character---] from MY_IP"
Redirrected to the hack.htm and the action still will not be stopped >> Character table will be dropped from the database, is the way to stop the action too ? Sorry if too much questions but i really want to make antihack. Thank you for understanding me.

Here's your fixed file.