Printable View
Well I want a registro.php, config.php, ranking in the clan and player with a php function 100% anti Inject SQL,
that is if n is asking too much :rolleyes:
This would help many people who come and hackiado and even myself ... :closedeyes:
Thanks in advance.
This post was translated with Google translator, I am Brazilian and I do not see a lot of English.
learn how to use the search button some time?
ok ok here you go
PHP Code:function antisql($sql) {
$sql = preg_replace(sql_regcase("(select|union|0x|cast|exec|varchar|insert into|delete from|update account|update login|update character|ugradeid|drop table|show tables)"),"",$sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
return $sql;
}
Sigh, how much will you kiddies have to be reminded that the above can create problems in many varying scenarios, and actually will waste system resources?Quote:
Originally Posted by ~Fallen
A less resource-intensive option:
Written by yours truly, credits not really needed considering the simplicity of it.Code:function sanitize_data ( $sql ) {
return preg_replace( "/[^a-zA-Z0-9 ]/i", "", $sql );
}
[/code]
And to skip Wizkidje from complaining, here's the escaping for single/double quotes, backslashes, and tags:
With comments and decent spacing, for readability:Code:function sanitize ( $data ) {
if ( ! get_magic_quotes_gpc ( ) )
$data = preg_replace ( Array ( '/[\\\[\]]/', '/\'/', '/"/' ), Array ( '\\', '\\\'', '\"' ), $data );
$data = preg_replace ( Array ( '/[\>]/', '/[\<]/' ), Array ( '>', '<' ), $data );
return $data;
}
Code:function sanitize ( $data )
{
if ( ! get_magic_quotes_gpc ( ) ) // If sanitizing for databasing isn't done..
$data = preg_replace ( Array ( '/[\\\[\]]/', '/\'/', '/"/' ), Array ( '\\', '\\\'', '\"' ), $data ); // ..do so
$data = preg_replace ( Array ( '/[\>]/', '/[\<]/' ), Array ( '>', '<' ), $data ); // Escape tags to prevent tag-injection
return $data;
}
hmmn i admit your right,,
I am no pro at PHP and Anti SQL injection.... But why not just block certain symbols that are needed for SQL Injection methods from any inputs.
Then do it.Quote:
Originally Posted by Shockdot1
And add all the other SQL inputs (") ('), etc..PHP Code:<?PHP
if( $userid == "x'" ) die ("I see you there.");
?>
But it's not a verry safe way. There are numerous ways of stoping SQL injections; but the one posted above is better.
Or just make the password feild not allow more that 9 characters. (Stopping a full SQL query.) Once again. It's not that good.
That is done - but sometimes, those symbols are desired by the user, which is why you can escape the symbols (e.g.: A single quote turns to a single quote with a backslash before it, so that the database knows to accept is as part of the data, not part of the query to be executed).Quote:
Originally Posted by Shockdot1
That's not how you would do it - more so, it would be using regex to find if any non-permitted symbol (Which probably would only be a-z, A-Z, and 0-9) is found, and if so, to return an error.Quote:
Originally Posted by Team Leopard
What I've posted is just a common way of blocking a symbol/word/frase, it can be used anywhere in any feild. And it dosen't really have to return to an error - a simple die(); can do it.Quote:
Originally Posted by gWX0
But if you're 'aiming for perfection' yes, you would use a regex.
So that would be better than the one you originally said to use? Or does it matter? :PQuote:
Originally Posted by gWX0
I'm talking about
Code:function sanitize_data ( $sql ) {
return preg_replace( "/[^a-zA-Z0-9 ]/i", "", $sql );
}
That function does it all, great release.Quote:
Originally Posted by gWX0
-edit-
Well, that function isn't good enough. Query's will still work.
They will where quotes aren't used - to prevent attacks of that form, you'd have to remove spaces.Quote:
Originally Posted by Wizkidje
Other than that, I didn't test the function at all - if something is escaped improperly, feel free to modify and re-post as needed.