v15 register script with sql injection protection
I made a website that can support v15 official files. Those files include some protection from SQL injections, not like the others.
This website looks really nice, shiny and blue. You must try it :)
To get the website working, you first need to extract my SQL table to SQL.
V15 ONLY!!!
download link:
MEGAUPLOAD - The leading online storage and file delivery service
Password is: borkaman
Don't forget to edit the configs in index.php!!!
If you can do me a favor, please make a screenshot of your website up and running, because I formatted my PC and I am too lazy to install everything all over again XD
I will appreciate that a lot, thanks!
Re: v15 register script with sql injection protection
Wanna bet I SQL inject it? D:<
Source pretty unstable.
Preg_match doesn't hold up against SQL injects in HEX.
Re: v15 register script with sql injection protection
This script is still injectable. I suggest you actually use a good anti-injection script, instead of using a preg_replace.
Re: v15 register script with sql injection protection
Quote:
Originally Posted by
Apixenz
This script is still injectable. I suggest you actually use a good anti-injection script, instead of using a preg_replace.
preg_replace however DOES stop injections, u just need to know what to replace.
@ Topic. Use mine..
PHP Code:
function AntiSql($sql) {
    $maxattempts = 5; // Max attempts before a ban. Some users accidentally type characters that trigger the filter.
    $oldstring = $sql; // String the user entered
    // Strip blacklisted keywords, case-insensitively (sql_regcase() was removed in PHP 7; the /i flag matches the same way).
    $sql = preg_replace('/(select|union|0x|cast|exec|varchar|insert into|delete from|update account|update login|update character|ugradeid|drop table|show tables)/i', "", $sql);
    $sql = trim($sql); // Strip surrounding whitespace
    $sql = strip_tags($sql); // Strip HTML/PHP tags
    $sql = addslashes($sql); // Backslash-escape quotes
    if ($oldstring != $sql) { // Check if the user input differs from the edited string.
        $myip = $_SERVER['REMOTE_ADDR']; // Get the user's IP
        $file = fopen('inc/sqllog.log', 'a+'); // Open the log file
        $date = date('d-m-y H:i:s', time()); // Format the time
        fwrite($file, "(".$date.") (".$myip.") Value: ".$oldstring." New Value: ".$sql."\r\n"); // Write it to the log.
        $read = file_get_contents('inc/sqllog.log'); // Read the contents
        fclose($file);
        if (substr_count($read, $myip) >= $maxattempts) { // Count the attempts; if higher than specified, do the following.
            $file2 = fopen('inc/ipbans.txt', 'a+');
            $read2 = file_get_contents('inc/ipbans.txt'); // Get the banned IPs
            if (substr_count($read2, $myip) < 1) { // If the IP isn't on the list, add it.
                fwrite($file2, "".$myip.";");
            } else {
                $ipbans = explode(';', $read2); // Get each banned IP
                $file3 = fopen('.htaccess', 'w'); // Open .htaccess
                fwrite($file3, "order allow,deny\r\n"); // Standard form to block IPs
                $int = 0; // too lazy to use foreach()
                $ipcount = count($ipbans) - 1; // See the note underneath.
                /*
                This splits ipbans.txt on ;
                So if it's like 127.0.0.1;87.209.160.22; it would output 3 and not 2.
                */
                while ($int != $ipcount) { // Loop over the banned IPs
                    fwrite($file3, "deny from ".$ipbans[$int]."\r\n"); // Deny them.
                    $int++;
                }
                fwrite($file3, "allow from all"); // End the .htaccess
                fclose($file3);
            }
            fclose($file2); // Close the ban list handle
        }
    }
    return $sql; // Return the edited value.
}
$url = $_SERVER['REQUEST_URI']; // Get the URL
if ($url != AntiSql($url)) { // If it's invalid..
    die('hacking attempt'); // Hacking attempt?
}
You can actually create an AntiSql in 1 line.. Just.. I like it more advanced.
IP-bans the user after x attempts in .htaccess.
You might need to add a .htaccess in your main folder.
Also don't forget to add a new directory called 'inc' if you don't have it.
Just make a Functions.php
Include it into the header of the index.php.
Invulnerable to POST injection and GET injection.
PS. Don't blame me that I don't use PHP5.
I only use PHP4 cuz of the structure. PHP5 makes me blind while looking at the script.
Re: v15 register script with sql injection protection
Quote:
Originally Posted by
sayuta
preg_replace however DOES stop injections, u just need to know what to replace.
I mean... preg_replace is useful, but he should use a GOOD array, a GOOD function, etc. Just a ol' preg_replace on EACH line makes it look bad.
Re: v15 register script with sql injection protection
Quote:
Originally Posted by
Apixenz
I mean... preg_replace is useful, but he should use a GOOD array, a GOOD function, etc. Just a ol' preg_replace on EACH line makes it look bad.
Exactly.
Re: v15 register script with sql injection protection
Hello, I get this error in my SQL:
Msg 208, Level 16, State 6, Procedure FlyffRegister, Line 20
Invalid object name 'dbo.FlyffRegister'.
Re: v15 register script with sql injection protection
Quote:
Originally Posted by
sayuta
preg_replace however DOES stop injections, u just need to know what to replace.
How does this one work?
Re: v15 register script with sql injection protection
Quote:
Originally Posted by
Carbohydrates
How does this one work?
Just make ur POSTS into AntiSql($_POST['something']);
rest i explained >_>"
Re: v15 register script with sql injection protection
This script is still injectable x.x
Re: v15 register script with sql injection protection
sayuta, can I have a complete script?
Re: v15 register script with sql injection protection
Clarifying Something:
To protect against SQL injections it is called learn how to code. It's maybe 2? or 3 native PHP functions to block it (if you are using native PHP functions)? Really takes no skill, for anyone who says they can do it and think they're all mighty; they could easily be as skiddie as you.
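An added example, not code from any poster in this thread: it runs the keyword filter posted earlier beside an allowlist check plus bound parameters, to show that the filter alters legitimate names while placeholders keep input out of the SQL text. The `account` table, its columns, the function names and the use of `password_hash()` are assumptions, and in-memory SQLite stands in for the SQL Server database the thread uses.

```php
<?php
// Added example; table, columns and function names are hypothetical.
// In-memory SQLite stands in for the SQL Server account database.

// The thread's keyword filter, with /i replacing sql_regcase() (removed in PHP 7).
function keywordFilter(string $in): string {
    $out = preg_replace('/(select|union|0x|cast|exec|varchar|insert into|delete from'
        . '|update account|update login|update character|ugradeid|drop table|show tables)/i', '', $in);
    return addslashes(strip_tags(trim($out)));
}

// Allowlist: describe what a valid account name is instead of what an attack looks like.
function validAccountName(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_]{4,16}\z/', $name) === 1;
}

function register(PDO $db, string $name, string $password): bool {
    if (!validAccountName($name)) {
        return false;
    }
    // Placeholders keep the value out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO account (name, pw_hash) VALUES (:name, :pw)');
    try {
        // password_hash() is an assumption; use the hash the game server expects.
        return $stmt->execute([':name' => $name, ':pw' => password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // e.g. name already taken
    }
}

function accountExists(PDO $db, string $name): bool {
    $stmt = $db->prepare('SELECT 1 FROM account WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Constructed sample names: the first two are legitimate but contain blacklisted
// substrings, so the filter alters them and the posted wrapper would log a strike.
foreach (['Castiel', 'executor', "O'Brien", 'ok_name1'] as $name) {
    printf("%-9s filtered=%-11s registered=%-5s exists=%s\n",
        $name,
        keywordFilter($name),
        var_export(register($db, $name, 'example-password'), true),
        var_export(accountExists($db, $name), true));
}
```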