Anti Sql Injection Protection

[cwquek]

John_d,
Thanks for the solution. But i have trouble understanding... I have read the sample and still having problem. Can u be kind enough to show me i sample (the one i uplad) and i can do the rest myself. TIA. :chair:

 

[graywolf]

john_d why when i added the script in my registration script it dropping me always back?: here is the code:


<html>
<head>
<LINK REL="StyleSheet" HREF="style.css" TYPE="text/css">
</head>
<body>
<?PHP include("config.php");
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
?>
<table border="0" cellspacing="0" cellpadding="0" width="480">
<tr>
<td>
<TABLE width="480" height=100% border=0 align=center cellPadding=5 cellSpacing=1 bgcolor="#ffffff">
<TBODY>
<TR bgcolor="#ffffff" class="content">
<TD colSpan=2 align=right> <div align="center" class="bigf Estilo5">
<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;
require 'config.php';
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
?>
<?php
$_POST['ps_loginname'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
$ps_loginname = stripslashes($_POST['ps_loginname']);
$sqlinject->test($ps_loginname);
$ps_name = stripslashes($_POST['ps_name']);
$sqlinject->test($ps_name);
$ps_email = stripslashes($_POST['ps_email']);
$ps_person_id = stripslashes($_POST['ps_person_id']);
$ps_password = stripslashes($_POST['ps_password']);
$ps_repassword = stripslashes($_POST['ps_repassword']);
$ps_recquest = stripslashes($_POST['ps_recquest']);
$ps_recans = stripslashes($_POST['ps_recans']);
$extcode = stripslashes($_POST['extcode']);
$extcode1 = stripslashes($_POST['extcode1']);
$msconnect=mssql_connect("$dbhost","$dbuser","$dbpasswd");
$msdb=mssql_select_db("MuOnline",$msconnect);
$sql_email_check = mssql_query("SELECT mail_addr FROM MEMB_INFO WHERE mail_addr='$ps_email'");
$sql_username_check = mssql_query("SELECT memb___id FROM MEMB_INFO WHERE memb___id='$ps_loginname'");
$email_check = mssql_num_rows($sql_email_check);
$username_check = mssql_num_rows($sql_username_check);

if (empty($ps_loginname) || empty($ps_name) || empty($ps_email) || empty($ps_person_id) || empty($ps_password) || empty($ps_repassword) || empty($ps_recquest) || empty($ps_recans) || empty($extcode) || empty($extcode1)) {
echo "Please fix the following error:<br />Some fields were left blank. Please go back and try again."; $Error=1;
**
elseif (($email_check > 0) || ($username_check > 0)){
echo "Please fix the following errors: <br />";
if($email_check > 0){
echo "<strong>Your email address has already been used by another member
in our database. Please submit a different Email address!<br />";
$Error=1;
**
if ($username_check > 0){
echo "The username you have selected has already been used by another member
in our database. Please choose a different Username!<br />";
$Error=1;
**
**
elseif ($ps_password != $ps_repassword) {
echo "Please fix the following error:<br />The passwords you entered do not match."; $Error=1;
**
elseif ($extcode != $extcode1) {
echo "Please fix the following error:<br />You entered a bad code."; $Error=1;
**
if ($Error!=1){
$msquery2 = "SET IDENTITY_INSERT MEMB_INFO ON";
$msquery3 = "INSERT INTO MEMB_INFO (memb_guid,memb___id,memb__pwd,memb_name,sno__numb,post_code,addr_info,addr_deta,tel__numb,mail_addr,phon_numb,fpas_ques,fpas_answ,job__code,appl_days,modi_days,out__days,true_days,mail_chek,bloc_code,ctl1_code) VALUES ('1','$ps_loginname','$ps_password','$ps_name', '1','1234','11111','ps_person_id','12343','$ps_email','$ps_email','$ps_recquest','$ps_recans','1','2003-11-23','2003-11-23','2003-11-23','2003-11-23','1','0','1')";
$msquery4 = "INSERT INTO VI_CURR_INFO (ends_days,chek_code,used_time,memb___id,memb_name,memb_guid,sno__numb,Bill_Section,Bill_value,Bill_Hour,Surplus_Point,Surplus_Minute,Increase_Days ) VALUES ('2005','1',1234,'$ps_loginname','$ps_name',1,'7','6','3','6','6','2003-11-23 10:36:00','0' )";
$msresults= mssql_query($msquery2);
$msresults= mssql_query($msquery3);
$msresults= mssql_query($msquery4);
?>
</div></TD>
</TR>
<div align="center">
<TR bgcolor="#ffffff" class="content"><TD height=2 colSpan=2 align=center>Your account has been created succesfully:<br></TD></TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Login ID:</DIV></TD>
<TD width="354"><B><?php print "$ps_loginname"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Name:</DIV></TD>
<TD width="354"><B><?php print "$ps_name"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>E-mail:</DIV></TD>
<TD width="354"><B><?php print "$ps_email"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Password:</DIV></TD>
<TD width="354"><B><?php print "$ps_password"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Question:</DIV></TD>
<TD width="354"><B><?php print "$ps_recquest"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Recovery Answer:</DIV></TD>
<TD width="354"><B><?php print "$ps_recans"; ?></B>
<DIV align=center></DIV></TD>
</TR>
<TR bgcolor="#ffffff" class="content">
<TD width="88" align=right valign="top" bgcolor="#ffffff"> <DIV align=left>Number:</DIV></TD>
<TD width="354"><B><?php print "$ps_person_id"; ?></B>
<DIV align=center></DIV></TD>
</TR>
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>
<?php
**
?>

 

[john_d]

ok here s the deal..my new website has a token verifier script encoded in every form/s in th website. it will stop anyone from hacking the server.. even without an sql injection script,

 

[porkmaster]

stripslashes() only handles ANSI C escapes (ie: will convert a \n to a carriage return / line feed or LF only, depending on platform).
you need to add an extra function there - i can't think of a fast implementation, but something like this should do it:

A) define the following function at the beginning of the php code:

 function checklegal($var) {
         $illegal=array("'","\\",";","/","@","#","$","~","`","%","^","*");
         for($i=0;$i<strlen($var);$i++) {
          if(in_array($var[$i],$illegal)) return false;
         **;
         return true;
 **;

The chars in that array should handle anything that could be an escape for the SQL interpreter that would lead to a crash.

B) For each field in your code, before executing sql queries, add something like:

 if(!checklegal($var)) { die("Illegal character used, please use only A-Z and 0-9"); **;

In the sample above, $var is each variable passed to the form processor (your php script).

Another good thing is to check the length of the strings. In order to exec an injection statement, more chars are needed than you need. A 20-char string should be fine enough. So, for string variables (such as username, password, etc), you should be doing something like:

 if(strlen($var)>20) die("Too many characters");

You can also limit their dimension from the HTML form's input parameter, but there's a way to send data to your form processor other than your webpage, so what's safe is safe.

 

[graywolf]

john_d? where is your site ? i need a site wich cant be hacked by slq injection plz. or help me to fix mine... i posted already the script, whats wrong there?

 

[john_d]

stripslashes() only handles ANSI C escapes (ie: will convert a \n to a carriage return / line feed or LF only, depending on platform).
you need to add an extra function there - i can't think of a fast implementation, but something like this should do it:

A) define the following function at the beginning of the php code:

 function checklegal($var) {
         $illegal=array("'","\\",";","/","@","#","$","~","`","%","^","*");
         for($i=0;$i<strlen($var);$i++) {
          if(in_array($var[$i],$illegal)) return false;
         **;
         return true;
 **;

The chars in that array should handle anything that could be an escape for the SQL interpreter that would lead to a crash.

B) For each field in your code, before executing sql queries, add something like:

 if(!checklegal($var)) { die("Illegal character used, please use only A-Z and 0-9"); **;

In the sample above, $var is each variable passed to the form processor (your php script).

Another good thing is to check the length of the strings. In order to exec an injection statement, more chars are needed than you need. A 20-char string should be fine enough. So, for string variables (such as username, password, etc), you should be doing something like:

 if(strlen($var)>20) die("Too many characters");

You can also limit their dimension from the HTML form's input parameter, but there's a way to send data to your form processor other than your webpage, so what's safe is safe.

A variable checker / verifier is all good. and should always be kept inmind when making website.

and as for them sending data from another site (CROSS SITE SCRIPTING), i think i have solved it, by token verifying all forms.

- my latest release is here

You must be registered to see links

 

[graywolf]

wich one is best protect, say me wich one couse you wont help me fix my problem, ill download your site say just wich is most protected ofrom the sql-injection. tnx

 

[graywolf]

john_d please help please answer.

 

[graywolf]

in sql_inject.php error: Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in c:\AppServ\www\reg\sql_inject.php on line 145

 

[graywolf]

FINALLY I GOT THE ANTI-SQL INJECTION SCRIPT WORKING! 1 more question! i have site reg.php its site with the forms and targeting site is idreg.php so i need to add in idreg.php this lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**


BUT in wich part of it i must add them ? please answer ASAP

 

[porkmaster]

FINALLY I GOT THE ANTI-SQL INJECTION SCRIPT WORKING! 1 more question! i have site reg.php its site with the forms and targeting site is idreg.php so i need to add in idreg.php this lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**


BUT in wich part of it i must add them ? please answer ASAP

Just at the beginning, right after the <? tag.

 

[graywolf]

i tried it already but then appears the error: Parse error: parse error, unexpected '*' in c:\AppServ\www\reg\idreg.php on line 17

 

[graywolf]

my script:

<?php
if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );
**
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'hack.htm';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ;


sure i'm putting the real adress of file not the

You must be registered to see links

but why the error appears? answer please asap.

 

[porkmaster]

Remove the two asterisks, they're only messing the code. Or comment them by preceding that line with a //.

 

[graywolf]

i deleted them but appeared this error:

Parse error: parse error, unexpected $end in c:\AppServ\www\reg\idreg.php on line 132

without that two lines:

if (stristr($_SERVER['HTTP_REFERER'], 'http://my.website.com/reg.php') === FALSE ) {
die ( 'Hacking attempt. Your are such a Nooby!.. ' );

all worked fine, i want make this anti hack too very very much. please help fix. error.

 

[porkmaster]

And how should I know what's around line 132 in your script?
Make a paste of lines 125-140 and we'll see where's the trouble.

 

[graywolf]

Here this lines: 125~132:
</td>
</tr>
</table>
</body>
</html>
<?php
**
?>

and i wanted to attach the script to see easier but seems its not working so i uploaded it here:

You must be registered to see links

reply asap, i am here online. tnx.

 

[porkmaster]

What I see in the script you've put above for download is:

<?php
**
?>

at the bottom of the file.
However, even if it's a "**" or "**", the last 3 lines should be removed because they don't seem to do anything at all but messing with your code, unless that script is somehow processed by another scrip with evals, which I don't think it's the case, so try removing the last 3 lines too and check out if it works.

Edit: in here it appears as **, but apparently it's about a pair of curly braces.

 

[graywolf]

i deleted last 3 lines: left this
</div>
</TABLE>
</td>
</tr>
</table>
</body>
</html>


but appears same error! By the way, (Returning to the anti-sql injection script) how i understood it just logs the input string like ' ; Drop table Character or something like that, but not stops it, is there any way to stop the action too?, because it just logs the input in a file log_file_sql.log and redirrecting to the hack.htm as you see.. but the action is not stopping for example, i will type ' ; Drop table Character ---, i will be logged in the file like:
"29-12-2004 17:07:23 [\' ; drop table character---] from MY_IP"
Redirrected to the hack.htm and the action still will not be stopped >> Character table will be dropped from the database, is the way to stop the action too ? Sorry if too much questions but i really want to make antihack. Thank you for understanding me.

 

[porkmaster]

Here's your fixed file.