Addslashes()/magic_quote_gpc() is exploitable?
I have read many blogs about this topic, but it is still complicated. Now, if addslashes is exploitable, what function are we going to use to stop SQLi attacks? They say that if you put bf27, a multi-byte char, the addslashes func will not add slashes to that input, because addslashes cannot read multi-byte chars. What should I do now to stop SQLi attacks? Should I use mysql_real_escape_string()?
-
Yes, use mysql_real_escape_string(), unless the variable is not going into the database, or you will cause a silent error.
Last edited by something else; 15.02.12, 06:36.
-
I just use this only. I don't know whether it works well or not; I'm just a newbie. Good luck. ereg_replace has some bugs on several servers; try replacing it with others.
PHP Code:
```php
<?php
// Collect the keys of every superglobal and pass each value through clean().
// $_SESSION only exists after session_start(); $_SERVER values are not user
// input in the same sense, but the original escapes them too.
$GET_KEY = array_keys($_GET);
$POST_KEY = array_keys($_POST);
$COOKIE_KEY = array_keys($_COOKIE);
$SERVER_KEY = array_keys($_SERVER);
$SESSION_KEY = array_keys($_SESSION);
for ($i = 0; $i < count($GET_KEY); $i++) {
    $_GET[$GET_KEY[$i]] = clean($_GET[$GET_KEY[$i]]);
}
for ($i = 0; $i < count($POST_KEY); $i++) {
    $_POST[$POST_KEY[$i]] = clean($_POST[$POST_KEY[$i]]);
}
for ($i = 0; $i < count($COOKIE_KEY); $i++) {
    $_COOKIE[$COOKIE_KEY[$i]] = clean($_COOKIE[$COOKIE_KEY[$i]]);
}
for ($i = 0; $i < count($SERVER_KEY); $i++) {
    $_SERVER[$SERVER_KEY[$i]] = clean($_SERVER[$SERVER_KEY[$i]]);
}
for ($i = 0; $i < count($SESSION_KEY); $i++) {
    $_SESSION[$SESSION_KEY[$i]] = clean($_SESSION[$SESSION_KEY[$i]]);
}

function clean($str) {
    // Nested values (e.g. checkbox groups) are arrays; clean each element
    if (is_array($str)) {
        return array_map('clean', $str);
    }
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        // Undo magic quotes first so the value is not escaped twice
        $str = stripslashes($str);
    }
    // Needs an open mysql connection, otherwise it fails silently
    return mysql_real_escape_string($str);
}

// ereg_replace is deprecated since PHP 5.3 (see the note above)
$get = ereg_replace("[^0-9]", "", $_GET["get"]);    // to get number only
$get = ereg_replace("[^a-zA-Z]", "", $_GET["get"]); // to get word only
```
Visit my WEBSITE Project: http://www.aspirewap.net
-
Originally posted by analyzer:
> I have read many blogs about this topic, but it is still complicated. Now, if addslashes is exploitable, what function are we going to use to stop SQLi attacks? They say that if you put bf27, a multi-byte char, the addslashes func will not add slashes to that input, because addslashes cannot read multi-byte chars. What should I do now to stop SQLi attacks? Should I use mysql_real_escape_string()?
None of those. magic_quote_gpc() is DEPRECATED, and addslashes() does the same thing as get_magic_quotes_gpc() automatically. Hex chars are easy to filter, and it just depends on whether the input in question is GET or POST: GET is decoded automatically while POST isn't.
I don't know a simple answer to that question; you should use .htaccess before (but surely not excluding) PHP and take care on a per-case basis.

Originally posted by StRiNg_MaStEr:
> I can bypass mysql_real_escape_string() and addslashes too.
> The best way to protect from SQLi is to install the latest version of mod_security.
> Only some pros can bypass it.
It's one hex char.
Last edited by arnage; 15.02.12, 16:07.
-
Thanks 4 that arnage.
Can I ask something about SQLi, guys? When does an SQLi work? Does it work only in GET and POST?
How about in this code:
PHP Code:
```php
<?php
$id = 1234;
// The original line had mismatched quotes; this is the query it was meant to build
$vars = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM db_user WHERE id='" . $id . "'"));
```
Is it possible to attack the $id using SQLi or other attacks? Because the $id was not filtered; $id has the default value, which is 1234. Can a hacker change the value of $id?
It's n0t that i am afraid to die. Its just that if i die, wh0 wilL loVe her as muCh as i Do?
-
Originally posted by analyzer:
> Thanks 4 that arnage.
> Can I ask something about SQLi, guys? When does an SQLi work? Does it work only in GET and POST?
> How about in this code
> Is it possible to attack the $id using SQLi or other attacks? Because the $id was not filtered; $id has the default value, which is 1234. Can a hacker change the value of $id?
Yup, it's possible.
-
Originally posted by StRiNg_MaStEr:
> I can bypass mysql_real_escape_string() and addslashes too.
> The best way to protect from SQLi is to install the latest version of mod_security.
> Only some pros can bypass it.
Can you also bypass this???
PHP Code:
```php
<?php
// htmlspecialchars and strip_tags run before the SQL escaping; @ hides a missing-index notice
@$var = mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['var'])));
```
-
@analyzer, use mysql_real_escape_string; don't mind the idiots above telling you they can bypass it. Read the coding practices and type casting articles at the PHP Security Consortium, then always watch what goes into the db. If you wanna access an ID, make sure it's an integer!
PHP Code:
```php
<?php
$id = (int) $_GET['id'];
```
And always wrap sql statements in quotes. Read more at the site above.
PHP Code:
```php
<?php
$sql = "SELECT * FROM `users` WHERE `id`='{$id}'";
```
-
Originally posted by CreativityKills:
> @analyzer, use mysql_real_escape_string; don't mind the idiots above telling you they can bypass it. Read the coding practices and type casting articles at the PHP Security Consortium, then always watch what goes into the db. If you wanna access an ID, make sure it's an integer!
> $id = (int) $_GET['id'];
> And always wrap sql statements in quotes. Read more at the site above.
> $sql = "SELECT * FROM `users` WHERE `id`='{$id}'";
Thankz for this br0. But I already have a function which is more than the mysql_real_escape_string().
Ahm, what's the difference if I will not put quotes in my SQL statements, br0? Like this:
PHP Code:
```php
<?php
$sql = "SELECT * FROM users WHERE id='{$id}'";
```
-
Don't kid yourself, you can't possibly have a function better than that, because PHP native functions are extensively tested in different dev and production instances and environments, not to mention operating systems and server APIs, and with each release the functions are fixed in case of discovered bugs. How many environs and setups have you tested yours in? But suit yourself; as long as you're comfortable with your code, fine. The difference is, it's generally easier to inject SQL written without quotes, for example:
PHP Code:
```php
<?php
$username = 'admin';
$password = 'IDontKnowYourPasswordButNoMatter OR 1=1';
// This will login pretty nicely regardless of the password:
// the OR 1=1 becomes part of the WHERE clause
$sql = "SELECT * FROM `users` WHERE username=$username AND password=$password";
// This won't: the whole password is compared as one string literal
$sql = "SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}'";
```
Without quotes, it can execute the password entry as part of the query, hence the user can modify your query as s/he likes. With quotes, it doesn't, because it treats whatever is in quotes as a STRING and therefore not part of the executing query. Hope I explained well.
Last edited by CreativityKills; 21.02.12, 06:35.
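A worked version of the quoting and integer-casting advice in this thread, as an added example that is not code from any of the posts: it runs the same "OR 1=1" password input from the post above through PDO prepared statements against an in-memory SQLite database (assumes the pdo_sqlite extension; the users table, the login()/findById() functions and the addslashesBytesDemo() helper, which shows the bf27 byte problem from the opening question, are constructed for this demo).

```php
<?php
// Added example, not from the thread. Assumes PDO with the sqlite driver.

function addslashesBytesDemo(): string {
    // Why addslashes() is not charset-aware: it only sees bytes. In a
    // multi-byte charset such as GBK the pair BF 27 becomes BF 5C 27 after
    // escaping, and BF 5C is itself one valid two-byte character, so the
    // trailing 27 (a single quote) is left standing on its own.
    return strtoupper(bin2hex(addslashes("\xbf\x27")));
}

function makeDb(): PDO {
    // Constructed sample schema and row for the demo
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("INSERT INTO users VALUES (1234, 'admin', 'correct horse battery staple')");
    return $db;
}

// Values are bound, never concatenated: quoting and escaping are the
// driver's job, so neither the missing quotes nor the charset issue apply.
function login(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// An id must be an integer: validate it before it gets anywhere near SQL
// (stricter than a bare (int) cast, which silently turns "1234 OR 1=1" into 1234).
function findById(PDO $db, $id): ?array {
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, username FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();
var_dump(login($db, 'admin', 'IDontKnowYourPasswordButNoMatter OR 1=1')); // compared literally, no row
var_dump(login($db, 'admin', 'correct horse battery staple'));            // the real row
var_dump(findById($db, '1234 OR 1=1'));                                   // rejected by validation
var_dump(findById($db, '1234'));                                          // the real row
echo addslashesBytesDemo(), "\n";
```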