Basic SQL Injection Protection


    Basic SQL Injection Protection

    This class can cleanup harmful text from request parameters.

    It can check a given parameter value of $_GET, $_POST or $_REQUEST super-global variables and remove certain types of text values that are usually used to perform SQL injection attacks.
    ________________
    Jacques
    jacques@gw-designs.co.za
    http://coding.biz.tm
    Come join and let's make it a place to teach all the noobies how to code
    __________________

    NEVER FORGET TO CLICK THE TANX BUTTON IF U LIKE WHAT IM SHARING OR HELPING WITH

    #2
    Some of your compressed files can't be extracted.
    I use 7zip and I also extract on my host.
    I'm a Windows 7 user.
    Did I help you?
    You can help me too.
    Your donations will help me finance my studies.



      #3
      I am using Linux Mint 11 and tar.gz files are really helpful. :-D
      They are also smaller in size than a zip file.



        #4
        Originally posted by ReazulIqbal View Post
        I am using Linux Mint 11 and tar.gz files are really helpful. :-D
        They are also smaller in size than a zip file.
        Smaller in size my ass...
        Compressing anything to *.tar.gz doesn't really mean
        it'll be a smaller archive by size than *.rar or *.zip.
        It's all about what kind of file/data you are compressing,
        simple as that!
        It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
        ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
        ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
        キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!



          #5
          Maybe. But I always get a lower size than a zip file. I tested with audio, WordPress, and many software packages.



            #6
            ornek.php
            Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<?php
// Copyright 2011-~ Muammer TURKMEN
// The short open tag "<?" is replaced by "<?php" so the file runs without short_open_tag.
// Call as ornek.php?veri=...&veri2=... to see the request filtering below.
include_once("sqlkoruma.php");
$deneme1=new sqlinj;
$deneme1->ekleme("into");    // add a custom word to the denylist

// Filter one parameter: basla("get","veri") reads $_GET["veri"] and returns a filtered copy
// (the original comment said $_REQUEST; the "get" argument selects $_GET).
echo $deneme1->basla("get","veri")."<br><br>";
echo stripslashes($deneme1->basla("get","veri"))."<br><br>"; // stripslashes removes the inserted \ characters again

// Filter an arbitrary string.
echo $deneme1->basla("'''' select * from urunler where, insert into --update urunler")."<br><br>";
echo stripslashes($deneme1->basla("'''' \" \" select * from urunler where, insert into --update urunler"));

// AIO: "aio" -> filter $_REQUEST, $_GET and $_POST in place; "all" -> every key of each array
$deneme1->basla("aio","all");
echo "<br><br>".$_GET["veri"]."===".stripslashes($_GET["veri"])."<br><br>";
echo "<br><br>".$_GET["veri2"]."===".stripslashes($_GET["veri2"])."<br><br>";
print_r($_GET);      // the original concatenated "<br>" onto print_r's return value, which was never echoed
echo "<br>";
print_r($_REQUEST);

?>
</body>
</html>
            sqlkoruma.php
            Code:
<?php
// Copyright 2011-~ Muammer TURKMEN
// Denylist filter: every token in $liste that occurs in a value is wrapped in
// backslashes (e.g. "select" -> "\select\") so it no longer reads as an SQL keyword.
// This is a keyword denylist, not escaping and not parameterisation.
class sqlinj{
    private $islet;
    // Tokens to neutralise. The original listed "\'" and "\-"; inside a double-quoted
    // PHP string those are the two-character sequences \' and \- (PHP has no such
    // escapes), so a bare quote or dash was never matched. Fixed to "'" and "-".
    public $liste=array("=","'","\"","*","-","declare","char","set","cast","convert","drop","exec","meta","script","select","truncate","insert","delete","union","update","create","where","join","information_schema","table_schema","into");

    // basla($veri,$tur):
    //   $tur=="normal" : filter the string $veri and return it
    //   $tur=="all"    : $veri names the superglobal(s) ("post","get","request","aio"); filter them in place
    //   otherwise      : $tur names a superglobal ("get"/"post"/"request") and $veri the key; return the filtered value
    public function basla($veri,$tur="normal"){
        if($tur=="normal"){
            return $this->normal($veri);
        }elseif($tur=="all"){
            return $this->tumsorgular($veri);
        }else{
            return $this->req($tur,$veri);
        }
    }
    private function normal($deger){
        foreach($this->liste as $bul){
            $deger=str_replace($bul,'\\'.$bul.'\\',$deger);
        }
        return $deger;
    }
    // Filter every value of one superglobal array in place.
    private function dizifiltre(array &$dizi){
        foreach($dizi as $ad=>$deger){
            $dizi[$ad]=$this->normal($deger);
        }
    }
    // The original built these loops with eval() and had the return inside the
    // foreach, so "aio" only ever filtered $_POST. The arrays are now passed by reference.
    private function tumsorgular($yapilacak){
        switch ($yapilacak){
            case "post":    $this->islet=array("POST"); break;
            case "get":     $this->islet=array("GET"); break;
            case "request": $this->islet=array("REQUEST"); break;
            case "aio":     $this->islet=array("POST","GET","REQUEST"); break;
            default:        $this->islet=array(); break;
        }
        foreach($this->islet as $islem){
            if($islem=="POST"){ $this->dizifiltre($_POST); }
            elseif($islem=="GET"){ $this->dizifiltre($_GET); }
            else{ $this->dizifiltre($_REQUEST); }
        }
    }
    // Return the filtered value of one key; a missing key yields "" instead of a notice.
    private function req($deger,$method){
        switch ($method){
            case "post":    $this->islet=isset($_POST[$deger])?$_POST[$deger]:""; break;
            case "get":     $this->islet=isset($_GET[$deger])?$_GET[$deger]:""; break;
            case "request": $this->islet=isset($_REQUEST[$deger])?$_REQUEST[$deger]:""; break;
            default:        $this->islet=""; break;
        }
        return $this->normal($this->islet);
    }
    public function ekleme($eklenecek){
        $this->liste[]=$eklenecek;
    }
}
?>



              #7
              It's not simple and it's very complicated for me. Why don't you use addslashes()?



                #8
                Originally posted by Jerson View Post
                It's not simple and it's very complicated for me. Why don't you use addslashes()?
                Because mysql_real_escape_string is safer. Industry standard.



                  #9
                  mysql_real_escape_string() will be removed in the next version of PHP...



                    #10
                    Originally posted by Jerson View Post
                    mysql_real_escape_string() will be removed in the next version of PHP...
                    Maybe, maybe not, but it's still considered safer. So using an escape wrapper function would help a lot in case, as you say, it's removed.



                      #11
                      addslashes() is equivalent to mysql_real_escape_string... Yeah, it doesn't matter whatever function it is, as long as it can filter inputs.



                        #12
                        addslashes or mysql_real_escape_string is not enough. The file size of this package is very big (original file size: 2,6 kB and CRC: FFF6FFDA). ornek.php is a sample; the protection is very basic. Add these lines:
                        include_once("sqlkoruma.php");
                        $deneme1=new sqlinj;
                        $deneme1->basla("aio","all");
                        aio => request, get, post
                        all => all values
                        Do not use addslashes when adding a record, because it slashes all the text.

                        Added new version 3.1.
                        Last edited by muammerturkmen; 07.07.11, 10:24.
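The thread goes back and forth between addslashes, mysql_real_escape_string and the sqlkoruma.php keyword denylist. As an added example (not from the thread or from the sqlkoruma.php package), the PHP below runs a cut-down copy of the class's token-wrapping over ordinary user input and stores the same input through a parameterised PDO query on an in-memory SQLite table, so the two approaches can be compared on legitimate data. The table name urunler is borrowed from ornek.php, the rows and inputs are constructed here, and the pdo_sqlite extension is assumed to be installed.

```php
<?php
// Added example, not part of the thread or the sqlkoruma.php package.
// Compares the keyword denylist with a prepared statement on constructed input.

// Stand-in for sqlinj::normal(): wrap each listed token in backslashes
// (subset of the class's $liste, same str_replace logic).
function denylistFilter(string $value): string {
    $liste = array("=", "'", "\"", "*", "-", "select", "insert", "update", "where", "into", "set", "char");
    foreach ($liste as $bul) {
        $value = str_replace($bul, '\\' . $bul . '\\', $value);
    }
    return $value;
}

$pdo = new PDO('sqlite::memory:');                           // assumed: pdo_sqlite available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE urunler (id INTEGER PRIMARY KEY, ad TEXT)");

// Constructed inputs a real user could submit for a product name.
$inputs = array(
    "charset converter",   // contains the tokens "char" and "set"
    "O'Reilly's guide",    // apostrophes in a name
    "Price = 10-20",       // "=" and "-" in ordinary text
);

foreach ($inputs as $ad) {
    // 1) The denylist rewrites the value: "charset converter" becomes "\char\\set\ converter".
    //    The data is changed, and the keywords it targets are still visible inside the backslashes.
    echo "denylist: " . denylistFilter($ad) . "\n";

    // 2) A prepared statement binds the value as data; it never enters the SQL
    //    grammar, so no keyword or quote filtering is needed and nothing is altered.
    $st = $pdo->prepare("INSERT INTO urunler (ad) VALUES (:ad)");
    $st->execute(array(':ad' => $ad));
}

// Read back with a bound parameter: each stored row equals the original input.
$st = $pdo->prepare("SELECT ad FROM urunler WHERE ad = :ad");
foreach ($inputs as $ad) {
    $st->execute(array(':ad' => $ad));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    printf("stored: %s (round trip %s)\n", $row['ad'], $row['ad'] === $ad ? 'ok' : 'CHANGED');
}
```

The denylist output shows why post #12 warns against slashing stored records: the filter mutates legitimate text, while the bound parameter stores and matches it unchanged.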
