Lavalair Sql Injection Blocker

You should have magic quotes turned on in your php.ini file if you don't already:

magic_quotes_gpc = On

This will prevent a lot of problems.

And avoid using $_REQUEST or $_POST directly in your code. It's better to create a function to retrieve a value. Then you know that if that function is written properly there is no chance of injections happening anywhere within the site. It's also good if you need to change the way the retrievals work, you don't have to change it everywhere in your code.

e.g.

1. validate all the input fields.
2. use this function, mysql_real_escape_string . PHP team made it only to prevent sql injections. The function containg 24 characters may protect your valuable DB!!

where can i find php.ini?

when i use mysql_real_escape_string on my site i get errors...

$uid=mysql_real_escape_string( $_GET["uid"] );

Try not to Register globals on either because if you do:

$uid=mysql_real_escape_string( $_GET["uid"] );

wont stop hackers from POSTing sql into your script instead

eg:

<form method="post" action="http://yoursite.com/web/genproc.php?action=profile&sid=c37c0f63cb584676b95 99191ffa91256">
<input name="uid"/>
<input type="Submit" value="Go" Name="Submit"/>
</form>

(because you have got globals on information can be collected either by GET or POST)
hence why turning globals on is dodgy...... might be a quick fix to solve all your problems in 1 hit.
but can give you 1 hell of a headache at a later date

also same reason why try to avoid using $uid = $_REQUEST["uid"];

this is 1 code found ;)

magic_quotes = bad .. and im pretty sure subzero was the one commenting on one of my posts saying that it wont work in PHP6, how can u change ur stand point on PHP6 integrity coding on a per post basis ?

the answer to this is simple


1. do not rely on magic quotes
2. do not rely on register global
3. do not rely on global fixes.

By global fixes i mean the code above that mimics magic quotes when they are disabled. Treat EVERY variable independantly. And as for nost using POST's directly in queries, forget that. Yes you can using a POST in a query is the same as using a var. Except defining a new var takes up extra ram space during script execution. As long as you sanitise your variables you will be fine . for example

and
nothing is different, apart from the second uses more ram space (not enough to make a difference but it all adds up, plus it keeps files shorter and nicer to read IMO)

so how would we clean up that code , pretty simple is sanitisation. There are many ways to sanitise data. A large XSS fix i once used, checks an array for allowed POST's and GET's. in this example its not needed however if you had a larger possible list of allowed terms its a good method (so you maybe searching users for their martial status where it could around 5 different thing)

the array fix
this will only allow m and f to be passed as a gender, notice how i used the POSTed var in my error statement. Generally this is bad. If you do not need to use user submitted data for display then dont. The less you do this the less areas people have the chance to test out their new xss strings that may at some point break htmlentities or chars. The user knows what they posted, so why tell them that, in this case it would be more wise to just say "gender not found". i did it like that only as an example of how to sanitise user submitted data

Ok so the array fix isnt good for that example as we only accept two things. maybe we could
here we dont actually use the variable in our statement, so we fully control what the query does. If the gender requested is M then it uses that, anything else it uses F.. we dont need to worry about if they sumbit an invalid gender, you design the interface so normal members can only post M or F.. if they post anything else then who cares if they get a resultset they didnt ask for, there not interested in it anyway

ok so thats 2 ways to santise data in the respects that we only allow what we want. but wat if we want to use submitted data that could be anything such as a avatar or profile message. heres one way

note: i have added an esacpe function i always use, it auto adds our quotes to the data to save us time and escapes it, plus its shorter to type which is always good

So here we have 2 posted vars, the first we simply sqlesc() it so none of the characters can break the statement, depending on your style of programming you may want to add more checks, but that is all u really need, anything else can be done on display which is what i usually do. u also have the uid to update, notice we 0+ it , you could also use (int) .. up to you. both typecast the var to a integer, we only need integers so typecast it. if there is letters in there that are intended to break the query then the int will be 0 and usually u have no user of id 0 and no users will be found/updated.

There is also one simple security trick here that many over look. thats the limit. If you only want to update one row then tell it so, first it increases speed as it wont look for other rows to update after the first, secondly any malicious code that does magically make itself through will only work on one account, stopping it being spawned to other accounts, so a delete command maliciously inserted wont work as wll as the attacker had hoped.

Now i kno the limit isnt be all end all for security. but in a limited number of situations it will help. We can all think of attacks that this wouldnt be any good for but if u have half a brain u can think of at least one attack string it would perform some help to avoid global spawning attacks. and even if it only helps protect against 1 in 100 attacks.. is it not worth those extra few characters ???

ok so i think thats enough info, just remember 1 basic rule... SANTISE DATA. as long as you sanitise data on input and output you will usually be fine. the very basic of this means, sql escape on input and htmlspecialchars on output

if you have a small example of insecure code which u would like an example on how to secure then post it along with what it does and i'll see if i can help you understand how to secure stuff.

-----------------------

Edit:

the get function subzero posted isnt too bad tbh. personally i dont like using functions, i learnt my PHP from some of the best in the business and i guess my coding style derives from theres. Maybe functions arent any different, but when i think about using such things i think to myself why dont they use it.. and it makes me stray away. One way that get could be imporved while still using request gloabls is like this

note:
$t = 1 (string)
$t = 2 (int)
$t = 3 (Boolean)

so what this does is take the requested variable and typecasts it, if its a string then it just passes it back, if its an int , it typecasts it to an into, and if its a bool it typecats it setting the return value as either bool(true) or bool(false)

this isnt once again be all end all of security, u will still need to atleast sanitise the string data on return, maybe use it as sqlesc(getVar("gender"));

but using inline sanitisation imo is always better in the long run, plus u get used to sanitising data if u have to keep doing it and you will learn much quicker on better methods, rather than having to keep asking about it

yes i did...

Also my way you dont need both

magic quotes
register global
global fixes

Also djlee will work fine

subzero script chat is better then lavalair I think...

You cant put/sql or get user sid or get there info my members are safe

also it all done with function

lol

to protect your file share folders from php pages being uploaded make a htaccess page and put in it the following

when a php page is uploaded in that directory and the hacker goes to open it they end up with a nice 403 error page not found even though their script to hack may be there lol thanks to gum for that lil trick

i use

for data posted to mysql or to a string that way when data is called it wont be passed for special characters again as this would cause probs lol

or how about: