Anti-MySQL Injection function


    #16
    Man.. No need to update each and every single POST or GET method.

    All you can do is this and prevent injecting via .htaccess; there you can add the query string as:


    union|select|insert|cast|set|declare|drop|update|md5|benchmark



      #17
      Originally posted by BioBeo
      Man.. No need to update each and every single POST or GET method.

      All you can do is this and prevent injecting via .htaccess; there you can add the query string as:


      union|select|insert|cast|set|declare|drop|update|md5|benchmark
      PHP Code:
      // escape every request value in place; mysql_real_escape_string() needs an open mysql connection and was removed in PHP 7
      foreach ($_REQUEST as $key => $value) {
          $_REQUEST[$key] = mysql_real_escape_string(htmlspecialchars($value));
      }
      Last edited by something else; 14.08.10, 12:17.



        #18
        try it

        function anti_sql_injection( $input ) {
            // list the SQL commands that must not appear
            // in a query where SQL injection might be attempted
            $aforbidden = array (
                "insert", "select", "update", "delete", "truncate",
                "replace", "drop", "or", ";", "#", "--", "=" );

            // check that the input does not contain a forbidden command
            $breturn = true;
            foreach ($aforbidden as $cforbidden) {
                // strripos() returns 0 for a match at the very start of the string,
                // so the result has to be compared against false, not treated as a boolean
                if (strripos($input, $cforbidden) !== false) {
                    $breturn = false;
                    break;
                }
            }
            return $breturn;
        }



          #19
          I updated mine, try that one and see if anyone can add themselves as owners lol



            #20
            Originally posted by riderz
            SQL Injection is security failure of the most hacked sites...

            Here is Anti-MySQL Injection function:

            Code:
            function anti_injection($sql) {
               // removes words that contain sql syntax, case-insensitively
               // (sql_regcase() was removed in PHP 7, so the /i flag is used instead)
               $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
               $sql = trim($sql); // strip whitespace
               $sql = strip_tags($sql); // strip HTML and PHP tags
               $sql = addslashes($sql); // quote string with slashes
               return $sql;
            }
            How to call the function:
            Code:
            <?php
            $query = anti_injection($query);
            ?>
            ... or when you "post" the data:
            Code:
            <?php
            $query = anti_injection($_POST['something']);
            ?>
            or another one i found

            If the topic was [HOW TO] Anti-SQL Injection Function I might have said that it did not depend on any given db, and there is a use for that, especially if you have SQL compliant functions for flat file. That said, let's see what we can do to produce an anti-injection function that allows posting of (legal) SQL code in posts, and works regardless of SQL interface..

            .. after a bit of research I have the following, which covers all eventualities
            Code:
            <?php

            function anti_injection($sql, $debug=false) {
              if($sql=='') return;

              // $debug was meant to switch on the test echoes, which are not shown in this post
              $single = false;   # do single quotes translation
              $double = false;   # do double quotes translation

            //  $sql = trim($sql); # strip whitespace *(what if the first line is space indented? ie ascii art)
            //  if (get_magic_quotes_gpc()) $sql = stripslashes($sql); # if you have problems with slashes
              $sql = htmlspecialchars($sql); # for < and >, &, single and double quote characters

              if(substr_count($sql,"'")==0) $single = false; else $single = true;
              if(substr_count($sql,'"')==0) $double = false; else $double = true;

              if($single) $sql = str_replace("'", '&#039;', $sql);  # for single quote characters
              if($double) $sql = str_replace('"', '&quot;', $sql); # for double quote characters (already converted by htmlspecialchars; kept as a fallback)

              return $sql;
            }

            ?>
            the echoes are just for testing (eg: $safe_sql = anti_injection($data_to_be_sanitized,true);), as these may be set differently on your PHP installation (not 110mb)

            (NOTE: when copying either of these PHP quoted code functions, change "& #039;" to read "&#039;" - minus space, it's a quirk of the PHP code hiliter, it outputs "&#039;" as "&#038;#039;")

            that said, for pure speed I would use the following (less the comments)
            Code:
            <?php
            function anti_injection($sql) {
              $sql = htmlspecialchars($sql); # for < and >, &, single and double quote characters
              $sql = str_replace("'", '&#039;', $sql);  # for single quote characters (just in case)
              $sql = str_replace('"', '&quot;', $sql); # for double quote characters (just in case)

              return $sql;
            }
            ?>
            or as antimatter might prefer
            Code:
            function sql_ai($sql){return str_replace('"','&quot;',str_replace("'", '&#039;',htmlspecialchars($sql)));}
            Where am I gonna put this code? In the core?




              #21
              Yeah, put them in core. Well, you can put them in other places, but you're better off in core so they are available on every page.
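              The "post" call in #20, $query = anti_injection($_POST['something']);, and the advice in #21 to keep the function in the core both assume the fix is to scrub the value before it is glued into the query. As an added example (not code from any poster in this thread), here is the same case done with a PDO prepared statement, which keeps the value out of the SQL text entirely; it runs stand-alone on an in-memory SQLite database, and the table, column names and the MySQL DSN in the comment are assumptions.

```php
<?php
// Added example, not code from any post in this thread. The #20 "post" case,
// $query = anti_injection($_POST['something']), done with a PDO prepared statement:
// the value is bound, never spliced into the SQL text, so no keyword blacklist
// or addslashes() is needed. Runs stand-alone on an in-memory SQLite database;
// for MySQL use a DSN such as 'mysql:host=localhost;dbname=forum;charset=utf8mb4'
// (assumed values). Table and column names are assumptions too.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares (matters on MySQL)
    ]);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Insert a post; the user-supplied text is sent as a bound parameter, not as SQL.
function save_post(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Look a post up the same way: the id is bound as an integer.
function load_post(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, author, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample standing in for $_POST['something']: legitimate text that contains
// SQL keywords and a single quote, which the thread's filters would strip or backslash.
$body = "Greetings from Paris! O'Brien's tip: SELECT name FROM users WHERE id = 1";

$db  = open_db();
$id  = save_post($db, 'riderz', $body);
$row = load_post($db, $id);

// Stored verbatim: the SQL-looking text was data, not query syntax.
var_dump($row['body'] === $body);

// Escape for the output context (HTML) at render time, not before storing.
echo '<p>#' . $row['id'] . ' ' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
```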
