MakeWebGames

8 Lines to secure your site from known sql injections.


Haunted Dawg

Re: 8 Lines to secure your site from known sql injections.

Well, this is nice, Kyle, I give you 10/10. What this prevents is the injections exploiting the forums; so far I only noticed one line of code to do it,

but that is still testing with new types of injections...

By exploiting the forums you can query the database to send you any information you want with a simple union all select from 'tablename', with a few extra features I leave out for security purposes...

What this actually does is help you out by not having to go through the whole forums clearing out every GET request with $_GET['ID'] = abs((int) $_GET['ID']); which, I tell you, is a long task...

This form is quite nice though, and I suggest more people use it or something similar. It isn't going to prevent all injections I know of, but it will slow them down :)


Re: 8 Lines to secure your site from known sql injections.

@the hacker07: I keep posting new ways & better ways to secure your site from known SQL injections. I posted the

[code not viewable: viewing code within this forum requires registration]

, and not to mention that by finding new SQL injections using that way you will end up having, let's say, 15 lines. It will take longer to load. I therefore use this method from now on since it is quicker & easier.

@dementor: It's really not my fault you don't know how to add it. Hell, why did you put it in forums? And at least the SQL exploiters won't be able to get the information they required.


Re: 8 Lines to secure your site from known sql injections.

If you don't understand the mechanics of this then you probably shouldn't have an MC game, because it is going to get hacked...

Basically he is creating an array to check the GET variables that should be integers and make them integers if not.

The problem with this general use in the header is that if you reuse variable names and pass a string in a GET variable, you are screwed.

I prefer to check variables on a page by page basis; it's a bit more work but it avoids unintended consequences.

Also, you need to check variables that aren't just GETs, since POSTs can be activated by XSS, as well as check strings. You can still inject the stock v2 forums even if you (int) check the topic ID.

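A stricter take on the whitelist approach discussed in this post, covering both GET and POST as the poster suggests, as an added example that is not code from the thread or from the forum software: the function name enforce_int_params, the INT_PARAMS constant and the parameter names in it are assumptions.

```php
<?php
// Added example, not from the thread. Instead of silently coercing with
// abs((int) ...), which turns a stray string into 0 and hides the bug when a
// parameter name is reused, this rejects anything that is not a non-negative
// integer so the page can refuse the request before any SQL is built.

// Hypothetical whitelist: parameter name => request methods it may arrive in.
const INT_PARAMS = [
    'ID'    => ['GET'],
    'topic' => ['GET', 'POST'],
    'page'  => ['GET'],
];

/**
 * Validate every whitelisted parameter present in $source for $method.
 * Returns the cleaned values as PHP ints, or throws on the first bad one.
 */
function enforce_int_params(array $source, string $method, array $whitelist = INT_PARAMS): array
{
    $clean = [];
    foreach ($whitelist as $name => $methods) {
        if (!in_array($method, $methods, true) || !array_key_exists($name, $source)) {
            continue; // not expected via this method, or simply absent
        }
        // FILTER_VALIDATE_INT accepts only canonical decimal integers:
        // "1 OR 1=1", "1.0", "0x1" and array values (ID[]=1) all fail.
        // min_range 0 forbids negatives, matching the thread's use of abs().
        $value = filter_var($source[$name], FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);
        if ($value === false) {
            throw new InvalidArgumentException("Parameter '$name' must be a non-negative integer");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Usage at the top of a page, before any query is assembled.
try {
    $in = enforce_int_params($_GET, 'GET') + enforce_int_params($_POST, 'POST');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

// Even with validated integers, bind values instead of interpolating them
// (PDO connection $pdo assumed):
// $stmt = $pdo->prepare('SELECT * FROM topics WHERE id = ?');
// $stmt->execute([$in['topic'] ?? 0]);
```

Because rejected input stops the request instead of becoming 0, a reused parameter name that unexpectedly carries a string shows up as a 400 in the logs rather than as a query for row 0.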

Re: 8 Lines to secure your site from known sql injections.

Yeah, most probably, no wonder. Use this then:

[code not viewable: viewing code within this forum requires registration]

And you say you coded most of the forums yourself; you should put the $_GET['']s into the array.

I really don't see the point in this... You're just making the code more complicated than it needs to be.

Your original code was better; this is just longer code and will take more time to execute...

Looping isn't really required for this...

Something like:

[code not viewable: viewing code within this forum requires registration]

would work just as well.
