MakeWebGames

8 Lines to secure your site from known sql injections.


Haunted Dawg


Guest Anonymous

Re: 8 Lines to secure your site from known sql injections.

I think this topic should be renamed "8 Lines to secure your site from 'some' known sql injections."

Yes, it works, but only for certain areas.

Guest Anonymous

Re: 8 Lines to secure your site from known sql injections.

 

Nyna the topic says:

8 Lines to secure your site from "known" sql injections.

Known injections:

# Markets

# Forum

There are plenty of other "known" injections.


Re: 8 Lines to secure your site from known sql injections.

 

Below is the code I use to secure all my sites against sql injections.

Edit: Thanks for the observation killah

usage:

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

what line do you add this under


Guest Anonymous

Re: 8 Lines to secure your site from known sql injections.

 

I've been told that this is not even a real security script, it's a lie

I can only assume this was in reference to a discussion on IRC which I post as matter of curiosity...

(This was from a public discussion on the #ce channel)

 

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

As I've pointed out - these lines DO protect SOME areas, but there are plenty of other known points of, shall we say, "interest" to anybody feeling a little frisky in relation to "playing" with other people's sites.

Realizing that your code may be susceptible is the first step. Doing some basic research into the subject with your friendly Google is the second. Learning the relevant skills necessary to block these attacks is the next. And no, they are not complex - there is plenty of discussion material here and elsewhere specifically aimed at both the DBS/MCcodes platform(s) and other environments.


Re: 8 Lines to secure your site from known sql injections.

 

Nyna & others, the problem here is people post their blabbering bullshit before they read.

I did state on the second page that it secures the forum and the markets.

DID I EVEN SAY THIS WILL SECURE YOUR ENTIRE WEBSITE?!

In IRC, we did not say it secures your whole site; it was tylor who came back and was like "secured my site from sql injections now".


Re: 8 Lines to secure your site from known sql injections.

 

Wouldn't it be easier to make a function to secure all SQL queries?

 

In globals.php

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

Use as shown (Preferences - Name Change given as example)

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

or

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

Above switch($_GET['action'])

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

Secures $_POST if used properly (alphanumeric)

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

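The post above keeps its helper function behind the forum's registration wall, so the following is an added example and not the poster's code. It shows the same idea, one function that every query goes through, built on PDO prepared statements rather than on escaping: user data is passed as bound parameters and never concatenated into the SQL text. The `users` table, its `userid`/`username` columns and the name-change handler are assumptions modelled on the "Preferences - Name Change" case the post mentions; an in-memory SQLite database is used so it runs offline.

```php
<?php
// Added example (not the poster's hidden code): a query helper built on
// PDO prepared statements. Table and column names are assumptions for
// an MCcodes-style users table; SQLite in memory is used so it runs offline.
declare(strict_types=1);

function db_connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema and data
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO users (userid, username) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Runs a statement with every user-supplied value passed as a bound
// parameter. The SQL text never contains user data, so quoting that data
// is the driver's job, not the caller's; no escaping function is needed.
function db_query(PDO $db, string $sql, array $params = []): PDOStatement {
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Name-change handler, the case the post used as its example.
function change_username(PDO $db, int $userid, string $newname): bool {
    // Validate shape first: parameters stop injection, but they do not
    // enforce rules such as length or allowed characters.
    if ($newname === '' || strlen($newname) > 32) {
        return false;
    }
    $stmt = db_query(
        $db,
        'UPDATE users SET username = :name WHERE userid = :id',
        [':name' => $newname, ':id' => $userid]
    );
    return $stmt->rowCount() === 1;
}

function get_username(PDO $db, int $userid): ?string {
    $stmt = db_query($db, 'SELECT username FROM users WHERE userid = :id', [':id' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

$db = db_connect();
// A name containing a quote is stored verbatim: the quote is data, not SQL.
var_dump(change_username($db, 1, "O'Brien"));
var_dump(get_username($db, 1));
var_dump(get_username($db, 2));
```

Because every query passes through `db_query()`, a mod that uses the helper cannot accidentally build SQL from raw input, which is the guarantee the "one function for all queries" idea is after; the same pattern applies unchanged with a MySQL DSN instead of SQLite.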

Re: 8 Lines to secure your site from known sql injections.

wouldn't something like:

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

in header work (you would need something to check to see if it's alphabetical or numeric)

EDITED!

I did a little research; I'm not sure if this would work but I'll give it a go lol

 

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

Don't use this until someone with more experience posts if I'm right or wrong lol

More CTYPE:

ctype_alnum

ctype_alpha

ctype_cntrl

ctype_digit

ctype_space

ctype_xdigit

EDITED ONCE AGAIN

Due to unknown reasons this code has been said to not work; I recommend not using it until more research on this is made.

By this code I'm talking about the code in this reply alone; I am not commenting on other people's.

Thanks for reading

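The post above lists the `ctype_*` functions but its own check is hidden and, by the poster's later edit, reported not to work. As an added example that is not the poster's code, here is how those functions are normally used: a whitelist for the `action` parameter and a per-field rule for each expected POST value, with anything unknown dropped rather than passed on. The field names, the allowed actions and the stand-in arrays for `$_GET`/`$_POST` are constructed for the example.

```php
<?php
// Added example, not the poster's code: whitelist-style validation of
// request parameters with ctype_*. Field names and allowed actions are
// assumptions; $_GET/$_POST are replaced by constructed arrays.
declare(strict_types=1);

// Only known action names are accepted; an unknown one falls back to a
// safe default instead of reaching switch($_GET['action']) unchecked.
function valid_action(array $get, array $allowed, string $default = 'view'): string {
    $action = $get['action'] ?? $default;
    return in_array($action, $allowed, true) ? $action : $default;
}

// Checks each POST field against a rule. Returns the accepted values and
// an error per rejected field. Fields without a rule are never copied.
function validate_post(array $post, array $rules): array {
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $post[$field] ?? null;
        // ctype_* behaves differently on non-strings, so insist on a string.
        if (!is_string($value)) {
            $errors[$field] = 'missing';
            continue;
        }
        switch ($rule) {
            case 'alnum':   // letters and digits only, 1..32 characters
                $ok = $value !== '' && strlen($value) <= 32 && ctype_alnum($value);
                break;
            case 'digits':  // non-negative integer; cast once it is known to be digits
                $ok = $value !== '' && ctype_digit($value);
                if ($ok) {
                    $value = (int) $value;
                }
                break;
            case 'hex':     // hexadecimal token
                $ok = $value !== '' && ctype_xdigit($value);
                break;
            default:
                $ok = false;
        }
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = "not a valid {$rule} value";
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed inputs standing in for $_GET and $_POST
$get  = ['action' => 'namechange'];
$post = ['newname' => 'Player1', 'userid' => '42', 'amount' => '12abc', 'extra' => 'ignored'];

$action = valid_action($get, ['view', 'namechange', 'buy']);
$result = validate_post($post, [
    'newname' => 'alnum',
    'userid'  => 'digits',
    'amount'  => 'digits',
]);
var_dump($action, $result);
```

Validation of this kind is a complement to parameterised queries, not a replacement: it keeps the name-change field to the characters the game expects and turns numeric ids into integers before they are used, while the query layer still has to treat every value as data.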

Re: 8 Lines to secure your site from known sql injections.

Catch alls that filter through the entire get and post are just ridiculous...

I have an even better idea, don't allow users to submit user input. Don't ever update or insert, or delete anything in the database. That should secure just about any site. Don't believe me? lol

Even better, take out this line:

mysql_connect($host, $user, $pass);

I guarantee you will never suffer a mysql injection again!

--------------------------------------------------------------------

 

Obviously I jest, but a point is illustrated here. Whilst those things will work, you give up certain functionality. Cycling through the entire get and post arrays and escaping all text is just way too overreaching. What if you want to have an email script? You'd be sending out email with slashes all over it... That's really smart!

What if you buy a mod from someone that actually took the time to secure their script the RIGHT WAY??

If you escape all get and post strings, their script will escape them again (unescaping them basically) and you're screwed. You'd be in luck with my scripts because I almost exclusively use the REQUEST array which I never see being escaped in these catch alls...

Those aren't the only reasons that those catch-alls shouldn't be done, but maybe the biggest one is it shows two things. One of them is okay, and to be expected. The other, I think, people would want to avoid.

It shows: inexperience. Nothing wrong with that. We've all been inexperienced programmers.

It also shows: LAZINESS!! More specifically, being too lazy to do things properly.

 

That's IMHO. Feel free to be lazy and stuck on noob, I won't complain. ;)

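The post above makes two claims about catch-all escaping of `$_GET`/`$_POST`: a mod that escapes correctly itself ends up escaping twice, and text that never reaches SQL (an email body) picks up slashes. The following added example, not the poster's code, reproduces both effects. `addslashes()` stands in for the MySQL escaping function the thread's scripts used, since that one needs a live database connection; the input array is constructed.

```php
<?php
// Added example, not the poster's code: why a catch-all that escapes
// every $_GET/$_POST value breaks scripts that escape correctly
// themselves. addslashes() stands in for the MySQL escaping function.
declare(strict_types=1);

// The catch-all style criticised in the post: escape everything once,
// globally, before any script sees it.
function catch_all_escape(array $input): array {
    return array_map('addslashes', $input);
}

// A mod written "the right way" escapes each value itself at the point
// of use. Run after the catch-all, the value is escaped a second time.
function mod_escape_for_query(string $value): string {
    return addslashes($value);
}

// What the database ends up storing: the SQL parser removes exactly one
// level of escaping from a string literal. stripslashes() models that.
function value_as_stored(string $escaped_literal): string {
    return stripslashes($escaped_literal);
}

// Constructed input: one value bound for SQL, one bound for an e-mail body.
$post = ['name' => "O'Brien", 'msg' => 'say "hi" to everyone'];

$once  = catch_all_escape($post);
$twice = mod_escape_for_query($once['name']);

echo "raw:           {$post['name']}\n";
echo "catch-all:     {$once['name']}\n";
echo "escaped again: {$twice}\n";
echo "stored in DB:  " . value_as_stored($twice) . "\n";

// Second symptom: the e-mail text never goes near SQL, yet it carries
// slashes because escaping was applied globally instead of at the query.
echo "email body:    {$once['msg']}\n";
```

Run as-is, the name comes out of the catch-all as `O\'Brien`, is escaped again to `O\\\'Brien`, and is stored as `O\'Brien`, a stray backslash the user never typed; the email body becomes `say \"hi\" to everyone`. Escaping belongs at the point where a value meets a query (or, better, is avoided entirely with parameterised queries), which is exactly what the global approach cannot know.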
