Newbie, posted October 12, 2011

My friend was getting an error on his game whenever he does a crime or gym. I haven't checked out what else it does it on, but anyway he gets this error:

Deprecated: Function sql_regcase() is deprecated in /home/mymafia/public_html/globals.php on line 38

I don't know anything about security, but the error is coming from this function:

function anti_inject($campo) {
    foreach ($campo as $key => $val) {
        // Remove words that contain SQL syntax
        $val = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $val);
        // Remove leading/trailing spaces
        $val = trim($val);
        // Remove HTML/PHP tags
        $val = strip_tags($val);
        // Add backslashes to the string
        $val = addslashes($val);
        // Store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // Returns the cleaned array
}
$_GET  = anti_inject($_GET);
$_POST = anti_inject($_POST);

EDIT: sorry, the error comes from this line:

$val = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $val);

The error goes away once you refresh the page.
Djkanna, posted October 12, 2011

Replace with the following, which should then work:

$val = preg_replace("`(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)`i", "", $val);

As much as I hate pre-made functions like this, as they lack the ability to be spot on with type checking etc., each to their own, I guess. And no, I do not care to explain my thoughts on it, before anyone asks.

From what I can tell (with my knowledge of regular expressions, or lack of it), that would only capture, for example, `select` but not `select from`. The original was pretty much a silly way of going about it, considering it would have removed those words from every input passed through the function, those poor players not being able to use the word 'where' within their messages.
H4x0r666, posted October 12, 2011

I think I had a similar problem a couple of months/weeks back. If the above answer doesn't work, try searching for your answer in this thread:

http://makewebgames.io/showthread.php/40262-Ereg-deprecated-in-email-verification/page2?highlight=preg
Neon, posted October 12, 2011

> The original was pretty much a silly way of going about it, considering it would have removed those words from every input passed through the function, those poor players not being able to use the word 'where' within their messages.

This is just a poor regex statement in general. Any poor player using any of those words, actually just one, will have it replaced with a blank char. The | in between the words means OR, so if there is no "from" in their input, it will check for "select" etc. Once it finds one, I believe the | skips the rest until the end.

So I could type "Hello from Brazil, DELETE * FROM members;" and it would replace "from" with "" and become "Hello Brazil, DELETE * FROM members;".

Once I get to work I have some handy regex application on my computer. I'll go ahead and create one for you. My memorization isn't good enough, but I think it involves asterisks and brackets.
a_bertrand, posted October 12, 2011

But why not simply do things correctly instead of trying to find some odd workaround? Use mysql_real_escape (or whatever it is called) for strings, ensure numbers are numbers, or better yet use the MySQLi library and pass the value as a parameter of your statement. Sorry, but those "fix all" ways simply don't work.

BTW, even if you fix your SQL, you still leave the door open to possible HTML / JS injections, as well as not controlling what the player inputs, like "buy -100 guns", where the player will actually be credited for something he/she doesn't own. So again, NO SHORTCUTS: test all user inputs, whether from cookies, GET or POST.
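To put the two approaches side by side, here is an added PHP example (not code from the thread or from the game): the regex blacklist discussed above silently mangles a harmless greeting, while PDO prepared statements plus integer validation handle both the SQL and the "buy -100 guns" case. It runs against an in-memory SQLite database; the messages/players tables and their columns are assumptions made for the demo.

```php
<?php
// Added example (not from the thread); the tables and columns below are assumptions.

// The blacklist filter from the thread (Djkanna's corrected regex).
function anti_inject_blacklist(string $val): string
{
    $val = preg_replace("`(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)`i", "", $val);
    return addslashes(strip_tags(trim($val)));
}

// Safe storage: placeholders keep the data outside the SQL grammar, so no word
// list is needed and the player's text is stored exactly as typed.
function store_message(PDO $db, int $player_id, string $message): void
{
    $stmt = $db->prepare("INSERT INTO messages (player_id, body) VALUES (:pid, :body)");
    $stmt->execute([':pid' => $player_id, ':body' => $message]);
}

// The "buy -100 guns" case: the quantity must be a positive integer, checked
// before it ever reaches the query.
function buy_guns(PDO $db, int $player_id, string $qty_input): int
{
    $qty = filter_var($qty_input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($qty === false) {
        throw new InvalidArgumentException("quantity must be a positive integer");
    }
    $stmt = $db->prepare("UPDATE players SET guns = guns + :q WHERE id = :pid");
    $stmt->bindValue(':q', $qty, PDO::PARAM_INT);
    $stmt->bindValue(':pid', $player_id, PDO::PARAM_INT);
    $stmt->execute();
    return $qty;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (id INTEGER PRIMARY KEY, player_id INTEGER, body TEXT)");
$db->exec("CREATE TABLE players (id INTEGER PRIMARY KEY, guns INTEGER NOT NULL DEFAULT 0)");
$db->exec("INSERT INTO players (id, guns) VALUES (1, 0)");

// Blacklist: a harmless greeting loses the word "from".
echo "blacklist: ", anti_inject_blacklist("Hello from Brazil"), "\n";

// Prepared statement: Neon's sample message is stored verbatim and never executed as SQL.
store_message($db, 1, "Hello from Brazil, DELETE * FROM members;");
echo "stored:    ", $db->query("SELECT body FROM messages")->fetchColumn(), "\n";

buy_guns($db, 1, "5");
try { buy_guns($db, 1, "-100"); } catch (InvalidArgumentException $e) { echo "rejected:  ", $e->getMessage(), "\n"; }
echo "guns:      ", $db->query("SELECT guns FROM players WHERE id = 1")->fetchColumn(), "\n";
```

Requires PHP with the pdo_sqlite extension; the same prepare/bind pattern applies unchanged to MySQLi or PDO_MySQL.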
Djkanna, posted October 12, 2011

> [...] Once I get to work I have some handy regex application on my computer. I'll go ahead and create one for you. My memorization isn't good enough, but I think it involves asterisks and brackets.

I tend to use RegExr for testing/writing regular expressions; it makes my life much easier. :)