MakeWebGames

Simple SQL Injection protection


_ReapeR_


Guest Anonymous

Re: Simple SQL Injection protection

Oh dear...

 

Advice to all -- DO NOT USE THIS -- It is far too simple to bypass. I won't tell you how for obvious reasons (Killah, PM me if you want to know why).


Re: Simple SQL Injection protection

Might want to fix that, for the copy and pasters here.

 

[code not shown: viewing code on this forum requires registration]

 

Supposed to be

[code not shown: viewing code on this forum requires registration]

 

Simple things can make people go mad. :-)


Re: Simple SQL Injection protection

 

Might want to fix that, for the copy and pasters here.

 

[code not shown: viewing code on this forum requires registration]

 

Supposed to be

[code not shown: viewing code on this forum requires registration]

 

Simple things can make people go mad. :-)

Funny how you say copy & pasters; please go look at my last posts, you'll notice I don't copy & paste.


Re: Simple SQL Injection protection

No, I wasn't calling you a copy and paster. I was referring to those who say,"Oh, cool, a new code." They copy and paste it without looking over it to see what it does, what it contains, and why it does what it does. So, sorry if you felt I was talking about you when I said copy and pasters.


Guest Anonymous

Re: Simple SQL Injection protection

Seems I should have suggested that _ReapeR_ get in touch...

Again - DO NOT USE THIS - it has MAJOR vulnerabilities


Re: Simple SQL Injection protection

Man, so accusatory with these "mods". Anything with 'select' in the URL != intrusion attempt. It's not going to be very friendly if you wind up going to a profile, say, user.php?name=selectMan, and being labelled a hacker. But sure.

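The objection above, that a keyword filter brands a player called selectMan a hacker, shown in running code. This is an added example, not code from the thread or from the game engine: a keyword blacklist of the kind the post describes, next to a PDO prepared statement that binds the name as data so no keyword list is needed. The users table, its rows, the three inputs and the function names are constructed for the demonstration, and the database is an in-memory SQLite one rather than the game's MySQL.

```php
<?php
// Added example (not code from the thread). Contrasts a keyword blacklist
// on a URL parameter with binding the value as a query parameter.
// Table, rows and inputs below are constructed for the demonstration.

// The kind of check the post complains about: any parameter that contains
// an SQL keyword is treated as an attack, whatever it actually is.
function keyword_blacklist_flags(string $value): bool
{
    $keywords = ['select', 'union', 'insert', 'update', 'delete', 'drop'];
    foreach ($keywords as $kw) {
        if (stripos($value, $kw) !== false) {
            return true;
        }
    }
    return false;
}

// The approach that separates code from data: the name is bound as a
// string parameter and never spliced into the SQL text, so "selectMan"
// is just a name and a quote character is just a character.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for the game's users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['selectMan', 'Killah', 'Nyna'] as $n) {
    $ins->execute([':name' => $n]);
}

// Constructed inputs: a legitimate name, a textbook tautology with no
// keyword in it, and a string that does contain a keyword.
$inputs = [
    'selectMan',
    "x' OR '1'='1",
    "Killah' UNION SELECT 1,2 --",
];

foreach ($inputs as $name) {
    $flag = keyword_blacklist_flags($name) ? 'BLOCKED' : 'allowed';
    $row  = find_user($db, $name);
    printf("%-32s blacklist: %-8s prepared lookup: %s\n",
        json_encode($name), $flag, $row ? "found id {$row['id']}" : 'no match');
}
```

Run with `php` and the first line shows the false positive: selectMan is BLOCKED by the blacklist while the prepared lookup simply finds the player. The second input, with no keyword in it at all, passes the blacklist and is a plain "no match" for the prepared statement; the third is blocked by the list but would also have matched nothing, since the whole string is compared as a name.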

Re: Simple SQL Injection protection

*makes buzzer sound* Actually, Nyna isn't "always" right (as she will most likely confirm) - but she does have 30+ years of experience behind her and knows what she is doing :)

 

I can't see any, but I'll take Nyna's advice as she's better than us, and always right :-)


Re: Simple SQL Injection protection

Is Killah's code safe? If not, can you post one that is, if it is possible to make one that's better than the simple market codes...

if (isset($_GET['ID']) && preg_match('/[^0-9]/', $_GET['ID'])) { // eregi() was removed in PHP 7; preg_match() does the same "any non-digit" check
    echo "Invalid Request";
    exit; // stop here, otherwise the rest of the page (and its query) still runs
}

and

$_GET['ID'] = abs((int) $_GET['ID']);

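The two checks quoted in the question, run side by side over constructed inputs, as an added example (not the poster's code and not from any market script). Because eregi() was removed in PHP 7, the whitelist check is written with preg_match(); the function names and the sample inputs are assumptions. It shows where the two differ: the whitelist refuses anything that is not a plain digit string, while abs((int) ...) silently turns the same inputs into some integer and carries on.

```php
<?php
// Added example (not from the thread): the whitelist check and the cast
// from the question, applied to the same constructed inputs.

// Whitelist: accept only a non-empty string of ASCII digits, refuse the rest
// (the post's "Invalid Request" branch). Non-strings such as ?ID[]=1 are refused too.
function id_whitelist($raw): ?int
{
    if (!is_string($raw) || preg_match('/^[0-9]+$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Coercion: whatever comes in is forced to a non-negative integer.
function id_coerce($raw): int
{
    return abs((int) $raw);
}

// Constructed inputs: a good ID, a probe, a negative, scientific notation,
// an empty string, letters, and a zero-padded ID.
$samples = ['42', '42 OR 1=1', '-7', '1e3', '', 'abc', '007'];

printf("%-14s %-10s %s\n", 'input', 'whitelist', 'abs((int))');
foreach ($samples as $s) {
    $w = id_whitelist($s);
    printf("%-14s %-10s %d\n", json_encode($s), $w === null ? 'reject' : $w, id_coerce($s));
}
```

Both keep anything but an integer out of the query, so an injection through ID is stopped either way. The difference is that the cast rewrites bad input into a real ID instead of refusing it: "42 OR 1=1" becomes 42, "-7" becomes 7, "" becomes 0, and since PHP 7.1 "1e3" becomes 1000, so a typo or a probe quietly lands on a different row. Whichever check is kept, binding the ID as a parameter in a prepared statement keeps it out of the SQL text altogether.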

Re: Simple SQL Injection protection

If you add this

 

[code not shown: viewing code on this forum requires registration]

 

correctly it should stop the market injections.

For forums:

 

[code not shown: viewing code on this forum requires registration]

 

If you add those properly it should stop all URL injections. Not saying it will stop XSS etc., but the majority of PHP ones.

It won't stop all POST injections either, but that could do the trick for securing your game for the time being.


Re: Simple SQL Injection protection

Well, I would take Nyna's advice on this; she has taught me a bit on the safety of my site, e.g. form inputs and cleaning incoming data.

Just thought I would tell you all.

Nyna doesn't say -DON'T USE THIS- for nothing :wink:


Re: Simple SQL Injection protection

If anyone's still worried about SQL injections after adding

$_GET['ID'] = abs((int) $_GET['ID']);

if you have price caps on the markets, you can easily have it automatically delete listings over the price cap. For example, on the Crystal Market with a $1,000 price cap...

ALTER TABLE `crystalmarket` ADD `cmEACH` bigint(25) NOT NULL default 0;

Replace

global $db,$ir,$c,$userid,$h;

with

global $db,$ir,$c,$userid,$h;

// remove any listing already above the cap before the page is rendered
$db->query("DELETE FROM crystalmarket WHERE cmEACH > 1000");

Replace

$db->query("INSERT INTO crystalmarket VALUES('',{$_POST['amnt']},$userid,$tp)");

with

// cast both POST values to integers so only numbers reach the query; the new cmEACH column is the fifth value
$amnt  = abs((int) $_POST['amnt']);
$price = abs((int) $_POST['price']);
$db->query("INSERT INTO crystalmarket VALUES('',$amnt,$userid,$tp,$price)");


Re: Simple SQL Injection protection

 

Ragnar, you are totally off... I just woke up.

Read the post while awake!!! :-D I wasn't posting a price cap!

 

if you have price caps on the markets, you can easily have it automatically delete listings over the price cap. For example on the Crystal Market with a $1,000 price cap...

I was posting a way to delete listings over a price cap if there is already a price cap! That code works just fine for deleting listings over the price cap!
