jimmytubbs Posted May 17, 2008

Hi, I think this would help some other people as well. Can someone actually post a MySQL injection protection from hackers that actually works, please?

Cheers,
jimmytubbs

Guest Anonymous Posted May 17, 2008
Re: Mysql injection that actually works

[me=Nyna]sighs[/me]

This has been discussed time and time again. Use the search facility, read the PHP FAQs, and see mysql_real_escape_string().

-Matt- Posted May 17, 2008
Re: Mysql injection that actually works

http://criminalexistence.com/ceforums/i ... ;topicseen
http://criminalexistence.com/ceforums/i ... ic=18874.0
http://criminalexistence.com/ceforums/i ... pic=8462.0
http://criminalexistence.com/ceforums/i ... ic=18482.0

These should help to stop cheaters in different ways.

Ragnar Posted May 20, 2008
Re: Mysql injection that actually works

    $_GET['ID'] = abs((int) $_GET['ID']);

for markets.

    $_GET['viewforum'] = abs(@intval($_GET['viewforum']));
    $_GET['viewtopic'] = abs(@intval($_GET['viewtopic']));

for forums.php.

riderdaz Posted May 26, 2008
Re: Mysql injection that actually works

The thing that a lot of people don't get is that the forum isn't the only place for a hacker; they can obtain your password and user name from near enough any input, so just putting a few lines in the header isn't going to protect your whole game. You need to go through pretty much all of it. I would like to tell you how to do this, but I'm not 100% sure on SQL protection.

Joel Posted May 30, 2008
Re: Mysql injection that actually works

    <?php
    // Recursively strip backslashes (such as those added by magic_quotes_gpc)
    // from every value in $var. This removes escaping; it does not add any.
    function stripslashes_gpc( &$var ){
        foreach( $var as $key => $value ){
            if( is_array( $var[$key] ) ){
                stripslashes_gpc( $var[$key] );
            } else {
                $var[$key] = stripslashes( $value );
            }
        }
    }
    // Apply to each request superglobal that carries data.
    if( count( $_GET ) > 0 ){ stripslashes_gpc( $_GET ); }
    if( count( $_POST ) > 0 ){ stripslashes_gpc( $_POST ); }
    if( count( $_COOKIE ) > 0 ){ stripslashes_gpc( $_COOKIE ); }
    ?>

Not sure if it works, but a friend told me. I'm not very good at SQL protecting :/

topmorpg Posted May 30, 2008
Re: Mysql injection that actually works

Let's put it this way: any variable, text or numerical, can be abused. The script is well known. If you have a variable

    $x

all I have to do in the injection point is maybe feed it over the URL as

    page.php?x=9999999

Simple to fix: verify data. How about form data? Check that it's valid before updating. Some plugins allow you to change HTML properties and data before a form is submitted. Example:

    <input type="hidden" name="school" value="1">

Hell, it really isn't hidden at all. I can change it to 9000000 if I wanted to and submit it. But are you verifying that it's valid?

There is more to things than the eye lets you see. Google is your friend, and we are here to help point you in the right direction. Giving code away is not what I and most others will do. However, pointing you in the direction to learn and how to better secure things, we will. If you have tried and tried and just can't get it, paste your code; we will run it over in our spare time and respond back if we are not too busy. But note we won't debug an entire script for you.

TJ

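Added example, not part of the original thread: the hidden `school` field from the post above, handled with a type check, a server-side existence check, and bound parameters instead of string-built SQL. The table and column names are hypothetical, and an in-memory SQLite database stands in for MySQL (an assumption made so it runs without a server); the same prepare/execute calls apply with PDO's MySQL driver.

```php
<?php
// Added example, not from the thread. Table and column names are hypothetical.
// SQLite in memory stands in for MySQL so this runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE schools (id INTEGER PRIMARY KEY, name TEXT, cost INTEGER)');
$db->exec("INSERT INTO schools VALUES (1, 'Basic course', 100), (2, 'Advanced course', 500)");
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, money INTEGER, school INTEGER)');
$db->exec('INSERT INTO users VALUES (7, 150, 0)');

// Returns the value as a positive int, or null if it is not one.
function positive_int($raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Enrol a user in the school named by a client-controlled form field.
function enrol(PDO $db, int $userId, $rawSchool): string
{
    $schoolId = positive_int($rawSchool);
    if ($schoolId === null) {
        return 'rejected: not a valid id';
    }
    // A well-formed integer is not yet a valid one: the row must exist.
    $q = $db->prepare('SELECT cost FROM schools WHERE id = ?');
    $q->execute([$schoolId]);
    $cost = $q->fetchColumn();
    if ($cost === false) {
        return 'rejected: no such school';
    }
    // The balance check lives in the UPDATE itself, so it cannot be skipped.
    $u = $db->prepare(
        'UPDATE users SET money = money - ?, school = ? WHERE id = ? AND money >= ?'
    );
    $u->execute([$cost, $schoolId, $userId, $cost]);
    return $u->rowCount() === 1 ? 'enrolled' : 'rejected: not enough money';
}

// Constructed inputs, as they might arrive in $_POST['school'].
foreach (['1', '9000000', "1' OR '1'='1", '-1', '2'] as $input) {
    printf("%-20s => %s\n", var_export($input, true), enrol($db, 7, $input));
}
```
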