MakeWebGames

A way to protect against sql injection


stryker


put this

 

// Magic quotes may already have backslashed the quotes; turn \' back into ' first.
$_POST['urpostinfo']=str_replace('\\\'', "'", $_POST['urpostinfo']);
// Strip a blocklist of words from the input, one str_replace() pass per word.
$_POST['urpostinfo']=str_replace('refresh','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('meta','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('redirect','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('html','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('query','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('UPDATE','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('SET','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('style','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('img','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('dynsrc','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('bg','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('background','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('.','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('title','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('embed','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('printf','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('xxs','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('script','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('javascript','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('body','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('onload','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('load','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('div','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('frame','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('FRAME SRC','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('md5','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('FRAMESET','', $_POST['urpostinfo']);
$_POST['urpostinfo']=str_replace('db','', $_POST['urpostinfo']);
// Encode angle brackets for HTML output and unescape any remaining backslashed quotes.
$_POST['urpostinfo']=str_replace(array("<", ">", '\\\''), array("&lt;", "&gt;", "'"), $_POST['urpostinfo']);
// Double the single quotes before the value is placed inside a quoted SQL string.
$post=str_replace(array("<",">","'"),array("&lt;","&gt;","''"),$_POST['urpostinfo']);

before your POST statements and after your GET statements; you only need this where there is an area to type into.


Re: A way to protect against sql injection

Not taking credit... just sharing. Might be helpful to those who have no clue. I sure as hell ain't sharing mine; the last thing I need is my SQL injection preventer posted on every warez and security board online...


Re: A way to protect against sql injection

Yup that has nothing to do with it...

BTW it would save you lots of time if you just did array();

or

$r="table name";

$_POST[$r]=str_replace(blahblah);

to save people time from editing.

Functions tend to save more time and are easier to make more edits to.

But by the way... it has nothing to do with SQL injections.

I don't see anything to do with DB there lol.


Re: A way to protect against sql injection

Actually, if you would look closely you would see that yes it is: it blocks people from using the text fields to enter whatever they want, thus exploiting the system. SQL injection is not only done through the address bar.


Re: A way to protect against sql injection

Actually, magic quotes should be off. It says in mccode that it needs to be on; that's a bunch of bull.

here is what i use on my game

/*+++++++++++++++++++++++++++++++++++++*/
/*            Mod Start                */
/*Mod By Twysted of Dynamic-Designz.com*/
/*+++++++++++++++++++++++++++++++++++++*/
// Check that the incoming data is not empty and is of the expected length.
function checkIncomingData($idata, $minsize, $maxsize)
{
    $len = strlen($idata);
    if ($len < $minsize or $len > $maxsize) {
        return false;
    }
    return true;
}

// Make sure that nothing bad can be entered by the user (--> SQL injection attack).
// mysql_real_escape_string() needs an open mysql_connect() link; it escapes quotes,
// backslashes and NUL bytes so the value can sit inside a quoted SQL string.
function cleanIncomingData($idata)
{
    $cleaned = trim($idata);
    $cleaned = mysql_real_escape_string($cleaned);
    return $cleaned;
}
/*+++++++++++++++++++++++++++++++++++++*/
/*            Mod Ended                */
/*Mod By Twysted of Dynamic-Designz.com*/
/*+++++++++++++++++++++++++++++++++++++*/

Re: A way to protect against sql injection

Can anyone explain what the difference is with / without magic quotes?

Also, the function posted by stryker looks good; I use something similar, except I try to escape the quotes using addslashes() on the inputs.


Re: A way to protect against sql injection

So can anyone post the anti-SQL code that they use, instead of just bragging about it? I had never even thought about it until recently, when my game began suffering from these types of attacks, and I cannot protect against it, as I cannot find code that will prevent it.


Re: A way to protect against sql injection


So can anyone post the anti-SQL code that they use, instead of just bragging about it? I had never even thought about it until recently, when my game began suffering from these types of attacks, and I cannot protect against it, as I cannot find code that will prevent it.

Why don't you scroll up a bit in the topic and see that someone already posted a code example? Also, as mentioned, you can simply use addslashes() when you get the inputs; just do something like

$inputWhateva = addslashes($_GET['fieldname']);
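The thread compares three ways of handling a text field before it reaches SQL: the keyword blocklist in the first post, Twysted's cleanIncomingData() with mysql_real_escape_string(), and addslashes() with or without magic quotes. Here is the same "save a post" step done with a PDO prepared statement instead, as an added example that is not code from the thread or from any poster; it assumes the pdo_sqlite extension and uses a made-up posts table so it runs without a MySQL server.

```php
<?php
// Added example, not from the thread: bound parameters instead of a blocklist or addslashes().
// Assumes pdo_sqlite is available; the posts table and column names are made up.

// Undo magic_quotes_gpc (PHP < 5.4) so the value is escaped exactly once, by the driver.
// On later PHP the function is absent or always false, so the guard makes this a no-op.
function normalizeInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);   // e.g. O\'Brien back to O'Brien
    }
    return trim($value);
}

// Length check in the spirit of checkIncomingData() earlier in the thread.
function withinLength($value, $min, $max)
{
    $len = strlen($value);
    return $len >= $min && $len <= $max;
}

// Store the post with a bound parameter: the text travels as data and is never
// spliced into the SQL string, so quotes and SQL keywords in it cannot alter the query.
function savePost(PDO $db, $userId, $text)
{
    if (!withinLength($text, 1, 500)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (:uid, :body)');
    $stmt->execute(array(':uid' => (int) $userId, ':body' => $text));
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute(array(':id' => (int) $id));
    return $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

// Constructed input with everything the first post's blocklist would have mangled:
// single quotes, a period, and the words UPDATE and script.
$_POST['urpostinfo'] = "O'Brien's script didn't UPDATE. Fine.";
$id = savePost($db, 7, normalizeInput($_POST['urpostinfo']));
echo loadPost($db, $id), "\n";   // the body comes back exactly as typed
```

Because the driver sends the value separately from the statement, no word list is needed and the stored text is not altered; escaping is only relevant when a value is concatenated into the SQL string, which this code never does.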
