requesting for an anti-sql injection script that can be used both on windows(php and mssql) and in linux (php and mysql).
using xampp.
i have been told that anti sql scripts are inserted in the file config.php since all php request pass thru config.php
but, how do i secure this config.php? i've been using different anti sql scripts but still the same, getting hacked thru sql injection.
database wipe out, sql server shutdown. i encountered both.
currently, this is the contents of my config.php(under windows)
Code:
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$time = date("l dS of F Y h:i:s A");
$script = $_SERVER[PATH_TRANSLATED];
$fp = fopen ("D:/RANSERVER/[WEB]SQL_Injection.txt", "a+");
$sql_inject_1 = array(";","'","%",'"'); #Whoth need replace
$sql_inject_2 = array("", "","","""); #To wont replace
$GET_KEY = array_keys($_GET); #array keys from $_GET
$POST_KEY = array_keys($_POST); #array keys from $_POST
$COOKIE_KEY = array_keys($_COOKIE); #array keys from $_COOKIE
/*begin clear $_GET */
for($i=0;$i<count($GET_KEY);$i++)
{
$real_get[$i] = $_GET[$GET_KEY[$i]];
$_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_GET[$GET_KEY[$i]]));
if($real_get[$i] != $_GET[$GET_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: GET\r\n");
fwrite ($fp, "Value: $real_get[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}
/*end clear $_GET */
/*begin clear $_POST */
for($i=0;$i<count($POST_KEY);$i++)
{
$real_post[$i] = $_POST[$POST_KEY[$i]];
$_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_POST[$POST_KEY[$i]]));
if($real_post[$i] != $_POST[$POST_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: POST\r\n");
fwrite ($fp, "Value: $real_post[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}
/*end clear $_POST */
/*begin clear $_COOKIE */
for($i=0;$i<count($COOKIE_KEY);$i++)
{
$real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
$_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_COOKIE[$COOKIE_KEY[$i]]));
if($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: COOKIE\r\n");
fwrite ($fp, "Value: $real_cookie[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}
/*end clear $_COOKIE */
fclose ($fp);
$CONFIG['servername'] = "MOdified"; //Web Name
$CONFIG['dbaddress'] = "Modified\SQLEXPRESS"; //DB IP
$CONFIG['dbuser'] = "*************"; //DB ID
$CONFIG['dbpass'] = "********************"; //DB PASS
$CONFIG['dbdbname'] = "RanUser";
$CONFIG['dbdbname1'] = "RanGame1";
$CONFIG['dbdbname2'] = "RanShop";
$CONFIG['registration'] = "1";
$CONFIG['maxaccounts'] = "0";
$CONFIG['maxemail'] = "1";
$CONFIG['email'] = "0";
$CONFIG['emailaddress'] = "";
$CONFIG['emailsmtp'] = "";
$CONFIG['emailuser'] = "";
$CONFIG['emailpass'] = "";
?>
others using this script also reported they're getting injected. same as mine, database wipeout, then sql server shutdown.
Need an improved anti sql injection script. or another way to avoid sql injection.
dBforums
>
[Request]Anti SQL Injection script
08-23-10, 23:22
Linear Mode
