  1. #1
    Join Date
    Aug 2010
    Posts
    2

    Unanswered: [Request] Anti SQL Injection script

    Requesting an anti-SQL-injection script that can be used both on Windows (PHP and MSSQL) and on Linux (PHP and MySQL).

    Using XAMPP.

    I have been told that anti-SQL scripts are inserted in the file config.php, since all PHP requests pass through config.php.

    But how do I secure this config.php? I've been using different anti-SQL scripts but it's still the same: getting hacked through SQL injection.

    Database wipe-out, SQL server shutdown. I encountered both.

    Currently, this is the contents of my config.php (under Windows):

    Code:
    <?php
    
    // Replaces ; ' % and " in every GET, POST and COOKIE value and appends a
    // log entry for each value that was altered.
    $ip = $_SERVER['REMOTE_ADDR'];
    $time = date("l dS of F Y h:i:s A");
    $script = $_SERVER['PATH_TRANSLATED'];   // was an unquoted constant; PHP warns and falls back to the string
    $fp = fopen ("D:/RANSERVER/[WEB]SQL_Injection.txt", "a+");
    
    $sql_inject_1 = array(";","'","%",'"'); # characters to replace
    $sql_inject_2 = array("", "","","&quot;"); # their replacements
    $GET_KEY = array_keys($_GET); #array keys from $_GET
    $POST_KEY = array_keys($_POST); #array keys from $_POST
    $COOKIE_KEY = array_keys($_COOKIE); #array keys from $_COOKIE
    /*begin clear $_GET */
    for($i=0;$i<count($GET_KEY);$i++)
    {
    $real_get[$i] = $_GET[$GET_KEY[$i]];
    $_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_GET[$GET_KEY[$i]]));
      if($real_get[$i] != $_GET[$GET_KEY[$i]])
      {
      fwrite ($fp, "IP: $ip\r\n");
      fwrite ($fp, "Method: GET\r\n");
      fwrite ($fp, "Value: $real_get[$i]\r\n");
      fwrite ($fp, "Script: $script\r\n");
      fwrite ($fp, "Time: $time\r\n");
      fwrite ($fp, "==================================\r\n");
      }
    }
    /*end clear $_GET */
    /*begin clear $_POST */
    for($i=0;$i<count($POST_KEY);$i++)
    {
    $real_post[$i] = $_POST[$POST_KEY[$i]];
    $_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_POST[$POST_KEY[$i]]));
      if($real_post[$i] != $_POST[$POST_KEY[$i]])
      {
      fwrite ($fp, "IP: $ip\r\n");
      fwrite ($fp, "Method: POST\r\n");
      fwrite ($fp, "Value: $real_post[$i]\r\n");
      fwrite ($fp, "Script: $script\r\n");
      fwrite ($fp, "Time: $time\r\n");
      fwrite ($fp, "==================================\r\n");
      }
    }
    /*end clear $_POST */
    /*begin clear $_COOKIE */
    for($i=0;$i<count($COOKIE_KEY);$i++)
    {
    $real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
    $_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, htmlspecialchars($_COOKIE[$COOKIE_KEY[$i]]));
      if($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]])
      {
      fwrite ($fp, "IP: $ip\r\n");
      fwrite ($fp, "Method: COOKIE\r\n");
      fwrite ($fp, "Value: $real_cookie[$i]\r\n");
      fwrite ($fp, "Script: $script\r\n");
      fwrite ($fp, "Time: $time\r\n");
      fwrite ($fp, "==================================\r\n");
      }
    }
    
    /*end clear $_COOKIE */
    fclose ($fp);
    
    $CONFIG['servername'] = "MOdified";             //Web Name
    $CONFIG['dbaddress'] = "Modified\SQLEXPRESS";   //DB IP
    $CONFIG['dbuser'] = "*************";            //DB ID
    $CONFIG['dbpass'] = "********************";     //DB PASS
    $CONFIG['dbdbname'] = "RanUser";
    $CONFIG['dbdbname1'] = "RanGame1";
    $CONFIG['dbdbname2'] = "RanShop";
    $CONFIG['registration'] = "1";
    $CONFIG['maxaccounts'] = "0";
    $CONFIG['maxemail'] = "1";
    $CONFIG['email'] = "0";
    $CONFIG['emailaddress'] = "";
    $CONFIG['emailsmtp'] = "";
    $CONFIG['emailuser'] = "";
    $CONFIG['emailpass'] = "";
    ?>
    Others using this script also reported they're getting injected. Same as mine: database wipe-out, then SQL server shutdown.

    I need an improved anti-SQL-injection script, or another way to avoid SQL injection.

  2. #2
    Join Date
    May 2008
    Posts
    277
    I've never understood why this is always such a problem. You essentially have two options:

    1) You're expecting a string, in which case you must escape the input:

    PHP Code:
    $db  = mysqli_connect();   // connection details left out by the poster
    $val = mysqli_escape_string($db, $_GET['val']);   // escape for this connection's charset
    $sql = "select * from my_table where some_column = '$val'";
    2) You're expecting a numeric value, in which case you must cast the input to the appropriate type:

    PHP Code:
    $val = (int)$_GET['val'];   // anything that is not an integer is discarded
    $sql = "select * from my_table where some_column = $val";
    It's pretty trivial to write a function to make this a little easier (and if you're using prepared statements, a function already exists), but you must always, explicitly sanitize user input in your code. No "anti-injection" script will magically handle this for you.
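    As an added example, not code from the thread, this is the kind of helper the reply alludes to: each `:name` placeholder is declared with the type the query expects, strings go through `mysqli_real_escape_string()` and integers are cast. Connection details, table and column names are assumed placeholders.

    ```php
    <?php
    // Added example (not from the thread): the small helper futurity says is
    // trivial to write. Each :name placeholder is declared with the type the
    // query expects; strings are escaped for the connection, integers are cast.
    // Connection details, table and column names below are assumed.

    function build_query(mysqli $db, string $template, array $params): string
    {
        // Replace every :name exactly once. A placeholder with no declared value
        // is an error, so a typo can never leave raw request data in the SQL.
        // The template itself must not contain ':' inside string literals.
        return preg_replace_callback('/:(\w+)/', function (array $m) use ($db, $params) {
            $name = $m[1];
            if (!isset($params[$name])) {
                throw new InvalidArgumentException("no value declared for :$name");
            }
            [$type, $value] = $params[$name];
            if (is_array($value)) {   // e.g. ?val[]=1 was sent instead of ?val=1
                throw new InvalidArgumentException("scalar expected for :$name");
            }
            switch ($type) {
                case 'int':
                    return (string)(int)$value;   // anything non-numeric is dropped
                case 'str':
                    // Escaping is only correct for the charset the connection uses,
                    // which is why mysqli_set_charset() is called after connecting.
                    return "'" . mysqli_real_escape_string($db, (string)$value) . "'";
            }
            throw new InvalidArgumentException("unknown type '$type' for :$name");
        }, $template);
    }

    $db = mysqli_connect('localhost', 'db_user', 'db_password', 'my_db'); // placeholders
    mysqli_set_charset($db, 'utf8mb4');

    $sql = build_query(
        $db,
        'SELECT * FROM my_table WHERE name = :name AND level >= :level',
        [
            'name'  => ['str', $_GET['name']  ?? ''],
            'level' => ['int', $_GET['level'] ?? 0],
        ]
    );
    $result = mysqli_query($db, $sql);
    ```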

  3. #3
    Join Date
    Aug 2010
    Posts
    2
    Thanks, futurity.

    But does mysqli_escape_string work with PHP + MSSQL? I'm referring to MSSQL and not MySQL. I don't know the equivalent function for that in MS SQL.

  4. #4
    Join Date
    May 2008
    Posts
    277
    SQL Server appears to offer parameterized queries. This pretty much eliminates the need for a dedicated escape function.

    PHP Code:
    $sql    = "select * from my_table where some_column = ?";
    $params = array($_GET['val']);   // bound to the ? placeholder, never spliced into the SQL text

    // sqlsrv_connect() needs a server name and normally an array of connection
    // options (Database, UID, PWD); the poster left these out.
    $db   = sqlsrv_connect($serverName, $connectionInfo);
    $stmt = sqlsrv_query($db, $sql, $params);
    Last edited by futurity; 08-25-10 at 14:43.

  5. #5
    Join Date
    Nov 2010
    Posts
    25
    You may also use PDO (PHP: Introduction - Manual). It can be used with various DBMSs and offers so-called 'prepared statements'. With prepared statements you can be sure that no SQL injection will occur.
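    As an added example, not code from the thread, this is one config.php-style database layer that covers both setups the original post asks about (PHP + MSSQL on Windows, PHP + MySQL on Linux) with the prepared statements the last two replies recommend; the `$CONFIG` values, table and column names are assumed placeholders.

    ```php
    <?php
    // Added example (not from the thread): one database layer for both
    // PHP + MSSQL on Windows and PHP + MySQL on Linux, selecting the PDO DSN
    // from a driver name. $CONFIG values, table and column names are assumed.

    $CONFIG = [
        'driver'    => 'sqlsrv',                // 'sqlsrv' on Windows, 'mysql' on Linux
        'dbaddress' => 'localhost\\SQLEXPRESS', // or the MySQL host on Linux
        'dbuser'    => 'db_user',               // placeholder
        'dbpass'    => 'db_password',           // placeholder
        'dbdbname'  => 'RanUser',
    ];

    function db_connect(array $cfg): PDO
    {
        $options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]; // failures cannot go unnoticed
        if ($cfg['driver'] === 'sqlsrv') {
            $dsn = "sqlsrv:Server={$cfg['dbaddress']};Database={$cfg['dbdbname']}";
        } else {
            $dsn = "mysql:host={$cfg['dbaddress']};dbname={$cfg['dbdbname']};charset=utf8mb4";
            // Real server-side prepares instead of client-side quoting.
            $options[PDO::ATTR_EMULATE_PREPARES] = false;
        }
        return new PDO($dsn, $cfg['dbuser'], $cfg['dbpass'], $options);
    }

    function find_account(PDO $db, string $name): ?array
    {
        // The statement text is fixed and sent first; $name travels separately as
        // data, so quotes, semicolons or comment markers in it are never parsed as SQL.
        $stmt = $db->prepare('SELECT id, name FROM accounts WHERE name = :name');
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    $db      = db_connect($CONFIG);
    $account = find_account($db, $_GET['name'] ?? '');
    ```

    The same two functions serve both drivers; only the DSN line differs between the Windows and Linux deployments.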
