mysql attack, prevention

sunnydiv · Mar 11, 2005

i made this following code, to hope it will protect from mysql injection
tell me if u find a bug or something

function remove_bad($value)
{
$value = addslashes($value);
$value = strip_tags($value);

echo ereg_replace("select", "nselectn", $value);
echo ereg_replace("delete", "ndeleten", $value);
echo ereg_replace("drop", "ndropn", $value);
echo ereg_replace("update", "nupdaten", $value);
echo ereg_replace("where", "nwheren", $value);

return $value;
}

reverse. hopefully you know, how this is going to work

function add_bad($value)
{
echo ereg_replace("nselectn", "select", $value);
echo ereg_replace("ndeleten", "delete", $value);
echo ereg_replace("ndropn", "drop", $value);
echo ereg_replace("nupdaten", "update", $value);
echo ereg_replace("nwheren", "where", $value);
$value = stripslashes($value);

return $value;
}

source, mysite *www.rokda.info/forum/sutra14.html#14

h4xbox · Mar 11, 2005

Are u sure you made the code by yourself ??
I think i saw it in packetstorm

sunnydiv · Mar 11, 2005

what dude

lame

i made it dude, there is nothing in it

i doubt they used the same technique

there r many many combinations one can use

h4xbox · Mar 12, 2005

I dunno anything abt hacking / scripts

... You are genius :twisted:

ngcoders · Mar 12, 2005

hmm

Try this

I made this as someone had reported XSS vurnebilities in my S/w . This will strip everything and will not also allow incorrect entries though the forms ( more of a quick fix ) . Youll have to decode appropiately while displaying .

Code:

<?php
/*This will strip html from every variable unless it contains the word text ( introtext ) */
/* also this will conver all ' and " into text due to problems with sqlite and others */

function dbencode($str)
	{
	$str = addslashes($str);
	$str = str_replace(array("\r","\n","\\","'","\""),array("[CR]","[NL]","[ES]","[SQ]","[DQ]"), $str);
	return $str;
	}
	
function dbdecode($str)
	{
	$str = str_replace(array("[CR]","[NL]","[ES]","[SQ]","[DQ]"),array("\r","\n","\\","'","\""), $str);
	return stripslashes($str);
	}
	
function check_var($var,$val)
{
if(!defined( "_VALID_LM_ADMIN") && !strstr($var,'text'))
{
$val=utf8_decode($val);
$val=strip_tags($val);
}
if(is_array($val))return $val;
return dbencode($val);
}

foreach($_POST as $postvar => $postval){ ${$postvar} = check_var($postvar,$postval); }
foreach($_GET as $getvar => $getval){ ${$getvar} = check_var($getvar,$getval); }

?>

mysql attack, prevention

sunnydiv

Guest

h4xbox

Journeyman

sunnydiv

Guest

h4xbox

Journeyman

ngcoders

Broken In