mysql attack, prevention

11-03-2005, 05:29 PM

i made this following code, to hope it will protect from mysql injection
tell me if u find a bug or something

function remove_bad($value)
{
$value = addslashes($value);
$value = strip_tags($value);

echo ereg_replace("select", "nselectn", $value);
echo ereg_replace("delete", "ndeleten", $value);
echo ereg_replace("drop", "ndropn", $value);
echo ereg_replace("update", "nupdaten", $value);
echo ereg_replace("where", "nwheren", $value);

return $value;
}

reverse. hopefully you know, how this is going to work

function add_bad($value)
{
echo ereg_replace("nselectn", "select", $value);
echo ereg_replace("ndeleten", "delete", $value);
echo ereg_replace("ndropn", "drop", $value);
echo ereg_replace("nupdaten", "update", $value);
echo ereg_replace("nwheren", "where", $value);
$value = stripslashes($value);

return $value;
}

source, mysite http://www.rokda.info/forum/sutra14.html#14

h4xbox · 11-03-2005, 08:23 PM

Are u sure you made the code by yourself ??
I think i saw it in packetstorm

11-03-2005, 09:59 PM

what dude

lame

i made it dude, there is nothing in it

i doubt they used the same technique

there r many many combinations one can use

h4xbox · 12-03-2005, 09:38 AM

I dunno anything abt hacking / scripts

... You are genius

ngcoders · 12-03-2005, 11:47 AM

Try this

I made this as someone had reported XSS vurnebilities in my S/w . This will strip everything and will not also allow incorrect entries though the forms ( more of a quick fix ) . Youll have to decode appropiately while displaying .

Code:

<?php
/*This will strip html from every variable unless it contains the word text ( introtext ) */
/* also this will conver all ' and " into text due to problems with sqlite and others */

function dbencode($str)
	{
	$str = addslashes($str);
	$str = str_replace(array("\r","\n","\\","'","\""),array("[CR]","[NL]","[ES]","[SQ]","[DQ]"), $str);
	return $str;
	}
	
function dbdecode($str)
	{
	$str = str_replace(array("[CR]","[NL]","[ES]","[SQ]","[DQ]"),array("\r","\n","\\","'","\""), $str);
	return stripslashes($str);
	}
	
function check_var($var,$val)
{
if(!defined( "_VALID_LM_ADMIN") && !strstr($var,'text'))
{
$val=utf8_decode($val);
$val=strip_tags($val);
}
if(is_array($val))return $val;
return dbencode($val);
}

foreach($_POST as $postvar => $postval){ ${$postvar} = check_var($postvar,$postval); }
foreach($_GET as $getvar => $getval){ ${$getvar} = check_var($getvar,$getval); }

?>

11-03-2005, 05:29 PM	#1 (permalink)
sunnydiv Guest Posts: n/a	mysql attack, prevention i made this following code, to hope it will protect from mysql injection tell me if u find a bug or something function remove_bad($value) { $value = addslashes($value); $value = strip_tags($value); echo ereg_replace("select", "nselectn", $value); echo ereg_replace("delete", "ndeleten", $value); echo ereg_replace("drop", "ndropn", $value); echo ereg_replace("update", "nupdaten", $value); echo ereg_replace("where", "nwheren", $value); return $value; } reverse. hopefully you know, how this is going to work function add_bad($value) { echo ereg_replace("nselectn", "select", $value); echo ereg_replace("ndeleten", "delete", $value); echo ereg_replace("ndropn", "drop", $value); echo ereg_replace("nupdaten", "update", $value); echo ereg_replace("nwheren", "where", $value); $value = stripslashes($value); return $value; } source, mysite http://www.rokda.info/forum/sutra14.html#14

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Popular Categories

Popular Articles

Content Categories

Sister Sites

Follow Us

Facebook Channels

Digit Magazine

	Advertisements. Register and be a member of the community to get rid of them.
Advertisement

11-03-2005, 08:23 PM	#2 (permalink)
h4xbox In The Zone Join Date: Feb 2005 Location: Anonymous Posts: 204	Are u sure you made the code by yourself ?? I think i saw it in packetstorm

11-03-2005, 09:59 PM	#3 (permalink)
sunnydiv Guest Posts: n/a	what dude lame i made it dude, there is nothing in it i doubt they used the same technique there r many many combinations one can use

12-03-2005, 09:38 AM	#4 (permalink)
h4xbox In The Zone Join Date: Feb 2005 Location: Anonymous Posts: 204	I dunno anything abt hacking / scripts ... You are genius