Anti sql injection PHP

I need some help with a "Anti Mysql Injection" script PHP

```php
<?php
// Blacklist filter posted by the OP: scans the requested URI for a list of
// words and characters and aborts the request when one of them is found.
// $adminmail, $sitename and $noreply are defined in config.inc.php (not shown).
$locatie = $_SERVER['REQUEST_URI'];
$array = array();
$array[] = "mysql";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "INSERT";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "DROP";
$array[] = "UPDATE";
$array[] = "COOKIE";
$array[] = "ENV";
$array[] = "FILES";
$array[] = "GET";
$array[] = "POST";
$array[] = "REQUEST";
$array[] = "SERVER";
foreach ($array as $foutbezig) {
    // Case-insensitive substring check. The original used eregi(), which was
    // removed in PHP 7 and treats ")" and "}" as malformed regular expressions;
    // stripos() does the plain word match the script intends.
    if (stripos($locatie, $foutbezig) !== false) {
        echo "Internet fout, ip adres doorgegeven aan domein houder.";
        mail($adminmail, "Mysql Injection",
             "Mysql Injection\nIP-Adres: " . $_SERVER['REMOTE_ADDR'],
             "From: $sitename <$noreply>");
        exit();
    }
}
?>
```
Comments
Crossfire 3.2 - A Scripting Community
why did this make me think of Pale?
Parent
looks like you have no idea what you're doing, as you don't even state WHAT it is you want help with.

also variable $locatie has not been set anywhere in the above script
True everything is in config.inc.php and you can't get that one.
Parent
I don't want it.
Parent
You can't get that one.
Parent
Good luck seeking help, you seem like you know what you're doing D:
Parent
Says the man with the triangle! Haha double triangle :PP
Parent
Hello? What is the problem?
And where is your problem now? xD
You know PHP?
Parent
Why not just use mysql_real_escape_string?
Parent
cuz i don't want to rebuild the admin login.
Parent
that's not a big thing.
Parent
I know, cuz I already rebuilt it.
A bug: with a code you can log in to the administration panel.
And I already tried it & the only thing I saw was PHP errors.
Parent
PHP errors? OK, but if you read the errors, there's the explanation and the lines. Just check and fix???
Parent
hahaha it took me 4 days to find every error.
If i fix 1 error i will get another one & etc.
So i deleted that shit.
Parent
What are you trying to achieve with that piece of code? What you are doing is not preventing MySQL injection, you are just checking strings for malicious words. If you want to prevent your SQL queries from being injected, just use the mysql_real_escape_string function, easy as that...
no.. just no. It's a start, but no.. just no.
Parent
Assuming he just skipped Google and asked this question here implies that mysql_real_escape_string will be sufficient for him.
Parent
"assumption is the mother of all fuck ups"

He (well, actually anyone that does queries to a database) should use parameterized queries. (prepared statements)

http://www.php.net/manual/en/pdo.prepared-statements.php
Parent
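The prepared-statement advice above, as an added example that is not code from the thread or the OP's site: the concatenating style of admin login that the thread complains about, beside a PDO version with a bound parameter and a hashed password. The table `admins`, the columns `username` and `password_hash`, and the DSN credentials are constructed placeholders.

```php
<?php
// Added example, not from the thread. Table/column names and the DSN
// credentials below are constructed placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Let the server prepare the statement instead of PDO
            // splicing values into the SQL text client-side.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The pattern the thread warns about: user input becomes part of the SQL
// text, so the input can alter the query's structure. A word blacklist like
// the OP's cannot fix this; it only filters some spellings of the problem.
function loginUnsafe(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM admins WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened: the SQL text is fixed and prepared first; the username travels
// separately as a bound value, so whatever it contains stays data. The
// password never touches the query; it is checked against a stored hash.
function loginSafe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM admins WHERE username = :username LIMIT 1'
    );
    $stmt->bindValue(':username', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_hash()/password_verify() (PHP >= 5.5) replace the plaintext
    // or md5 comparison that string-built logins usually carry.
    return password_verify($pass, $row['password_hash']);
}
```

Storing `password_hash($plain, PASSWORD_DEFAULT)` at account creation is the only other change the login needs; the query itself no longer cares what characters the username contains.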
maybe he should use some database abstraction library, or maybe he should take advantage of using rich PHP frameworks and follow MVC standards...
Parent
Using MVC standards has not much to do with preventing SQL injections. A database abstraction layer is an option, but hardly something he should be looking into seeing the kind of code he's doing atm. Just going for prepared statements is step 1 for him.
Parent
Why are you writing your own sql injection prevention script? (and the code btw is a quite strange way to check for sql injections)
I really doubt he wrote this
Parent
and why is that
Parent
Cool script bro
Just use some vulnerability scanner like Acunetix?
Who the fuck uses non-English variables in their code?
Me, cuz I'm Dutch*
Parent
He, obviously, because he cannot into English.
Parent
bad practice indeed.
Parent
if you are the only developer then surely it isn't of any real importance?

I sometimes use foreign-language file and variable names when writing stuff for myself; as long as I know what it means I doubt it matters.
Parent
Of course, most likely in his situation it doesn't matter. Doesn't change the fact that it's still bad practice which you shouldn't get used to. You never know where a piece of code might end up and what nationalities will end up working with it.
Parent
You mean like this guy just did?
The programming language is in English, hence the variables should also be in English. End of discussion :)
Parent
I hate bad practicers!
Parent