Help with Anti-SQL


Gunner54
Jul 31st, 2007, 02:36 PM
Well, as you can see, I'm trying to test my anti-SQL injector.

<FORM METHOD=POST ACTION="Inject.php">
<CENTER><INPUT NAME="IJz" TYPE="text"></CENTER>
<CENTER><INPUT VALUE="Anti-Inject" TYPE="submit"></CENTER>
</FORM>

<?php
if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

//Anti-Injection
function AntiInject($sql){
$sql = str_replace("SELECT", "", $sql);
return $sql;
}
?>

Everything seems to go wrong... I type SQL injection text into the box, press Submit and I want it to echo the results after going through AntiInject(); I'm just using the word SELECT to see if it works.

any help?

dclamp
Jul 31st, 2007, 02:44 PM
Well, what echoes out? Try putting some other text in it.

Gunner54
Jul 31st, 2007, 02:45 PM
What do you mean? Can you show me on my code? I only started PHP a few days ago... I'm more of a... C++ guy..

I don't even think it runs this...

if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

What could I put as the if?

dclamp
Jul 31st, 2007, 02:54 PM
Here, I tested this on my server. There were a couple of problems:

You used $_GET instead of $_POST
You had a variable in single quotes
Variable capitalization problem (Test vs. test)
You had $_GET['$submit']

<FORM METHOD=POST ACTION="test1.php">
<CENTER><INPUT NAME="IJz" TYPE="text"></CENTER>
<CENTER><INPUT VALUE="Anti-Inject" name="submit" TYPE="submit"></CENTER>
</FORM>

<?php
if (isset($_POST['submit'])){ // only run the filter when the form was actually submitted
$test = AntiInject($_POST['IJz']);
echo $test;
}

//Anti-Injection
function AntiInject($sql){
$sql = str_ireplace("select", "", $sql);
return $sql;
}
?>

superbovine
Aug 1st, 2007, 11:57 AM
What do you mean? Can you show me on my code? I only started PHP a few days ago... I'm more of a... C++ guy..

I don't even think it runs this...

if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

What could I put as the if?

echo '$test';

is similar to:

#include <iostream>
#include <string>
using namespace std;
int main() {
    string strVar = "test";
    cout << "strVar" << endl; //will print "strVar"
    cout << strVar << endl; //will print "test"
}

penagate
Aug 2nd, 2007, 12:55 AM
This is a needlessly complex way of trying to prevent SQL injection. You should ideally use a data access library, such as PDO or mysqli, which supports parameterised statements. These avoid any chance of injection when used properly.

dclamp
Aug 2nd, 2007, 12:59 AM
nice touch at the end "when used properly" ;)

I want to continue with my site properly, can you show me mysqli or PDO?

dclamp
Aug 2nd, 2007, 01:02 AM
I looked on php.net, and mysqli looks exactly like mysql syntax, just with the "i" appended to the end. If most of the syntax is the same, then I can just go through and add the i to the end.

Is this true, pena?

penagate
Aug 2nd, 2007, 01:12 AM
No, you should use prepared statements.

http://php.net/manual/en/function.mysqli-stmt-prepare

Also, the object-oriented syntax is preferable, although not necessary.

dclamp
Aug 2nd, 2007, 01:22 AM
That looks a lot harder than it should be. Do you personally use that? I am not sure if I want to convert everything to prepared statements.

RudiVisser
Aug 2nd, 2007, 05:41 AM
Don't forget to mysql_real_escape_string() too, just an extra security layer.

penagate
Aug 2nd, 2007, 05:43 AM
But don't do that if using parameters.

visualAd
Aug 2nd, 2007, 05:04 PM
That looks a lot harder than it should be. Do you personally use that? I am not sure if I want to convert everything to prepared statements.
It's actually a lot easier.
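What penagate's link describes and visualAd's reply refers to, as an added example that is not code from anyone in this thread: the IJz form from above handled with a mysqli prepared statement (object-oriented syntax) instead of the AntiInject() word filter. The database name, credentials and the users table with id and username columns are assumed.

```php
<?php
// Added example, not from the thread: look up the submitted name with a
// mysqli prepared statement. Host, credentials, database and the `users`
// table are assumptions for illustration.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findUserByName(mysqli $db, string $name): ?array
{
    // The SQL text is fixed at prepare time. The user-supplied value is
    // sent separately as a bound parameter, so whatever the user types
    // (SELECT, quotes, comments) is treated as data, never as SQL.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['IJz'])) {
    // Assumed connection details.
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydb');
    $db->set_charset('utf8mb4');

    $user = findUserByName($db, $_POST['IJz']);

    // The same input is untrusted HTML as well as untrusted SQL, so
    // escape it on the way out too.
    echo $user
        ? htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8')
        : 'no such user';
}
```

No escaping of the value is needed for the query itself; as penagate notes, mysql_real_escape_string() is not used when parameters are bound.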