Help with Anti-SQL

Printable View

Jul 31st, 2007, 02:36 PM
Gunner54

Help with Anti-SQL

well as you can see im trying to test my anti-sql injector

Code:

<FORM METHOD=POST ACTION="Inject.php"> <CENTER><INPUT NAME="IJz" TYPE="text"></CENTER> <CENTER><INPUT VALUE="Anti-Inject" TYPE="submit"></CENTER> </FORM> <?php if ($_GET['$submit']){ $Test = AntiInject($_POST['IJz']); echo '$test'; } //Anti-Injection function AntiInject($sql){ $sql = str_replace("SELECT", "", $sql); return $sql; } ?>

everything seems to go wrong... I type SQL Injection text into the box, press Submit and i want it to echo the results after going through AntiInject(); im just using the word SELECT to see if it works.

any help?
Jul 31st, 2007, 02:44 PM
dclamp

Re: Help with Anti-SQL

well what echos out? Try putting some other text in it.
Jul 31st, 2007, 02:45 PM
Gunner54

Re: Help with Anti-SQL

what do you mean? can you show me on my code? I only started PHP a few days ago... im more of a... C++ guy..

i dont even think it runs this...

Code:

if ($_GET['$submit']){ $Test = AntiInject($_POST['IJz']); echo '$test'; }

what could i put as the if?
Jul 31st, 2007, 02:54 PM
dclamp

Re: Help with Anti-SQL
here, i tested this on my server. There was a couple of problems:
- You used $_GET instead of $_POST
- You had a variable in single quotes
- variable capitalization problem (Test vs. test)
- You had $_GET[$submit']
PHP Code:

<FORM METHOD=POST ACTION="test1.php"> <CENTER><INPUT NAME="IJz" TYPE="text"></CENTER> <CENTER><INPUT VALUE="Anti-Inject" name="submit" TYPE="submit"></CENTER> </FORM> <?php if ($_POST['submit']){ $test = AntiInject($_POST['IJz']); echo $test; } //Anti-Injection function AntiInject($sql){ $sql = str_ireplace("select", "", $sql); return $sql; } ?>
Aug 1st, 2007, 11:57 AM
superbovine

Re: Help with Anti-SQL

Quote:

Originally Posted by Gunner54

what do you mean? can you show me on my code? I only started PHP a few days ago... im more of a... C++ guy..

i dont even think it runs this...

Code:

if ($_GET['$submit']){ $Test = AntiInject($_POST['IJz']); echo '$test'; }

what could i put as the if?

Code:

echo '$test';

is similar to:

Code:

string strVar = "test"; cout << "strVar" << endl; //will print "strVar" cout << strVar << endl; //will print "test"
Aug 2nd, 2007, 12:55 AM
penagate

Re: Help with Anti-SQL

This is a needlessly complex way of trying to prevent SQL injection. You should ideally use a data access library, such as PDO or mysqli, which supports parameterised statements. These avoid any chance of injection when used properly.
Aug 2nd, 2007, 12:59 AM
dclamp

Re: Help with Anti-SQL

nice touch at the end "when used properly" ;)

I want to continue with my site properly, can you show my mysqli or pdo?
Aug 2nd, 2007, 01:02 AM
dclamp

Re: Help with Anti-SQL

I looked on php.net, and mysqli looks exactly like mysql syntax, just with the "i" appended to the end. if most of all the syntax is the same, then i can just go through and add the i to the end.

is this true pena?
Aug 2nd, 2007, 01:12 AM
penagate

Re: Help with Anti-SQL

No, you should use prepared statements.

http://php.net/manual/en/function.mysqli-stmt-prepare

Also, the object-oriented syntax is preferable, although not necessary.
Aug 2nd, 2007, 01:22 AM
dclamp

Re: Help with Anti-SQL

that looks alot harder then it should be. Do you personally use that? I am not sure if i want to convert every thing to prepared statements
Aug 2nd, 2007, 05:41 AM
RudiVisser

Re: Help with Anti-SQL

Don't forget to

PHP Code:

mysql_real_escape_string()

too, just an extra security layer.
Aug 2nd, 2007, 05:43 AM
penagate

Re: Help with Anti-SQL

But don't do that if using parameters.
Aug 2nd, 2007, 05:04 PM
visualAd

Re: Help with Anti-SQL

Quote:

Originally Posted by dclamp

that looks alot harder then it should be. Do you personally use that? I am not sure if i want to convert every thing to prepared statements

It's actually a lot easier.