Help with Anti-SQL

[Gunner54]

well as you can see im trying to test my anti-sql injector

Code:

<FORM METHOD=POST ACTION="Inject.php">
<CENTER><INPUT NAME="IJz" TYPE="text"></CENTER>
<CENTER><INPUT VALUE="Anti-Inject" TYPE="submit"></CENTER>
</FORM>

<?php
if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

//Anti-Injection
function AntiInject($sql){
$sql = str_replace("SELECT", "", $sql);
return $sql;
}
?>

everything seems to go wrong... I type SQL Injection text into the box, press Submit and i want it to echo the results after going through AntiInject(); im just using the word SELECT to see if it works.

any help?

[dclamp]

well what echos out? Try putting some other text in it.

[Gunner54]

what do you mean? can you show me on my code? I only started PHP a few days ago... im more of a... C++ guy..

i dont even think it runs this...

Code:

if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

what could i put as the if?

[dclamp]

here, i tested this on my server. There was a couple of problems:

• You used $_GET instead of $_POST
• You had a variable in single quotes
• variable capitalization problem (Test vs. test)
• You had $_GET[$submit']

PHP Code:

<FORM METHOD=POST ACTION="test1.php">
<CENTER><INPUT NAME="IJz" TYPE="text"></CENTER>
<CENTER><INPUT VALUE="Anti-Inject" name="submit" TYPE="submit"></CENTER>
</FORM>

<?php
if ($_POST['submit']){
    $test = AntiInject($_POST['IJz']);
    echo $test;
}

//Anti-Injection
function AntiInject($sql){
    $sql = str_ireplace("select", "", $sql);
    return $sql;
}
?>

[superbovine]

what do you mean? can you show me on my code? I only started PHP a few days ago... im more of a... C++ guy..

i dont even think it runs this...

Code:

if ($_GET['$submit']){
$Test = AntiInject($_POST['IJz']);
echo '$test';
}

what could i put as the if?

Code:

echo '$test';

is similar to:

Code:

string strVar = "test";

cout << "strVar" << endl; //will print "strVar"
cout << strVar << endl; //will print "test"

[penagate]

This is a needlessly complex way of trying to prevent SQL injection. You should ideally use a data access library, such as PDO or mysqli, which supports parameterised statements. These avoid any chance of injection when used properly.

[dclamp]

nice touch at the end "when used properly"

I want to continue with my site properly, can you show my mysqli or pdo?

[dclamp]

I looked on php.net, and mysqli looks exactly like mysql syntax, just with the "i" appended to the end. if most of all the syntax is the same, then i can just go through and add the i to the end.

is this true pena?

[penagate]

No, you should use prepared statements.

http://php.net/manual/en/function.mysqli-stmt-prepare

Also, the object-oriented syntax is preferable, although not necessary.

[dclamp]

that looks alot harder then it should be. Do you personally use that? I am not sure if i want to convert every thing to prepared statements

[RudiVisser]

Don't forget to

PHP Code:

mysql_real_escape_string() 


too, just an extra security layer.

[penagate]

But don't do that if using parameters.

[visualAd]

that looks alot harder then it should be. Do you personally use that? I am not sure if i want to convert every thing to prepared statements

It's actually a lot easier.