I was wondering about tips on the best way to set up your PHP site, if you had a game, to make it so SQL injection didn't work on your game.
You can make your own checking function to strip strange characters and quotation marks, but you might as well use the excellent PEAR DB functions for just that issue. And Trap17 has PEAR installed, so you don't have to worry about that either.
Just use the prepare() and execute() functions like so:
CODE
<?php
// <things you want to do here>
require_once("PEAR.php");
require_once("DB.php");
PEAR::setErrorHandling(PEAR_ERROR_DIE, "Aaaaargh! Error: %s");
$conn = DB::connect("mysql://username:password@localhost/databasename");
// the SQL text is fixed here; the ? placeholders are filled in by execute()
$preparedstatement = $conn->prepare('INSERT INTO tablename (field1, field2, field3, field4) VALUES (?, ?, ?, ?)');
$data = array($variable1, $variable2, $variable3, $variable4);
$conn->execute($preparedstatement, $data);
You will obviously have to change usernames/passwords/db name and set the variables and change table and field names to whatever you are using. And if it's a guestbook or forum-like thing you might want to do something like:
CODE
$variable = htmlspecialchars($_POST['variable'], ENT_QUOTES);
to set HTML entities. PEAR is a bunch of PHP packages with all sorts of handy functions. You can get more info about PEAR at pear.php.net and more about the PEAR DB package and how to use it here.
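The prepare/execute pattern in the post above is the right idea. What follows is an added example, not code from the post and not PEAR DB (which has long been unmaintained): the same pattern with PHP's built-in PDO, run against an in-memory SQLite database so it needs no server, with the string-concatenation version it replaces beside it so the bypass and the fix can be compared on the same input. It assumes the pdo_sqlite extension is loaded; the table, columns and rows are constructed for the demo.

```php
<?php
// Added example (not from the original post): parameterised queries with PDO.
// Requires the pdo_sqlite extension. Table and rows below are constructed data.

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT, pass TEXT)');
    // Constructed sample rows; a real site stores password hashes, never plaintext.
    $pdo->exec("INSERT INTO users VALUES ('admin', 'correct horse'), ('bob', 'hunter2')");
    return $pdo;
}

// Vulnerable: user input is pasted straight into the SQL text, so a quote in
// the input ends the string literal and the rest becomes SQL.
function login_unsafe(PDO $pdo, string $name, string $pass): ?string {
    $sql = "SELECT name FROM users WHERE name = '$name' AND pass = '$pass'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Hardened: the SQL text is fixed at prepare() time and the values travel
// separately, so quotes and comment markers in the input are only data.
function login_safe(PDO $pdo, string $name, string $pass): ?string {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$name, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

$pdo = make_db();
// Constructed payload: closes the quoted name, then "--" comments out the
// password comparison for the rest of the line.
$payload = "admin' --";

// Unsafe version: the password check is commented away, so the admin row comes back.
var_dump(login_unsafe($pdo, $payload, 'wrong'));
// Safe version: the same bytes are looked up as a literal username and match nothing.
var_dump(login_safe($pdo, $payload, 'wrong'));
// Safe version still works for a legitimate login.
var_dump(login_safe($pdo, 'bob', 'hunter2'));
```

Run it with `php file.php`. Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than escaped client-side by the driver. The `htmlspecialchars()` call from the post belongs at output time and guards against HTML injection, not SQL injection; the two are separate problems.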
SQL Injection occurs via an input form (like a login), where the form accepts special characters (like !@#$%^ etc..). One of the easiest/best ways to prevent such a compromise is to disallow any special characters and force users to only use alphanumeric values when supplying input via a web-form (abc...123...).
Even spaces should be considered invalid, since SQL injection involves the use of an SQL statement containing spaces to separate keywords (select * from [table]). Also, you should use a URL decoding method before validating the input; that way a %20 would get converted to a space and filtered out (as well as any other invalid encoded characters). Doing that should thwart about 95% (if not 100%) of any SQL injection techniques...
Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions through without any kind of "preparation", or it will be easy to manipulate the database. Be careful.
QUOTE(FaLgoR @ Jun 14 2005, 01:11 AM) Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions through without any kind of "preparation", or it will be easy to manipulate the database. Be careful.
Is there a function in PHP which will only accept alphabet letters and numbers?
What I do is create an array of characters that I allow (Letters, numbers, spaces and/or underscores). Then I replace all those with "", and if there's still stuff in the string (if($str != "")) then I kill the script and prompt for a new string.
PHP to allow only letters/numbers:
CODE
function isAlphaNumeric( $szInput ) {
    // the + is required: without it the pattern only matches a single character
    return (bool) preg_match( '/^[a-zA-Z0-9]+$/', $szInput );
}
// usage:
if( isAlphaNumeric( 'mystring123' ) ) {
    // valid
} else {
    // invalid
}
I hope that helps!

CODE
function is_alphanum($str) {
    if(ctype_alnum($str)) {
        return true;
    } else {
        return false;
    }
}
Then you just do something like
CODE
if(is_alphanum($text)) {
    echo "Alphanumeric";
} else {
    echo "Not alphanumeric";
}
Or you could just skip the function step, but whatever. I apologize if there's something wrong with this post; I have to connect to Trap non-graphically through my school because I can't load it on my home connection.
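Both helpers above do the job for a field that is genuinely alphanumeric. As an added example (mine, not from either post), here is the regex version with one PCRE pitfall fixed and a length bound added, run over a few constructed inputs next to `ctype_alnum()`. Whitelisting like this is a useful second layer, but it cannot replace prepared statements for fields that legitimately contain quotes (a surname such as O'Brien), so treat it as defence in depth rather than the fix.

```php
<?php
// Added example (not from the posts above): whitelist validation for a single
// alphanumeric field, and a PCRE detail the one-line regex in the thread misses.

// The thread's regex. In PCRE, `$` also matches just before a trailing "\n",
// so "abc123\n" passes even though a newline is not alphanumeric.
function is_alnum_loose(string $s): bool {
    return (bool) preg_match('/^[a-zA-Z0-9]+$/', $s);
}

// \z anchors at the absolute end of the string, and the length bound (assumed
// 32 here) stops an oversized value from reaching the database layer at all.
function is_alnum_strict(string $s, int $max = 32): bool {
    return (bool) preg_match('/^[a-zA-Z0-9]{1,' . $max . '}\z/', $s);
}

// ctype_alnum() is the built-in equivalent for ASCII letters and digits;
// it rejects the empty string, but has no length bound of its own.
function is_alnum_ctype(string $s): bool {
    return ctype_alnum($s);
}

// Constructed inputs covering the normal case, the newline edge case, a
// classic injection payload, the empty string and an over-long value.
$cases = [
    'mystring123',
    "mystring123\n",
    "admin' --",
    '',
    str_repeat('a', 40),
];

foreach ($cases as $c) {
    printf("%-16s loose=%d strict=%d ctype=%d\n",
        json_encode($c), is_alnum_loose($c), is_alnum_strict($c), is_alnum_ctype($c));
}
```

Run it with `php file.php`; the row for the input ending in a newline is the one where the loose regex and the strict one disagree. Apply the check to each field separately and reject, rather than "clean", anything that fails: silently stripping characters changes what the user submitted and hides the attempt from your logs.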
Thanks for all the posts. This will help me a lot with things. Yeah, I had wondered where this post went after I posted it because I couldn't find it, then... boom, there it is. Yay. I'm gonna save everything all of you posted to a WordPad document to get to faster without having to log in here when I am off working on coding my game.
Another surprisingly simple technique is to name databases and tables with random names. For example, people often look for a database called forum or phpbb etc. to inject a phpBB forum. If you use weird names it can be a last line of defence if they get through the script.
Best Way To Stop Sql Injections