Database (help) :(

Nosferatu. · 01/26/2010, 06:57

Hello Dudes

I got a Problem , my Character database was Droped by a SQL Injection (i think) and i dont want open anymore cuz it is not command there to stop such attacks.

i was looking for a comand like

mysql_escape_string()
mysql_real_escape_string()

for MSSQL but i didnt found it.

Can some one give me a Tip to handle it?

BTW: My MSSQL Port is Closed for Public

luck94jc · 01/26/2010, 07:11

Hello Darnus

i see your post and i try to finde something to help you idk i finde something good and work to you ....i give you a link i hope will be good :P

janvier123 · 01/26/2010, 07:17

This is a real simple one. Was on IRC the other day and someone was trying to use mysql_escape_string() when trying to submit to a mssql database. So I wrote up this quick function so he could use it. although it's probably just easier to do this without a function, it's easier for some people to have it work just like mysql_escape_string().

PHP Code:



<?php
function mssql_escape_string($string_to_escape) {
$replaced_string = str_replace("'","''",$string_to_escape);
return $replaced_string;
}
?>

luck94jc · 01/26/2010, 07:17

.... SQL injection - Wikipedia, the free encyclopedia i never see a error like your...

Nosferatu. · 01/26/2010, 07:30

Quote:

Originally Posted by luck94jc

.... SQL injection - Wikipedia, the free encyclopedia i never see a error like your...

Yours is mysql i cant use mysql with mssql for my page i use alrddy this function

$questions = "SELECT * FROM _userdb WHERE username LIKE '".mysql_real_escape_string(addslashes($username)) ."' LIMIT 1";

But i need this function like janvier's

Janvier, i have to need add more ways like this?

$replaced_string = str_replace("'","''",$string_to_escape);
$replaced_string = str_replace(";","",$string_to_escape);

Edit: ok, i searched again in google and found it :

PHP Code:



 
// Begin 
/* 
    The muonline xweb base injection filter script 
        Mssql Injection Filter, Includes arrays 
----------------------------------------------------------------- 
           Changelog: mu.vachev.net?mod=xweb 
*/ 
 
function xw_sanitycheck($str){ 
    if(strpos(str_replace("''",""," $str"),"'")!=false) 
        return str_replace("'", "''", $str); 
    else 
        return $str; 
} 
 
function secure($str){ 
    // Case of an array 
    if (is_array($str)) { 
        foreach($str AS $id => $value) { 
            $str[$id] = secure($value); 
        } 
    } 
    else 
        $str = xw_sanitycheck($str); 
 
    return $str; 
} 
 
// Get Filter 
$xweb_AI    = array_keys($_GET); 
$i=0; 
while($i<count($xweb_AI)) { 
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]); 
    $i++; 
} 
unset($xweb_AI); 
 
// Request Filter 
$xweb_AI    = array_keys($_REQUEST); 
$i=0; 
while($i<count($xweb_AI)) { 
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]); 
    $i++; 
} 
unset($xweb_AI); 
 
// Post Filter 
$xweb_AI    = array_keys($_POST); 
$i=0; 
while($i<count($xweb_AI)) { 
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]); 
    $i++; 
} 
 
// Cookie Filter (do we have a login system?) 
$xweb_AI    = array_keys($_COOKIE); 
$i=0; 
while($i<count($xweb_AI)) { 
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]); 
    $i++; 
} 
// End

10000 thanks to janvier !!!

janvier123 · 01/26/2010, 08:59

easypeezy

PHP Code:



            $ready_msg = preg_replace("{ACCOUNTNAME}",$row1[1],"The Account ACCOUNTNAME were successfully COINSGIVE added and COINSTAKE deducted.<br>This is the new stand Coins COINSTOTAL.</center>");
            $ready_msg = preg_replace("{COINSGIVE}",$_POST['coins_p'],$ready_msg);
            $ready_msg = preg_replace("{COINSTAKE}",$_POST['coins_m'],$ready_msg);
            $ready_msg = preg_replace("{COINSTOTAL}",$new_coins,$ready_msg);