SQL injections

LoLBoL · 06/28/2016, 09:30

Hello,

I recently got my server up but there already has been a huge wave of SQL injections. Now before I'm gonna wipe my db for the 3rd time now, I was wondering if there's any way to stop people from injecting.

I'm currently running with these:
xArva's launcher
NanFS
IIS7.5 w/ PHP7

Thanks in advance,
LoLBoL

Verstuurd vanaf mijn SM-G900F met Tapatalk

~~FlyffServices~~ · 06/28/2016, 09:34

Which Scripts are u using?

You should first fixx the SQL-Injection themselv before u do anything.

LoLBoL · 06/28/2016, 10:45

The 2012 php register page (was told this could cause it) and a login.php with external config. I was thinking about making an sql user with access only to account & token table but I'm not sure that will work.

Verstuurd vanaf mijn SM-G900F met Tapatalk

Venipa · 06/28/2016, 11:17

Use PDO prepare Statements

tschulian · 06/28/2016, 11:21

Show me the Website.
And I will tell you possible security issues.

If you are already using PDO, prepared Statements are easy to embedd.
If not, there are easy functions stored in classes to check every users Input.
I can provide u samples of mine.
I am using outdated mssql_ functions which are secured by my selfmade security classes and never had issues with injects.

aaaaaand now Most of those cool pro coders with bellys here are going to blame me now "menz noob why r u sing mssql_ instead of pdo blabla".

EpicFight · 06/28/2016, 17:55

Quote:

Originally Posted by LoLBoL

The 2012 php register page (was told this could cause it) and a login.php with external config. I was thinking about making an sql user with access only to account & token table but I'm not sure that will work.

Verstuurd vanaf mijn SM-G900F met Tapatalk

Register 2012 .... has no right escape string...buy the way the Register is shit

from 2012 right ?

PHP Code:



<?php 
ob_start('ob_gzhandler'); 
 
session_start(); 
 
include_once "config.php"; 
 
echo "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'> 
<html> 
<head> 
<title>".$title."</title> 
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'> 
<link href='css/style.css' rel='stylesheet' type='text/css'> 
<script language='JavaScript' type='text/JavaScript'> 
<!--  
function disabledBttn(formname) 
{ 
    if (document.all || document.getElementById) { 
        for (i=0;i<formname.length;i++) { 
            var bttn=formname.elements[i]; 
            if(bttn.type.toLowerCase()=='submit' || bttn.type.toLowerCase()=='reset' || bttn.type.toLowerCase()=='button') 
                bttn.disabled=true; 
        } 
    } 
} 
//--> 
</script> 
</head> 
 
<body leftmargin='0' topmargin='10' marginwidth='0' marginheight='0'> 
<table width='100%' height='100%' border='0' align='center' cellpadding='0' cellspacing='0'> 
  <tr> 
    <td> 
      <table width='430' border='0' align='center' cellpadding='0' cellspacing='0'> 
        <tr> 
          <td><img src='imgs/fiesta_logo.png' alt='top' width='300' height='168'></td> 
        </tr> 
        <tr> 
          <td style='font-size:5px'>&nbsp;</td> 
        </tr> 
        <tr> 
          <td align='center' bgcolor='white' style='border-bottom: solid 1px #cecece; border-top: solid 1px #cecece; border-left: solid 1px #cecece; border-right: solid 1px #cecece' class='padding_all' 
 
 
          </td> 
        </tr> 
      </table> 
 
      <br> 
 
      <table width='350' border='0' align='center' cellpadding='0' cellspacing='0'> 
        <tr> 
          <td align='center' bgcolor='white' style='border-bottom: solid 1px #cecece; border-top: solid 1px #cecece; border-left: solid 1px #cecece; border-right: solid 1px #cecece' class='padding_all'>"; 
           
    if($_POST[action]!="signup") 
    { 
 
        echo "<form method='post' onSubmit='disabledBttn(this)' action=".$_SERVER[PHP_SELF]."?id=reg".$_SERVER[QUERY_STRING]."> 
            <table width='100%' border='0' align='center' cellpadding='2' cellspacing='2'> 
              <tr> 
                <td colspan='2'><img src='imgs/signup.gif' alt='signup' width='162' height='9'></td> 
              </tr> 
              <tr> 
                <td width='10%'>Username</td><td><input type='text' name='username' size='20' maxlength='10'></td> 
              </tr> 
        <tr> 
                <td width='10%'>E-Mail</td><td><input type='text' name='email' size='20' maxlength='25'></td> 
              </tr> 
              <tr> 
                <td>Password</td><td><input type='password' name='password' size='20' maxlength='15'></td> 
              </tr> 
              <tr> 
                <td colspan='2' align='right'><input type='submit' value='register' class='button'> <input type='reset' value='clear' class='button'></td> 
              </tr> 
            </table> 
            <input type='hidden' name='action' value='signup'> 
            </form>"; 
 
    } 
    else 
    { 
        $required=array( 
            "Username"=>$_POST[username], 
    "E-Mail"=>$_POST[email], 
            "Password"=>$_POST[password], 
        ); 
 
 
 
        for($i=0;$i<count($required);$i++) 
        { 
            list($key,$value)=each($required); 
 
            if(!$value) 
                echo "<b>$key</b> is required<br>"; 
            else 
                $chkArr[]=true; 
        } 
 
function rand_string() { 
    $chars = "123456789";     
     
    $size = strlen($chars); 
    for($i = 0; $i < 5; $i++) { 
        $str .= $chars[rand(0, $size - 1)]; 
    } 
     
    return $str; 
} 
 
        if(count($chkArr)==count($required)) 
        { 
            $connection = odbc_connect( $connection_string, $user, $pass ); 
 
            if(!$func->is_valid_string($_POST[username]) && !$func->is_valid_string($_POST[password])) 
            { 
 
                $usernameP=$_POST[username]; 
                $query = "SELECT * FROM [OdinAccounts].[dbo].[tAccounts] WHERE [sUsername]='$usernameP'"; 
                $q = odbc_exec($connection, $query); 
 
                $qt = odbc_do($connection, $query); 
                $i = 0; 
                while(odbc_fetch_row($qt)) $i++; 
 
                if($i>0) 
                    echo"<b>$_POST[username]</b>, is already taken!"; 
                else 
{ 
$query = "INSERT INTO [OdinAccounts].[dbo].[tAccounts] ([nEMID],[sUsername],[sUserPass],[sUserPassSalt],[sEmail],[nAuthID],[sIP]) VALUES('".rand_string()."','$_POST[username]','$_POST[password]','$_POST[password]','$_POST[email]','3','127.0.0.1')"; 
                    $q = odbc_exec($connection, $query); 
                    if($q) 
                    echo"Username, <b>$_POST[username]</b> has been registered!"; 
                } 
            } 
            else 
                echo"Please re-enter username and password, remove all special characters!"; 
 
        } 
        echo "<br><br><a href='".$_SERVER[PHP_SELF]."?id=back'>Return</a>"; 
} 
echo "  </td> 
        </tr> 
        <tr> 
        <td bgcolor='#7f7f7f'><font color='#FFFFFF'>".$copy."</font></td> 
        </tr> 
      </table> 
    </td> 
  </tr> 
</table> 
</body> 
</html>"; 
 
    exit; 
 
ob_end_flush(); 
?>

PHP Code:



    function is_valid_string($string) { 
 
        $cfgBadChars='`~!@#$%^&*()+-_=[]{};\'\\:"|,/<>? '; 
 
        if (empty($string)) 
            return true; 
 
        for ($i = 0; $i < strlen($cfgBadChars); $i++): 
            if (strstr($string, $cfgBadChars[$i])) 
            return true; 
        endfor; 
         
        return false; 
    }

Mathias1000 · 07/02/2016, 01:55

Use mysql_real_escape_string() for all Critical inputs.... so on php.net...