Database (help) :(

01/26/2010 06:57 Nosferatu.#1
Hello Dudes

I've got a problem: my Character database was dropped by a SQL injection (I think) and I don't want to open it anymore because there is no command there to stop such attacks.


I was looking for a command like

mysql_escape_string()
mysql_real_escape_string()

for MSSQL but I didn't find it.

Can someone give me a tip on how to handle it?

BTW: My MSSQL port is closed to the public.
01/26/2010 07:11 luck94jc#2
Hello Darnus :) I saw your post and I tried to find something to help you. I don't know, I found something good that works for you... I'll give you a link, I hope it will be good :P
01/26/2010 07:17 janvier123#3
This is a real simple one. I was on IRC the other day and someone was trying to use mysql_escape_string() when submitting to an MSSQL database, so I wrote up this quick function so he could use it. Although it's probably easier to do this without a function, it's easier for some people to have it work just like mysql_escape_string().

PHP Code:
<?php
// Escape a value for use inside a single-quoted T-SQL string literal:
// T-SQL escapes a single quote by doubling it (' becomes '').
function mssql_escape_string($string_to_escape) {
    $replaced_string = str_replace("'", "''", $string_to_escape);
    return $replaced_string;
}
?>
01/26/2010 07:17 luck94jc#4
.... SQL injection - Wikipedia, the free encyclopedia. I never saw an error like yours...
01/26/2010 07:30 Nosferatu.#5
Quote:
Originally Posted by luck94jc
.... SQL injection - Wikipedia, the free encyclopedia. I never saw an error like yours...
Yours is MySQL; I can't use MySQL with MSSQL. For my page I already use this function:

$questions = "SELECT * FROM _userdb WHERE username LIKE '".mysql_real_escape_string(addslashes($username)) ."' LIMIT 1";

But I need a function like janvier's.

Janvier, do I need to add more steps like this?

$replaced_string = str_replace("'", "''", $string_to_escape);
$replaced_string = str_replace(";", "", $replaced_string);

Edit: ok, I searched again on Google and found it:

PHP Code:

// Begin
/*
    The muonline xweb base injection filter script
        Mssql Injection Filter, Includes arrays
-----------------------------------------------------------------
           Changelog: mu.vachev.net?mod=xweb
*/

// Double every single quote in $str unless the value already looks escaped
// (every quote in it is part of a '' pair).
function xw_sanitycheck($str){
    // Strip the '' pairs; if a lone ' is left, the value still needs escaping.
    // strpos() returns 0 for a quote at offset 0, so compare with !== false,
    // otherwise a value starting with a quote would be passed through unescaped.
    if(strpos(str_replace("''","",$str),"'")!==false)
        return str_replace("'","''",$str);
    else
        return $str;
}

// Apply xw_sanitycheck() to a scalar, or recursively to every element of an array.
function secure($str){
    // Case of an array
    if (is_array($str)) {
        foreach($str AS $id => $value) {
            $str[$id] = secure($value);
        }
    }
    else
        $str = xw_sanitycheck($str);

    return $str;
}

// Get Filter
$xweb_AI = array_keys($_GET);
$i=0;
while($i<count($xweb_AI)) {
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Request Filter
$xweb_AI = array_keys($_REQUEST);
$i=0;
while($i<count($xweb_AI)) {
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Post Filter
$xweb_AI = array_keys($_POST);
$i=0;
while($i<count($xweb_AI)) {
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]);
    $i++;
}

// Cookie Filter (do we have a login system?)
$xweb_AI = array_keys($_COOKIE);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]);
    $i++;
}
// End
10000 thanks to janvier !!!
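The single-quote doubling that janvier's mssql_escape_string() and the xweb xw_sanitycheck() above both rely on, applied to the login lookup from this thread, as an added example that is not part of any post here. The table _userdb and column username come from the thread; the helper names mssql_quote_literal(), mssql_like_literal() and build_login_query()/build_like_query(), and the input strings, are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread). Demonstrates T-SQL single-quote
// doubling on the lookup query from the original question, run against
// constructed inputs. Helper names are assumptions made for this example.

// Wrap a value as a T-SQL string literal, doubling every single quote.
// This is only valid INSIDE a quoted literal: it gives no protection for
// values placed unquoted (numbers, table/column names, ORDER BY targets).
function mssql_quote_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Make a user-supplied LIKE pattern match literally: T-SQL treats % and _
// as wildcards and [ as the start of a character class, and lets each be
// escaped by enclosing it in brackets. '[' must be handled first because
// the other replacements introduce brackets of their own.
function mssql_like_literal(string $value): string
{
    return str_replace(['[', '%', '_'], ['[[]', '[%]', '[_]'], $value);
}

// The thread's lookup with an exact match; MSSQL uses TOP 1 where MySQL
// would use LIMIT 1.
function build_login_query(string $username): string
{
    return "SELECT TOP 1 * FROM _userdb WHERE username = "
         . mssql_quote_literal($username);
}

// The same lookup with LIKE, as in the original query: wildcard escaping
// first, quote doubling second, so 'adm%' does not match 'admin'.
function build_like_query(string $username): string
{
    return "SELECT TOP 1 * FROM _userdb WHERE username LIKE "
         . mssql_quote_literal(mssql_like_literal($username));
}

// Constructed inputs: a normal name, a name with a legitimate apostrophe,
// a classic quote break-out, the kind of payload that drops tables, and
// a wildcard probe.
$inputs = [
    "admin",
    "O'Neil",
    "admin' OR 1=1--",
    "x'; DROP TABLE _userdb--",
    "adm%",
];

foreach ($inputs as $input) {
    // Every quote in the input is doubled, so it cannot close the literal;
    // the apostrophe in O'Neil survives as a normal character.
    echo build_login_query($input), PHP_EOL;
    echo build_like_query($input), PHP_EOL;
}
```

This is the stop-gap the thread is asking for, and it only covers values that sit inside a single-quoted literal. The robust fix is to keep user input out of the SQL text entirely with a parameterized query (for instance PDO::prepare() with bound parameters through the pdo_sqlsrv driver), which also covers the unquoted cases a quoting helper cannot.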
01/26/2010 08:59 janvier123#6
easypeezy

PHP Code:
// The braces are used as PCRE delimiters here, so each pattern is just the
// bare placeholder name; each call substitutes one placeholder in the message.
$ready_msg = preg_replace("{ACCOUNTNAME}", $row1[1], "The Account ACCOUNTNAME were successfully COINSGIVE added and COINSTAKE deducted.<br>This is the new stand Coins COINSTOTAL.</center>");
$ready_msg = preg_replace("{COINSGIVE}", $_POST['coins_p'], $ready_msg);
$ready_msg = preg_replace("{COINSTAKE}", $_POST['coins_m'], $ready_msg);
$ready_msg = preg_replace("{COINSTOTAL}", $new_coins, $ready_msg);