[Releases]SQL injection PHP

[banktakung]

PHP Code:

<?php 
$ip = $_SERVER['REMOTE_ADDR']; 
$time = date("l dS of F Y h:i:s A"); 
$script = $_SERVER[PATH_TRANSLATED]; 
$fp = fopen ("[WEB]SQL_Injection.txt", "a+"); 
$sql_inject_1 = array(";","928db812f6c9dc1db9d9c36a1065db98","x","'\'","\'","'","CHARACTER_TBL","drop","dbo","tbl","table","dump","db","sp_executesql","union","insert","cast","create","char","convert","alter","declare","order","script","set","benchmark","encode","or","INVENTORY_TBL","PREMIUM_SHOP_TBL","MAIL_TBL","SKILLINFLUENCE_TBL","update","delete","select","shutdown","CHARACTER_01_DBF","ACCOUNT_DBF","LOGGING_01_DBF","%","exec"); #Whoth need replace 
$sql_inject_2 = array("", "","","""); #To wont replace 
$GET_KEY = array_keys($_GET); #array keys from $_GET 
$POST_KEY = array_keys($_POST); #array keys from $_POST 
$COOKIE_KEY = array_keys($_COOKIE); #array keys from $_COOKIE 
/*begin clear $_GET */ 
for($i=0;$i<count($GET_KEY);$i++) 
{ 
$real_get[$i] = $_GET[$GET_KEY[$i]]; 
$_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_GET[$GET_KEY[$i]])); 
if($real_get[$i] != $_GET[$GET_KEY[$i]]) 
{ 
fwrite ($fp, "IP: $ip\r\n"); 
fwrite ($fp, "Method: GET\r\n"); 
fwrite ($fp, "Value: $real_get[$i]\r\n"); 
fwrite ($fp, "Script: $script\r\n"); 
fwrite ($fp, "Time: $time\r\n"); 
fwrite ($fp, "==================================\r\n"); 
} 
} 
/*end clear $_GET */ 
/*begin clear $_POST */ 
for($i=0;$i<count($POST_KEY);$i++) 
{ 
$real_post[$i] = $_POST[$POST_KEY[$i]]; 
$_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_POST[$POST_KEY[$i]])); 
if($real_post[$i] != $_POST[$POST_KEY[$i]]) 
{ 
fwrite ($fp, "IP: $ip\r\n"); 
fwrite ($fp, "Method: POST\r\n"); 
fwrite ($fp, "Value: $real_post[$i]\r\n"); 
fwrite ($fp, "Script: $script\r\n"); 
fwrite ($fp, "Time: $time\r\n"); 
fwrite ($fp, "==================================\r\n"); 
} 
} 
/*end clear $_POST */ 
/*begin clear $_COOKIE */ 
for($i=0;$i<count($COOKIE_KEY);$i++) 
{ 
$real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]]; 
$_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_COOKIE[$COOKIE_KEY[$i]])); 
if($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]]) 
{ 
fwrite ($fp, "IP: $ip\r\n"); 
fwrite ($fp, "Method: COOKIE\r\n"); 
fwrite ($fp, "Value: $real_cookie[$i]\r\n"); 
fwrite ($fp, "Script: $script\r\n"); 
fwrite ($fp, "Time: $time\r\n"); 
fwrite ($fp, "==================================\r\n"); 
} 
} 

/*end clear $_COOKIE */ 
fclose ($fp); 

function xw_sanitycheck($str){
    if(strpos(str_replace("''",""," $str"),"'")!=false)
        return str_replace("'", "''", $str);
    else
        return $str;
}

function secure($str){
    // Case of an array
    if (is_array($str)) {
        foreach($str AS $id => $value) {
            $str[$id] = secure($value);
        }
    }
    else
        $str = xw_sanitycheck($str);

    return $str;
}

// Get Filter
$xweb_AI    = array_keys($_GET);
$i=0;
while($i<count($xweb_AI)) {
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Request Filter
$xweb_AI    = array_keys($_REQUEST);
$i=0;
while($i<count($xweb_AI)) {
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Post Filter
$xweb_AI    = array_keys($_POST);
$i=0;
while($i<count($xweb_AI)) {
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]);
    $i++;
}

// Cookie Filter (do we have a login system?)
$xweb_AI    = array_keys($_COOKIE);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]);
    $i++;
}
// End
?>

web ai is from rag/zone modify by me.

you can insert filter in $sql_inject_1 and $sql_inject_2

test and enjoy.

[Sammyz]

Um so yea, you modified this so you say but the only real difference is the password hash and "x" which make no sense as to why you would even filter these to begin with.

Things such as -- should also be added, or any symbol for that matter as well as it's ASCII equivalent.

Only alpha-numeric should be allowed.

[banktakung]

you can add in $sql_inject_1 that i said -.-!

[Jay Niize]

everything u need. xoxo