Daehawk Posted June 12, 2005
I was wondering about tips on the best way to set up your PHP site, if you had a game, to make it so SQL injection didn't work on your game.
SystemWisdom Posted June 13, 2005
SQL injection occurs via an input form (like a login), where the form accepts special characters (like !@#$%^ etc.). One of the easiest/best ways to prevent such a compromise is to disallow any special characters and force users to only use alphanumeric values when supplying input via a web form (abc...123...). Even spaces should be considered invalid, since SQL injection involves the use of an SQL statement containing spaces to separate keywords (select * from [table]). Also, you should use a URL decoding method before validating the input; that way a %20 would get converted to a space and filtered out (as well as any other invalid encoded characters). Doing that should thwart about 95% (if not 100%) of any SQL injection techniques...
FaLgoR Posted June 13, 2005
Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions go without any kind of "preparation", or it will be easy to manipulate the database. Be careful.
karlo Posted June 17, 2005
> Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions go without any kind of "preparation", or it will be easy to manipulate the database. Be careful.

Is there a function in PHP which will only accept alphabet letters and numbers?
beeseven Posted June 17, 2005
What I do is create an array of characters that I allow (letters, numbers, spaces and/or underscores). Then I replace all those with "", and if there's still stuff in the string (if($str != "")) then I kill the script and prompt for a new string.
serverph Posted June 17, 2005
Might be helpful: http://www.unixwiz.net/techtips/sql-injection.html
SystemWisdom Posted June 17, 2005
PHP to allow only letters/numbers:

```php
// Returns true only if the whole string is made of ASCII letters and digits.
// The anchors ^ and $ plus the + quantifier cover the entire input; without
// the + the pattern would only ever match a single character.
function isAlphaNumeric( $szInput )
{
    return (bool) preg_match( '/^[a-zA-Z0-9]+$/', $szInput );
}

// usage:
if( isAlphaNumeric( 'mystring123' ) )
{
    // valid
}
else
{
    // invalid
}
```

I hope that helps!
beeseven Posted June 18, 2005
I don't think that there's a premade function, but you can write one; it's not that hard considering there's a function that checks if something is alphanumeric.

```php
// Thin wrapper around ctype_alnum(), which is true only when every
// character in the string is a letter or digit (and the string is non-empty).
function is_alphanum($str)
{
    if (ctype_alnum($str)) {
        return true;
    } else {
        return false;
    }
}
```

Then you just do something like

```php
if (is_alphanum($text)) {
    echo "Alphanumeric";
} else {
    echo "Not alphanumeric";
}
```

Or you could just skip the function step, but whatever. I apologize if there's something wrong with this post; I have to connect to Trap non-graphically through my school because I can't load it on my home connection.
Daehawk Posted June 18, 2005
Thanks for all the posts. This will help me a lot with things. Yeah, I had wondered where this post went after I posted it because I couldn't find it, then... boom, there it is. Yay. I'm gonna save everything all of you posted to a WordPad document to get to faster without having to log in here when I am off working on coding my game.
rvalkass Posted June 18, 2005
Another surprisingly simple technique is to name databases and tables with random names. For example, people often look for a database called forum or phpbb etc. to inject a phpBB forum. If you use weird names it can be a last line of defence if they get through the script.
karlo Posted June 18, 2005
> PHP to allow only letters/numbers:
>
> ```php
> function isAlphaNumeric( $szInput )
> {
>     return (bool) preg_match( '/^[a-zA-Z0-9]+$/', $szInput );
> }
>
> // usage:
> if( isAlphaNumeric( 'mystring123' ) )
> {
>     // valid
> }
> else
> {
>     // invalid
> }
> ```
>
> I hope that helps!

Where did you get this code? And how did you learn to use the preg functions and the ereg function?
bjrn Posted June 19, 2005
You can make your own checking function to strip strange characters and quotation marks, but you might as well use the excellent PEAR DB functions for just that issue. And Xisto has PEAR installed, so you don't have to worry about that either. Just use the prepare() and execute() functions like so:

```php
<?php
// <things you want to do here>
require_once("PEAR.php");
require_once("DB.php");

// Abort with a message on any PEAR DB error.
PEAR::setErrorHandling(PEAR_ERROR_DIE, "Aaaaargh! Error: %s");

$conn = DB::connect("mysql://username:password@localhost/databasename");

// Placeholders (?) are filled in by execute(); the values never become part of the SQL text.
$preparedstatement = $conn->prepare('INSERT INTO tablename (field1, field2, field3, field4) VALUES (?, ?, ?, ?)');
$data = array($variable1, $variable2, $variable3, $variable4);
$conn->execute($preparedstatement, $data);
```

You will obviously have to change usernames/passwords/db name, set the variables, and change table and field names to whatever you are using. And if it's a guestbook or forum-like thing you might want to do something like:

```php
$variable = htmlspecialchars($_POST['variable'], ENT_QUOTES);
```

to set HTML entities. PEAR is a bunch of PHP packages with all sorts of handy functions. You can get more info about PEAR at pear.php.net and more about the PEAR DB package and how to use it here.
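The two defences the thread settles on, whitelist validation of each input field (SystemWisdom's and beeseven's posts) and placeholders that keep data out of the SQL text (this post's prepare()/execute()), combined in one added example. This is not code from the thread or from PEAR; it uses PHP's built-in PDO with a constructed `players` table, constructed field rules, and an in-memory SQLite database so it runs offline (PHP 7.1 or later is assumed). The unsafe function is kept only to show, side by side, what the bound-parameter version avoids.

```php
<?php
// Added example, not from the thread. Per-field whitelist rules: anything that
// does not match its anchored pattern is rejected before SQL is ever built.
// Field names and patterns are constructed for the demo.
const FIELD_RULES = [
    'username'  => '/^[A-Za-z0-9_]{3,20}$/',   // letters, digits, underscore
    'player_id' => '/^[1-9][0-9]{0,9}$/',     // positive integer, no leading zero
];

/**
 * Validate a request array (as $_POST looks after PHP's own URL decoding)
 * against FIELD_RULES. Returns only the clean fields; throws on the first bad one.
 */
function validateFields(array $input): array
{
    $clean = [];
    foreach (FIELD_RULES as $name => $pattern) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            throw new InvalidArgumentException("missing field: $name");
        }
        // Anchored regex: quotes, spaces, comment markers and NUL bytes all fail here.
        if (preg_match($pattern, $input[$name]) !== 1) {
            throw new InvalidArgumentException("invalid value for $name");
        }
        $clean[$name] = $input[$name];
    }
    return $clean;
}

// VULNERABLE (for contrast only): the value is spliced into the SQL string.
// A quote character in $username ends the literal and the remainder is parsed
// as SQL, so the query's meaning depends on user input.
function findPlayerUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM players WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: named placeholder plus a bound value. The value travels separately
// from the statement text, so the database never parses it as SQL.
function findPlayerSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM players WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline demo against in-memory SQLite (assumed: the pdo_sqlite extension).
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO players (username) VALUES ('alice'), ('bob')");

    // Constructed request that passes validation and is then looked up safely.
    $clean = validateFields(['username' => 'alice', 'player_id' => '1']);
    var_dump(findPlayerSafe($db, $clean['username']));

    // Constructed request with a quote in the username: rejected before any SQL runs.
    try {
        validateFields(['username' => "o'neil", 'player_id' => '1']);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }

    // Even a value that slipped past validation would stay data in the safe version.
    var_dump(findPlayerSafe($db, "bob' OR username <> 'bob"));  // NULL, no such row
}

demo();
```

Two points worth keeping in mind when moving this to MySQL: set `PDO::ATTR_EMULATE_PREPARES` to false on the MySQL connection so the server, not the client, does the preparing, and keep the whitelist as a first layer even though the placeholders alone stop injection, since it also rejects values the game would never want stored.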