|
PHP - Spam Injection Protection
im having some robots injecting gibberish
i wnat to deny amy links in the requesttext of the form for some reason i tested it and it accepted a http link Code: [Select] if (preg_match("/http/i","$RequestText")){ exit();} thanks Similar TutorialsHow can you protect mysql injection? (from inserting different statements into the input field) Thanks <?php include ("database.php"); // show comments $result = mysql_query("SELECT * FROM gamecomments"); while($row = mysql_fetch_array($result)) { echo $row['username'] . ": <Br> " . $row['comment']; echo "<p>"; } ini_set ("display_errors", "1"); error_reporting(E_ALL); if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } I haven't had a problem with sql injection yet, but I'm scarred to death. I didn't do any form data validation as I was building my site. I'm just now starting to learn how. Magic_quotes is turned on at my host. I know about htmlspecialchars and mysql_real_escape_string and stripslashes and htmlentities. In testing each of these, it seems they all miss one thing or another. so, I created an array of words and characters that I can't for the life of me imagine anyone would ever need on any form in my site, that I THINK addresses most if not all of the really bad things. But hey... I'm new to this. So here is my array and using print_r() it looks pretty good. Code: [Select] $badstuff = array('select','delete','update','insert','drop','=',';','"','\'','<','>','/'); Code: [Select] Array ( [0] => select [1] => delete [2] => update [3] => insert [4] => drop [5] => select [6] => delete [7] => update [8] => insert [9] => drop [10] => = [11] => ; [12] => " [13] => ' [14] => < [15] => > [16] => / ) My str_ireplace() function works fine within the code, but I'd like to create a function using str_ireplace(). I am failing miserably. Here is my function that doesn't work... Code: [Select] function strip($string){ return str_ireplace($badstuff,"",$string); } Here below..... the first line, that uses the function does NOT work. The second line that just uses str_replace() function works fine. Code: [Select] echo strip($string).'<br>'; echo str_ireplace($badstuff,"",$string) Can anyone tell me why my function does not work? I've read and watched 20 tutorials and just can't see the problem. Thanks for any input. '[$username]' is using a variable from a cookie varifying that you are logged in, this code works except i need to put real escape strings and protection from mysql injection and dont really know where to put them. Code: [Select] if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } [CODE] Hey, Wondering if this would work, it is based on the idea that everyone who is a real visitor will be using a browser, is that correct? Do robots use browsers too? if so, it wont work! haha. <? $browser = mb_substr($_SERVER['HTTP_USER_AGENT'], 0, 31); if (!empty($browser)){echo '<form action="send.php" method="post">';} ?> Just thought it was nice and simple, and couldnt see anywhere if it would work or not... I have a comment section that is secure against everything except spam.. Is there anyway to do like a 10second minimum wait time between posts? hello.
im trying to password protect my pages in a simple way like this:
http://www.scottconn...ord_protection/
but for some reason it doesnt chek the login file, so it doesnt work:
<?php require_once 'login.php'; ?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 table tr td label {
}
#form1 table {
text-align: left;
}
#wrapper {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
#wrapper2 {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
</style>
</head>
<body>
<div id="wrapper">
--<a href="tilfojer.html">Tilføj Aktivitet</a>--<br>
--<a href="tilfojtilvalg.html">Tilføj Tilvalg</a>--<br>
--<a href="tilfojrestaurant.html">Tilføj Restaurant</a>--<br>
--<a href="tilfojmenu.html">Tilføj Menu</a>--
</div>
<div id="wrapper2">
--<a href="seaktivitet.php">Se Aktiviteter</a>--<br>
--<a href="setilvalg.php">Se Tilvalg</a>--<br>
--<a href="serestaurant.php">Se Restauranter</a>--<br>
--<a href="semenu.php">Se Menuer</a>--
</div>
</body>
<a href="?logout=1">Logout</a>
</html>
that is how i implemented it. made the file an php file
can somone tell me why it doesnt work. and maybe how to make it work, and why that works
many thanks
I need to know, what i need to care about while im coding, how someone can hack my php code. Some tricks for protection pls? I want to password protect my entire website. How would I go on to doing this. There is a website that has this already (www.printerdev.co.uk). I want to do the exact same thing but not sure how to. Can someone please help me I have been getting a lot more client requests to protect files. What is the easiest way to do this. So, basically I have tried doing it outside the public directory. There are too many things that cause issues with this. I haven't been able to get a successfull implementation of this since I started working with this. So I was thinking instead about password protecting a directory that is inside public view, but still get files via PHP. Is there a way to setup a password protected directory, then retreive stuff from that directory using PHP. Or, a good way to put them outside the public folder. Everything I have tried to do to get a file to save outside of public view, has not worked. It always says uploaded but the file is never there. Also, I have verified correct permission for this as well. how would this code work? Code: [Select] if ($_POST['username'] == "[, ., ,, _, -" ){ die('Invalid characters.'); i want it to mean if there are any characters like ", [ . - _ ' " or anything in the username then die('invalid characters.'); for extra safety I have a contact form, and I want to make sure it doesn't send a bunch of duplicates if the page is refreshed after being submitted. Simple way is to make sure this record isn't identical to the one before it: select * from `contacts` where `Name`='$name' and `Phone`='$phone' and `Message`='$message' and `Subject`='$subject' and `Email`='$email' But, that checks against all records. While not likely, this could cause problems, if the same customer came back a month later and put in the same exact contact. Any way I can check it only against the very last record in the database? Something like: and `id`=XX , where XX is one less than the current auto inc id? I have never looked into sanitizing before, Is using htmlentities() good enough to protect against sql injection ? Thanks. I'm confused, can this result in css/sql injection? Code: [Select] if(isset($_GET['action'])){ if($_GET['action'] == 'details'){ $cupID = $_GET['cupID']; $ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'"); $ds=mysql_fetch_array($ergebnis); ... Some german fellow was explaining, translate to English briefly: "$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... " I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? I am having a wamp issue so I can't try these out right now. According to the book I'm learning php with, I can easily avoid injection attacks this way:
$a= stripslashes($a);
$a= mysql_real_escape_string($a);
What concerns me is the repetition of the variable, $a. Does it matter? Intuitively, it should.
$a changes. By the time $a hits mysql_real_escape_string it is slash-free. So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.
I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM. Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working. I have my "dbClass" below that connects to a MySQL database. Code: [Select] class dbClass { public $db; function __construct() { $this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error()); return $this->db; } } Then I have my "baseClass". This is the class that I want to feed to connection too. Code: [Select] class baseClass { public $mysql_conn; function __construct($db) { $this->mysql_conn = $db; $rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error()); } } And this is my index.php file. The error I'm getting is "supplied argument is not a valid MySQL-Link resource". However I tripled checked and my db connection details are definately correct. Code: [Select] $db = new dbClass(); $baseclass = new baseClass($db); Thanks for any help. i just want to ask this simple question let say i have this basic query $place=$_GET['place']; mysql_query("SELECT * FROM table WHERE place='$place'"); this is a nice target for sql injection.. but what if i replace the whole special characters that could be added $replacethis=array("-","`"); $withthis=array("",""); $place=str_replace($replacethis,$withthis,$_GET['place']); mysql_query("SELECT * FROM table WHERE place='$place'"); Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ?? then what if i protect the file by changing the setting of the permission to either 644 or 755? thanks in advance |
|||||||