PHP - Mysql Injection Attacks

i am using a Anti MySQL Injection my friend made for me

config.php
//Anti MySQL Injection
function anti_injection($sql) {
   // removes words that contain sql syntax
   $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);
   $sql = trim($sql); // strip whitespace
   $sql = strip_tags($sql); // strip HTML and PHP tags
   $sql = addslashes($sql); // quote string with slashes
   return $sql;
}

<?php 
include "./config.php";
$title = $_POST[title];
$type = $_POST[type];
$episode = $_POST[episode];
$year = $_POST[year];
$genre = $_POST[genre];
$status = $_POST[status];
$summary = $_POST[summary];
$pictures = $_POST[pictures];
$title = anti_injection($title);
$type = anti_injection($type);
$episode = anti_injection($episode);
$year = anti_injection($year);
$genre = anti_injection($genre);
$status = anti_injection($status);
$summary = anti_injection($summary);
$pictures = anti_injection($pictures); ?>
When i enter the data from the text box and click submit

it still puts the data in to the date base but it shows

]Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\studying\take 2\addin11.php on line 41

Notice: Use of undefined constant type - assumed 'type' in C:\wamp\www\studying\take 2\addin11.php on line 42

Notice: Use of undefined constant episode - assumed 'episode' in C:\wamp\www\studying\take 2\addin11.php on line 43

Notice: Use of undefined constant year - assumed 'year' in C:\wamp\www\studying\take 2\addin11.php on line 44

Notice: Use of undefined constant genre - assumed 'genre' in C:\wamp\www\studying\take 2\addin11.php on line 45

Notice: Use of undefined constant status - assumed 'status' in C:\wamp\www\studying\take 2\addin11.php on line 46

Notice: Use of undefined constant summary - assumed 'summary' in C:\wamp\www\studying\take 2\addin11.php on line 47

Notice: Use of undefined constant pictures - assumed 'pictures' in C:\wamp\www\studying\take 2\addin11.php on line 48

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

And thanks to the Anti MySQL Injection my Primary key in my database dont work :s
can you help? thank you

 is this select query code safe from injection?

try {
	$stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
	$stmt->execute();
	$row = $stmt->fetch();
} 

notice there is no bind.

$stmt->bindParam(':key', $key);

the reason i am asking is that i have many $key variable in the query and i do not know how to use bind in a query such as this...

SELECT count(*) FROM posts WHERE MATCH (file) AGAINST 
('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)

the $key is not an array and the $key does not change it's value.
Edited by kalster, 04 January 2015 - 05:52 PM.

I currently use the following function to clean form inputs to prevent MySql injection,

Does this function do enough to prevent MySql injection? is there anything i have missed?

 
<?php

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}

?>

Hey guys,

I am having a problem with making a system where it is turn based attacks.

I want it so a user can attack a monster and the monster can attack back, the output I want is like.

Code: [Select]
You hit the monster for 5.
The monster hit you for 7.
You hit the monster for 3.
The monster hit you for 6.
and so on.

I have been going at this for ages and cannot get what I want.

I had problems such as:
The monster attacking when it should be dead.
Even when the monster was dead the user would still attack.

This is the code I have now that is maybe totaly wrong, thats why I need your guys help!

Code: [Select]

        $monster_hp = 10;
$userhp =10;

for ($i=1,$n=1; $i<=$monster_hp, $n<=$userhp; $n+=$damtaken, $i+=$damdone){

$damtaken = 1*rand(1,3) + rand(1,4) + 1 + 1;
$damdone = 1*rand(1,2) + rand(1,2) + 1 + 1;

echo "You hit the monster for $damdone.<br />";

echo "The monster hit you for $damtaken. <br />";
}

The output for that is:
Code: [Select]
You hit the monster for 5.
The monster hit you for 7.
You hit the monster for 5.
The monster hit you for 5. That is wrong due to the monster having 10 hp and I have hit him for 10hp overall. I know that thats because the echo is in the loop so it has to run but I have tried so many ways to get this to work and cannot do it.

If I die, it should stop with the monsters attack and a message saying "The monster has killed you", if I win it should stop his next attack and say "You have killed the monster".

Please help me guys, you have helped me before so I know how good some of you are.

Thank you so much for anyhelp that is givin.
Ruddy.

I am having a wamp issue so I can't try these out right now.  According to the book I'm learning php with, I can easily avoid injection attacks this way:    $a= stripslashes($a); $a= mysql_real_escape_string($a);   What concerns me is the repetition of the variable, $a.  Does it matter?  Intuitively, it should.    $a changes. By the time $a hits mysql_real_escape_string it is slash-free.  So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.   I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM.

I'm confused, can this result in css/sql injection?

Code: [Select]

if(isset($_GET['action'])){
if($_GET['action'] == 'details'){
$cupID = $_GET['cupID'];
$ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'");
$ds=mysql_fetch_array($ergebnis);

...

Some german fellow was explaining, translate to English briefly:

"$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... "

I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? 

I want to know which part of my script has the hole..as i can find lots of php script and even folder can be injected into my public_html

how they do that, and which part need to be checked? is that the upload part <enctype> or what??

thanks in advance

Hi,
I'm sure many of you heard of "pastebin", if not the short of it, is that you can submit your code (+100 languages), and you can display it to your friends via a link with syntax highlighting available.

So, One way to store the code is surely in txt files, but I would really prefer to have it stored in a mysql database.

My only concern is people trying to run a sql injection, so how do i get around all this? I don't want the user's content to be changed, but I don't want SQL injections either.. is this even possible at all?
Any tips appreciated, also if you could think of another alternative than txt files and mysql.

Will this prevent a SQL injection? I am guessing the answer is no because it is too simple.


// retrieve form data   ==========================================

$ama = $_POST['ama'];

// Check for alphanumeric characters =====================================

$string = "$ama";

$new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);

// echo $new_string;

// Send query ===========================================================

$query = "SELECT * FROM members WHERE ama='$new_string'";
if (!mysql_query($query)){
die('Error :' .mysql_error());
}

I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working.  I have my "dbClass" below that connects to a MySQL database. 

Code: [Select]
class dbClass {
public $db;

function __construct() {
$this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error());
return $this->db;
}
}

Then I have my "baseClass".  This is the class that I want to feed to connection too. 

Code: [Select]
class baseClass {
public $mysql_conn;

function __construct($db) {
$this->mysql_conn = $db;
$rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error());
}
}

And this is my index.php file.  The error I'm getting is "supplied argument is not a valid MySQL-Link resource".  However I tripled checked and my db connection details are definately correct. 

Code: [Select]
$db = new dbClass();
$baseclass = new baseClass($db);

Thanks for any help. 

Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.

The code works fine.
 

<?php 

include 'db.php';

error_reporting(E_ALL | E_WARNING | E_NOTICE);

ini_set('display_errors', TRUE);

 if(isset($_POST['submit']))

 {
    
 $username = $_POST['username']; 
$password =  ($_POST['password']); 

$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql); 
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count =  $result->num_rows;
   if($count == 1) 
                         {
while ($row = $result->fetch_assoc())
 {
    if ($row['status'] == 'blocked')

 {

 echo'your account is suspended'


   session_destroy();

   exit();

  }

 else if($row['status'] == 'active')
{

if($username !== $row['username']) 

 { 
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
} 
if($password !== $row['password']) 
{
  echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';       
}
if($username == $row['username'] && $password == $row['password']) 
{ 
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>

 

Hello,

I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself.

I'm pretty new to PHP so my code isn't great.

Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc which I'm not downloading.

I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted.

One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables?

The insert page code is:

Code: [Select]
$db = mysql_connect("localhost", "username", "password");

mysql_select_db("thedatabase",$db);
$ipaddress = mysql_real_escape_string($_POST['ipaddress']);
$theid = mysql_real_escape_string($_POST['theid']);
$gamert = mysql_real_escape_string($_POST['gamert']);
$serveron = mysql_real_escape_string($_POST['serveron']);

$check= mysql_query("select * from voting2 where ipaddress='$ipaddress'");

$ipname = mysql_fetch_assoc($check);

if($ipname['ipaddress'] == $ipaddress) {
                     echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.';


} else {
mysql_query ("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2)
                VALUES
('$theid','$ipaddress','$gamert','$serveron')");
 echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.';

}
How can I make it safer against SQL injection?

Thanks

i just want to ask this simple question

let say i have this basic query

$place=$_GET['place'];
mysql_query("SELECT * FROM table WHERE place='$place'");

this is a nice target for sql injection..

but what if i replace the whole special characters that could be added

$replacethis=array("-","`");
$withthis=array("","");
$place=str_replace($replacethis,$withthis,$_GET['place']);
mysql_query("SELECT * FROM table WHERE place='$place'");

Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ??

then what if i protect the file by changing the setting of the permission to either 644 or 755?
thanks in advance

im having some robots injecting gibberish

i wnat to deny amy links in the requesttext of the form
for some reason i tested it and it accepted a http link
Code: [Select]
if (preg_match("/http/i","$RequestText")){ exit();}

thanks