I have this form, and this anti-injection.
I have checked for anti-injection in three places and it is still quite easily injectable.
Code:

<?php
$sql_server = "localhost"; //<-- MSSQL server address/ip
$sql_user = "sa"; //<-- MSSQL username
$sql_pass = "sa"; //<-- MSSQL password
$sql_data = "database"; //<-- MSSQL database
$conn = mssql_connect($sql_server, $sql_user, $sql_pass);
$xadb = mssql_select_db($sql_data, $conn);
$badchars = array(";", "'", "\"", "*", ".", "DROP", "SELECT", "UPDATE", "DELETE", "drop",
                  "select", "update", "delete", "WHERE", "where", "INSERT", "insert");
$Data = '<html><p><p><b>Form Description</b><p>Enter Info Here:<br><form action=form.php method=post><input type=text name=test><br><br><input type=submit name=submit value="Submit"></form></html>';
if (isset($_POST['test'])) {
    $char = $_POST['test'];
    // in_array() only matches when the whole input equals one blacklist entry
    if (in_array($char, $badchars)) { die("INVALID CHAR!"); }
    // the query has to run before its result can be counted; $char is still
    // interpolated straight into the SQL string here
    $findchar = mssql_query("select * from table where name = '$char'");
    $ni = mssql_num_rows($findchar);
    if ($ni == 1) { // == (comparison), not = (assignment)
        $row = mssql_fetch_assoc($findchar);
        echo '<p>Blabla... <b>' . $char . ' ID = ' . $row['ID'] . '<p>';
    } else {
        die('ERROR');
    }
}
echo $Data;
?>

Please note this is just test code, edited from my original; it may or may not fully work off the bat, but the basics are there.

The problem is it only stops injection if it is at the start with nothing in front of it or behind it... and even then, it doesn't stop ' placed anywhere, or semicolons placed at the start.

I need all of those things in the bad-word list to make the PHP page die if one of them is entered in the form. Thanks!

All 2 Replies

I think you should do something like this:

$inject = false;
foreach ($badchars as $bad) {
    // strpos() finds the entry anywhere in the input, not only as the whole value
    if (strpos($char, $bad) !== false)
        $inject = true;
}

Thanks a lot! After adding an { and } at the start and end of that if, changing = true to = $inject + 1, changing $inject = false to $inject = 0, and having it check to make sure $inject == 0 in an if... it works perfectly, exactly as I want it to, stopping most, if not all, injections. Thanks a lot!
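As an added example that is not part of this thread: the reply's strpos() loop written as a function that counts hits the way the asker described, run over a few constructed inputs, followed by the same lookup done with a bound parameter so that the blacklist is no longer the only thing between the form and the query. It goes a little beyond the reply by using stripos() (case-insensitive, so the list needs one spelling per keyword). The function names and the PDO `sqlsrv` connection string are assumptions; the table and column names come from the posted script.

```php
<?php
// Added example (not from the thread): blacklist check as a function plus
// the lookup rewritten with a prepared statement. Function names and the
// PDO DSN are assumptions.

$badchars = [";", "'", "\"", "*", ".", "DROP", "SELECT", "UPDATE", "DELETE",
             "WHERE", "INSERT"];

// Returns how many blacklist entries occur anywhere in $input. stripos() is
// case-insensitive, so "SeLeCt" is caught without listing every spelling;
// the asker's in_array() only matched when the whole input equalled one entry.
function count_bad_tokens(string $input, array $badchars): int
{
    $hits = 0;
    foreach ($badchars as $bad) {
        if (stripos($input, $bad) !== false) {
            $hits++;
        }
    }
    return $hits;
}

// Constructed sample inputs: an ordinary value, a legitimate name the
// blacklist wrongly rejects, and the two cases the asker complained about
// (an apostrophe in the middle, a semicolon at the start).
$samples = ["alice", "O'Brien", "bob' or name='x", "; select 1"];
foreach ($samples as $s) {
    printf("%-18s -> %d bad token(s)\n", $s, count_bad_tokens($s, $badchars));
}

// The same lookup with a bound parameter: the driver sends $char separately
// from the SQL text, so quotes or keywords in it cannot alter the statement.
function find_by_name(PDO $db, string $char): ?array
{
    $stmt = $db->prepare("SELECT ID, name FROM [table] WHERE name = :name");
    $stmt->execute([':name' => $char]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Usage (assumed sqlsrv DSN; credentials as in the posted script):
// $db  = new PDO("sqlsrv:Server=localhost;Database=database", "sa", "sa");
// $row = find_by_name($db, $_POST['test'] ?? '');
```

The "O'Brien" case is the practical cost of the blacklist approach: a real name is rejected, while the prepared statement accepts it safely.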
