trickytiger Posted August 4, 2009 Share Posted August 4, 2009 In the code for a script i'm using on my website it has code to prevent SQL Code injection, but for some reason everytime you go to a page with this code in it I get an email about a Hacking Attempt. The Code is: //This prevents SQL Code injection / XSS Attacks. function replace_meta_chars($string){ return @eregi_replace("([*])|([|])|([;]|([`])","",$string); } while(list($keyx,$valuex) = each($_REQUEST)){ if(eregi("([*])|([|])|([;])",$valuex)){ mail($set['contact_email'],"Hack Alert","There's been a SQL Injection hacking attempt. $HTTP_REFERRER $REMOTE_ADDR","FROM:".$ir['email']); echo "test"; } } reset ($_REQUEST); while(list($keyx,$valuex) = each($_REQUEST)){ ${$keyx} = replace_meta_chars($valuex); } //end anti SQL XSS script I've been studying this code and can't figure out why it keeps sending me an email. Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/ Share on other sites More sharing options...
Psycho Posted August 4, 2009 Share Posted August 4, 2009 Where did you get that code? Seems more complicated than it needs to be. Specifically this line: while(list($keyx,$valuex) = each($_REQUEST)){ I think it could be simplified as foreach ($_REQUEST as $keyx => $valuex) In any event, I don't see anything 'logically' wrong with the test being done. But, the REQUEST variable contains all data in POST, GET and COOKIE. If there is anything in only one of those variables that does contains one of the disallowed characters you will receive an email. Personally, that is a stupid test in my opinion. Did you tell the user they can't use those characters? Even so, why should you care if someone does use those characters? Your code should properly handle those characters using mysql_real_escape_string() function. So, there is no reason to disallow those characters or even do a "hack" check. But, if you really want to know why you are getting the emails, just add additional information to the email to identify the variable and value where the error is being triggered. while(list($keyx,$valuex) = each($_REQUEST)){ if(eregi("([*])|([|])|([;])",$valuex)){ $msg = "There's been a SQL Injection hacking attempt. $HTTP_REFERRER $REMOTE_ADDR\n\n"; $msg .= "Key: $keyx\n Value: $valuex"; mail($set['contact_email'],"Hack Alert", $msg,"FROM:".$ir['email']); echo "test"; } } However the REQUEST variable won't be able to tell you where that key/value is coming from (i.e. POST, GET, COOKIE). Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890766 Share on other sites More sharing options...
trickytiger Posted August 4, 2009 Author Share Posted August 4, 2009 I got this code from the GeN3 PTC script Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890772 Share on other sites More sharing options...
trickytiger Posted August 4, 2009 Author Share Posted August 4, 2009 ok, after adding the code you suggested this is what i get: There's been a SQL Injection hacking attempt. Key: __utmz Value: 265474251.1249069436.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none) Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890775 Share on other sites More sharing options...
Psycho Posted August 4, 2009 Share Posted August 4, 2009 You paid for that? Well, then, use it if you wish. I also think that code is less than optimal based upon the fact that one page load can cause multiple emails if multiple values have the disallowed characters. I would consider one request with multiple questionable values as a single "hack" attempt. Well, the results you received show that there is a key in either POST, GET or COOKIE of the name '__utmz' with a value of: 265474251.1249069436.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none) You will have to determine if you need/want that value and take appropriate action. Either take out the code that creates that value, modify it to not use the | character, remove the "hack" validation script, etc. etc. EDIT: A quick google search seems to indicate that value is a cookie and is related to Google Analytics. Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890781 Share on other sites More sharing options...
trickytiger Posted August 4, 2009 Author Share Posted August 4, 2009 Yes I paid for it and knew there may still be bugs in it. Everything else seems to work perfectly. do you know of anyway that i may be able to remove it doing that cookie? Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890804 Share on other sites More sharing options...
Psycho Posted August 4, 2009 Share Posted August 4, 2009 Yes, but to be honest, after doing a little more digging the whole "PTC" thing seems a little shady to me. All I found were numerous forum posts of immature arguments over which PTC script was the best and which ones have been "nulled", etc. Plus, there were numerous references to torrents and warez. I'm not comfortable in helping you to do something that may not be above board. Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890815 Share on other sites More sharing options...
trickytiger Posted August 4, 2009 Author Share Posted August 4, 2009 ok, i've posted on the ptcpay forums since they made the script and hopefully they will come up with a fix, otherwise the only option is to remove the code or the part that sends me the email unless i can figure it out. Quote Link to comment https://forums.phpfreaks.com/topic/168822-prevent-sql-code-injection/#findComment-890842 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.