morlets Posted September 6, 2009

Hi, I host an online game and made a script for an event with a password on it. The script allows the players to type in their name, password, and a skin of their choice. Right now it has no security on it and I'm kind of clueless on how to add it.

    <link rel="stylesheet" href="dns.css">
    <?php include("config.php"); ?>
    <table border="0">
    <?php
    // defaults so the form below can be rendered before any update is submitted
    $row = array('GameID' => '', 'Face' => '', 'Fame' => '');

    if (isset($_GET['Update'])) {
        // password check: the GET values are pasted straight into the query (no escaping)
        $SQL = "SELECT count(*) as Correct from tblBillID where Password = '" . $_GET['Password'] . "'"
             . " and BillID in (SELECT BillID from tblGameID1 where GameID = '" . $_GET['GameID'] . "')";
        $result = mssql_query($SQL, $conn);
        $check  = mssql_fetch_assoc($result);

        if ($check['Correct'] > 0) {
            // password matched: call the stored procedure that resets the character
            $proc = mssql_init('sp_ResetChar', $conn);
            mssql_bind($proc, '@GameID',   $_GET['GameID'],   SQLVARCHAR);
            mssql_bind($proc, '@Password', $_GET['Password'], SQLVARCHAR);
            mssql_bind($proc, '@Face',     $_GET['Face'],     SQLINT1);
            mssql_bind($proc, '@Fame',     $_GET['Fame'],     SQLINT2);
            mssql_execute($proc);
            echo "Done<br>";
        } else {
            echo "Bad pass.";
        }
    }
    ?>
    <tr>
        <td class="mytext">Char Editer<br><br></td>
    </tr>
    <tr>
        <td class="mytext">
        <form action="shapeshift.php" method="GET">
        <table border="0">
        <tr>
            <td>GameID</td>
            <td><input type="text" name="GameID" height="5" maxlength="12" style="width: 100px;" value="<?php echo $row['GameID']; ?>"></td>
        </tr>
        <tr>
            <td>Account Password</td>
            <td><input class="textin" type="Password" name="Password" value="Old Password" onClick="this.value='';" onFocus="this.value='';" size="15" maxlength="15"></td>
        </tr>
        <tr>
            <td>Face</td>
            <td>
            <select name="Face" size="1">
                <option value="<?php echo $row['Face']; ?>"><?php
                    // show the current skin by name instead of by number
                    $numbers = array('0', '1', '2', '3', '4', '5', '6', '7', '8');
                    $names   = array('Philar', 'Azlar', 'Sadad', 'Destino', 'Jarexx', 'Canon', 'Kitara', 'Lunarena', 'Lavita');
                    echo str_replace($numbers, $names, $row['Face']);
                ?> (current)</option>
                <option value="0">Philar</option>
                <option value="1">Azlar</option>
                <option value="2">Sadad</option>
                <option value="3">Destino</option>
                <option value="4">Jarexx</option>
                <option value="5">Canon</option>
                <option value="6">Kitara</option>
                <option value="7">Lunarena</option>
                <option value="8">Lavita</option>
            </select>
            </td>
        </tr>
        <tr>
            <td>Honor</td>
            <td><input type="text" name="Fame" height="5" maxlength="5" style="width: 100px;" value="<?php echo $row['Fame']; ?>">
                Red<input type="radio" name="Fame" value="-1000">
                Blue<input type="radio" name="Fame" value="1000"></td>
        </tr>
        <tr>
            <td></td>
            <td><input type="submit" name="UpdateChar" value="Update Character"></td>
        </tr>
        </table>
        <input type="hidden" name="Update" value="update">
        </form>
        </td>
    </tr>
    </table>

Any help would be greatly appreciated.
kratsg Posted September 6, 2009

To start, you should validate and clean the inputs before you use them in a query. I.e., you're not going to accept strings for the game id (like ?game_id=this_is_a_string). For cleaning the inputs before inserting them in a query, use the $clean_var = mysql_real_escape_string($var) function. Google "SQL Injection" for more information on that topic.
morlets Posted September 9, 2009 (Author)

PHP isn't my thing. I tried to google scripts or ways to block SQL injection, but I can't seem to find a site that explains it well enough for someone who doesn't know much about PHP to insert some code to fix my problem. I'm looking for code to block everything but letters and numbers when someone types the login or password, to "try" and stop most simple SQL injections. Or if anyone can help me out with some info, links, or code to help block it even better. Thank you for your time.
asmith Posted September 9, 2009

Check your $_POST values with this, for example for $_GET['Password']:

    if (!preg_match("/^[a-zA-Z0-9]+$/", $_GET['Password'])) {
        echo 'Please type only letters and numbers.';
    }
premiso Posted September 9, 2009

    <?php
    // constructed test strings: only the alphanumeric ones should pass
    $test = array("this1valid", "this not valid", "thisvalid", "12345", "!@#notvalid", ".not valid");

    foreach ($test as $tes) {
        if (preg_match("~^[A-Za-z0-9]+$~si", $tes) > 0) {
            echo "$tes <b>was valid</b><br />";
        }
    }
    die();
    ?>

preg_match. What you will want to look into is Regular Expressions for limiting items/checking fields for stuff you do not want. A great site for help with Regular Expressions is http://www.regular-expressions.info/repeat.html

EDIT: Posting the same method but with a link to a site to help with the regular expressions.
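The two replies above show the regex check on a single field. Below is an added example (not code from the thread) that applies the same idea to every field of the original shapeshift.php form, using the limits the form itself declares: maxlength 12 for GameID, maxlength 15 for Password, the nine option values for Face, and the 16-bit range that SQLINT2 implies for Fame. The validator returns the cleaned values together with a list of errors so that nothing reaches the database when any field is bad. The sample requests at the bottom are constructed for the demo; the function and field names are my own.

```php
<?php
// Added example: validate the shapeshift.php form fields before they reach SQL.
// Returns [clean values, errors]. If errors is non-empty, do not run the query.
function validate_char_edit(array $in): array
{
    $errors = [];
    $clean  = [];

    // $_GET values can also be arrays (?GameID[]=x), so require strings first.
    // \z instead of $ : $ would also accept a trailing newline.
    if (isset($in['GameID']) && is_string($in['GameID'])
        && preg_match('/^[A-Za-z0-9]{1,12}\z/', $in['GameID'])) {
        $clean['GameID'] = $in['GameID'];
    } else {
        $errors[] = 'GameID: letters and numbers only, 1 to 12 characters';
    }

    if (isset($in['Password']) && is_string($in['Password'])
        && preg_match('/^[A-Za-z0-9]{1,15}\z/', $in['Password'])) {
        $clean['Password'] = $in['Password'];
    } else {
        $errors[] = 'Password: letters and numbers only, 1 to 15 characters';
    }

    // Face: must be exactly one of the <select> values, then stored as an int.
    $faces = ['0', '1', '2', '3', '4', '5', '6', '7', '8'];
    if (isset($in['Face']) && is_string($in['Face']) && in_array($in['Face'], $faces, true)) {
        $clean['Face'] = (int) $in['Face'];
    } else {
        $errors[] = 'Face: pick one of the listed skins';
    }

    // Fame: a whole number inside the 16-bit range the form binds it as (SQLINT2).
    // filter_var returns false for "1e3", "10abc", arrays and missing values.
    $fame = filter_var($in['Fame'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => -32768, 'max_range' => 32767]]);
    if ($fame !== false) {
        $clean['Fame'] = $fame;
    } else {
        $errors[] = 'Fame: whole number between -32768 and 32767';
    }

    return [$clean, $errors];
}

// Constructed inputs: one well-formed request, one carrying an injection attempt.
$good = ['GameID' => 'alice',     'Password' => 'hunter2',     'Face' => '3', 'Fame' => '-1000'];
$bad  = ['GameID' => "alice' --", 'Password' => "' OR 1=1 --", 'Face' => '9', 'Fame' => '1e3'];

foreach ([$good, $bad] as $request) {
    [$clean, $errors] = validate_char_edit($request);
    if ($errors) {
        echo "rejected: " . implode('; ', $errors) . "\n";
    } else {
        echo "accepted: " . json_encode($clean) . "\n";
    }
}
```

The first request is accepted with Face and Fame converted to integers; the second is rejected on all four fields. Note that this is a whitelist, so it also changes the rules for what a password may contain. It is worth doing because it keeps junk out of the stored procedure arguments, but on its own it is not the fix for the query: the values should still go into the SQL as parameters rather than by string concatenation.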
morlets Posted September 9, 2009 (Author)

Thank you very much for your help.
Rommeo Posted September 9, 2009

SQL injection is not a very big problem to solve, I think (is it?). SQL injection is possible when you don't control the values for POST/GET. So as far as I know, if you check and validate the values before you execute, there is nothing to worry about.
kratsg Posted September 9, 2009

Quoting Rommeo:

    SQL injection is not a very big problem to solve, I think (is it?). SQL injection is possible when you don't control the values for POST/GET. So as far as I know, if you check and validate the values before you execute, there is nothing to worry about.

Even though I may validate my GET and POST, I always escape all strings before they are used in a query. If I retrieve a GET or POST value such as:

    $fid = (int)$_GET['fid'];

I KNOW that $fid will be an integer no matter what (maybe I'm wrong on the "no matter what" part?), so I don't escape it. However, you can't check for things like comments on a forum (it's not like you can check to see if their message is a message by going like if(valid_message($message)), because you can really (a) filter bad words, (b) filter any tags out, (c) check its length). After that, you still want to escape it in case there are single quotes or double quotes. Honestly, it's not a HUGE deal. addslashes() can really do the same thing, but I prefer mysql_real_escape_string.
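The advice in kratsg's two replies (escape strings with mysql_real_escape_string, cast integers, or fall back to addslashes) is written for MySQL, while the original script talks to SQL Server through the mssql_* extension. The added example below (my code, not from the thread) runs the original password check three ways against an in-memory SQLite database that stands in for tblBillID and tblGameID1: built by concatenation exactly as in the first post, built after addslashes(), and as a prepared statement. SQLite is a fair stand-in here because, like T-SQL and unlike MySQL, it treats a backslash inside a string literal as an ordinary character, so backslash-escaping does not close off the quote. The table layout, sample rows and the use of PDO instead of mssql_* are assumptions for the demo; running it needs the pdo_sqlite extension.

```php
<?php
// Added example: the OP's password gate three ways, against a SQLite stand-in
// for the SQL Server tables. Table layout and rows are constructed for the demo.
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE tblBillID   (BillID INTEGER, Password TEXT)");
    $pdo->exec("CREATE TABLE tblGameID1  (BillID INTEGER, GameID TEXT)");
    $pdo->exec("INSERT INTO tblBillID  VALUES (1, 'secret1'), (2, 'secret2')");
    $pdo->exec("INSERT INTO tblGameID1 VALUES (1, 'alice'),   (2, 'bob')");
    return $pdo;
}

// 1. The query as posted: values pasted into the SQL text by concatenation.
function check_concat(PDO $pdo, string $gameId, string $password): int
{
    $sql = "SELECT COUNT(*) AS Correct FROM tblBillID WHERE Password = '" . $password
         . "' AND BillID IN (SELECT BillID FROM tblGameID1 WHERE GameID = '" . $gameId . "')";
    return (int) $pdo->query($sql)->fetchColumn();
}

// 2. Same query, but with addslashes() applied to both values first.
//    addslashes turns ' into \' which MySQL would honour; T-SQL and SQLite do not.
function check_addslashes(PDO $pdo, string $gameId, string $password): int
{
    return check_concat($pdo, addslashes($gameId), addslashes($password));
}

// 3. Prepared statement: the SQL text is fixed, the values travel separately,
//    so no value can change the shape of the query.
function check_prepared(PDO $pdo, string $gameId, string $password): int
{
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) AS Correct FROM tblBillID WHERE Password = :pw"
      . " AND BillID IN (SELECT BillID FROM tblGameID1 WHERE GameID = :gid)");
    $stmt->execute([':pw' => $password, ':gid' => $gameId]);
    return (int) $stmt->fetchColumn();
}

$pdo = make_db();

// Closes the string literal, makes the WHERE always true, comments out the rest.
$attack = "' OR 1=1 --";

$variants = [
    'concat'     => 'check_concat',
    'addslashes' => 'check_addslashes',
    'prepared'   => 'check_prepared',
];

foreach ($variants as $name => $fn) {
    $good     = $fn($pdo, 'alice', 'secret1');  // legitimate login
    $wrong    = $fn($pdo, 'alice', 'wrong');    // wrong password
    $injected = $fn($pdo, 'alice', $attack);    // injection attempt, no valid password
    printf("%-10s good=%d wrong=%d injected=%d\n", $name, $good, $wrong, $injected);
}
```

With the concatenated and the addslashes() variants the injected password makes the count non-zero, which in the original script is enough to reach the "Done" branch and call sp_ResetChar; only the prepared statement reports zero for it while still accepting the real password. The (int) cast kratsg describes is sound for integer fields (Face and Fame here) because the result can no longer contain a quote, but GameID and Password are strings, and for those the fix is to bind them as parameters, not to pick an escaping function.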