Security

cry of war · March 7, 2008

I have a file I like to call my brain. It does all my central logic and logging of all actions done by the user. Seeing as how this is the Center of my website I need to protect it as best as possible. I was wondering if you guys seeing as I know half you know how to hack a website with unbelievable ease. I was wondering what would be the best way to stop some one from hacking you. And at the same time allow the script to tell that you are being hacked. I can tell if I am being brute forced hacked and I have a script for that but how do I tell if I am under a Injection attack and how is the best way to completely stop it? I know addslashes and stripslashes are to good ones but I know they dont stop them all.

Daniel0 · March 7, 2008

What do you want to protect yourself? How do you currently do and how does your current code look?

cry of war · March 7, 2008

heres what i have done so far

<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);
/***MySQLconnect***/
$host="nbl;ja;sdf";
$user="blahblbalh";
$password="blahblahbalh";
/***databaseconnect***/
$databasename= "game";
/****coding****/
$link = mysql_connect("$host", "$user", "$password");

if ( !is_resource( $link ) )
                echo "Failed to connect to the MySQL service.<br />";

			/**if (!$link) {
    die("Could not connect: " . mysql_error());
}**/
$db_selected = mysql_select_db("$databasename");
if (!$db_selected) {
    die("Could not select database: " . mysql_error());
}


?>
<?php
include "tablemaker.php";
$debug="1";
$block="";
global $error;
if (!isset($block)){
$casenum=rand(1, 25);
switch ($casenum) {
case 1: 	 include ""; die; break;
case 2: 	 include ""; die; break;
case 3: 	 include ""; die; break;
case 4: 	 include ""; die; break;
case 5: 	 include ""; die; break;
case 6:	 include ""; die; break;
case 7: 	 include ""; die; break;
case 8:	 include ""; die; break;
case 9: 	 include ""; die; break;
case 10:	 include ""; die; break;
case 11:	 include ""; die; break;
case 12:	 include ""; die; break;
case 13:	 include ""; die; break;
case 14:	 include ""; die; break;
case 15:	 include ""; die; break;
case 16:	 include ""; die; break;
case 17:	 include ""; die; break;
case 18:	 include ""; die; break;
case 19:	 include ""; die; break;
case 20:	 include ""; die; break;
case 21:	 include ""; die; break;
case 22:	 include ""; die; break;
case 23:	 include ""; die; break;
case 24:	 include ""; die; break;
case 25:	 include ""; die; break;
}
}
function sqlQuery( $mysqlQuery, $link, $debug ) {			
if (!isset($UserID)){
	$UserID="0";
					}
$Date=date('D, d M Y H:i:s T');
$IP=$_SERVER['REMOTE_ADDR'];
$Domain =$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$myFile = "logs\\query".$UserID.".txt";
$queryinfo = fopen($myFile, 'a') or die("can't open file");
$stringData = "Date:=>\"".$Date ."\"\nQuery Value:\"".$mysqlQuery ."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
fwrite($queryinfo, $stringData);
fclose($queryinfo);


global $error;
if ($error=="1"){
echo "Please go <a href=\"javascript:history.back(1)\">back</a> and fix the errors that are discribed above<br>";
die;
}
        if ( $debug ){
                echo "Query: $mysqlQuery<br />";
			 $result = mysql_query( $mysqlQuery, $link );
        if ( !$result ) {
                if ( $debug )
                        die('Invalid query: ' . mysql_error());
                print "Query failed, please try again.";
                die;
        }
	}
        return;
}


/* $_Post tester*/
function Post($nameofvar,$value,$type) {
/*
type1=letters only
type2=numbers only
type3=numbers and letters only
*/
$nameofvar="";
$value="";
$type="";
$hackerstring="#$%@#$%@#$%#$%@#&@AFG";
if ($type=="1"){/*letters*/

	if (preg_match($hackerstring,"$value"))
		{
		$x="1";
		}
	else if (ctype_alpha("$value")==true)
		{
		$x="2";
		}
	else
		{
		$x="3";
		$y="should be letters only";
		}
}
if ($type=="2"){/*numbers*/
	if (preg_match($hackerstring,"$value"))
		{
		$x="1";
		}
	else if (ctype_digit("$value")==true)
		{
		$x="2";
		}
	else
		{
		$x="3";
		$y="should be numbers only";
		}
}
if ($type=="3"){/*letters&numbers*/
	if (preg_match($hackerstring,"$value"))
		{
		$x="1";
		}
	else if (ctype_alnum("$value")==true)
		{
		$x="2";
		}
	else
		{
		$x="3";
		$y="should be numbers and letters only";
		}
}
if ($type=="4"){/*Anything goes*/
	if (preg_match($hackerstring,"$value"))
		{
		$x="1";
		}
	else if (ctype_alnum("$value")==true)
		{
		$x="2";
		}
	else
		{
		$x="3";
		$y="should be numbers and letters only";
		}
}
if ($type=="5"){/*Email*/
	if (preg_match($hackerstring,"$value"))
		{
		$x="1";
		}
	else if (ctype_alnum("$value")==true)
		{
		$x="2";
		}
	else
		{
		$x="3";
		$y="should be numbers and letters only";
		}
}
if (isset($x)){
global $error;
if ($x=="1"){

$error="1";
			echo "The string you have input has been taken as a hacker string. To prevent this error from accuring again please try not to use ' or the word \"OR\" or a \";\"<br>";
			echo "The error was related to the word ".$nameofvar.".<br>";
if (!isset($UserID)){
$UserID="0";
}
$Date=date('D, d M Y H:i:s T');
$IP=$_SERVER['REMOTE_ADDR'];
$Domain =$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$myFile = "logs\\hacker".$UserID.".txt";
$queryinfo = fopen($myFile, 'a') or die("can't open file");
$stringData = "Date:=>\"".$Date ."\"\nHacker Post Value:=>\"".$nameofvar."\"=>\"".$value."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
fwrite($queryinfo, $stringData);
fclose($queryinfo);
include "table2.php";
include "databaseconnect.php";
			sqlQuery( "INSERT INTO $tableIPlogger VALUES ('$IP','$Domain','$UserID','$Date')", $link,"1");
		}




if ($x=="2")
{
if (!isset($UserID)){
$UserID="0";
}
$Date=date('D, d M Y H:i:s T');
$IP=$_SERVER['REMOTE_ADDR'];
$Domain =$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$myFile = "logs\\post".$UserID.".txt";
$queryinfo = fopen($myFile, 'a') or die("can't open file");
$stringData = "Date:=>\"".$Date ."\"\nPost Value:=>\"".$nameofvar."\"=>\"".$value."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
fwrite($queryinfo, $stringData);
fclose($queryinfo);
		return $value;
		}





if ($x=="3"){
$error="1";
		echo "You have tried to input a value where there ".$y.". The error was related to the word ".$nameofvar.". Or you have left the space blank.<br>";
		if (!isset($UserID)){
$UserID="0";
}
$Date=date('D, d M Y H:i:s T');
$IP=$_SERVER['REMOTE_ADDR'];
$Domain =$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$myFile = "logs\\invalid".$UserID.".txt";
$queryinfo = fopen($myFile, 'a') or die("can't open file");
$stringData = "Date:=>\"".$Date ."\"\nInvalid Input:=>\"".$nameofvar."\"=>\"".$value."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
fwrite($queryinfo, $stringData);
fclose($queryinfo);
		}		
}
else 
{
echo "Syntax checker is not work please contact head admin;";
}
$myFile = "logs\\Poster.txt";
$queryinfo = fopen($myFile, 'a') or die("can't open file");
$stringData = "Name=>".$nameofvar."||||Value=>".$value."||||Type=>".$type."\n";
fwrite($queryinfo, $stringData);
fclose($queryinfo);
/*end write*/
return;
}
?>

Sign In

Security

Recommended Posts

cry of war

Link to comment

Share on other sites

Daniel0

Link to comment

Share on other sites

cry of war

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information