
Security


cry of war


I have a file I like to call my brain. It does all my central logic and logs every action the user performs. Seeing as this is the center of my website, I need to protect it as well as possible. Since I know half of you know how to hack a website with unbelievable ease, I was wondering what the best way is to stop someone from hacking you, and at the same time let the script tell that you are being hacked. I can tell if I am being brute-forced, and I have a script for that, but how do I tell if I am under an injection attack, and what is the best way to completely stop it? I know addslashes and stripslashes are two good ones, but I know they don't stop them all.


Here's what I have done so far:

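<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);
/***MySQLconnect***/
// NOTE(review): the credentials are hard-coded in source, so anyone who can read
// this file (a backup, version control, a mis-served copy) has the database
// password. Keeping them in a file outside the web root that this script reads
// would limit that exposure.
$host="nbl;ja;sdf";
$user="blahblbalh";
$password="blahblahbalh";
/***databaseconnect***/
$databasename= "game";
/****coding****/
$link = mysql_connect($host, $user, $password);

// Fix: the original only echoed on failure and then carried on to
// mysql_select_db() with no connection (the die() below was commented out).
// Abort here instead, so later code never runs against a missing $link.
if (!is_resource($link)) {
    die("Failed to connect to the MySQL service.<br />");
}

// Select the database on the connection we just opened rather than on
// "the last opened link", which is what mysql_select_db() uses when $link is omitted.
$db_selected = mysql_select_db($databasename, $link);
if (!$db_selected) {
    die("Could not select database: " . mysql_error($link));
}
?>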
<?php
include "tablemaker.php";
$debug="1";
$block="";
// NOTE(review): "global" at file scope refers to the variable that is already
// global, so this line has no effect here; presumably a leftover from a function.
global $error;
// NOTE(review): $block was assigned "" just above, so isset($block) is always
// true and this whole branch never runs. Its 25 switch cases were identical
// (include "" then die), which the single range test below reproduces.
if (!isset($block)) {
    $casenum = rand(1, 25);
    if ($casenum >= 1 && $casenum <= 25) {
        include "";
        die;
    }
}
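function sqlQuery( $mysqlQuery, $link, $debug ) {
    /*
     * Append $mysqlQuery to logs\query<UserID>.txt, stop if Post() has set the
     * global $error flag, then run the query on $link.
     *
     * Returns the mysql_query() result (the original returned nothing; callers
     * that ignore the return value are unaffected).
     *
     * Fix: in the original the mysql_query() call sat inside "if ($debug)", so
     * with $debug off the statement was logged but never executed. It now always
     * runs; $debug only controls whether the SQL and the driver error are echoed.
     *
     * This function does no escaping. The caller has to build $mysqlQuery with
     * mysql_real_escape_string() on $link for every interpolated value.
     */
    // $UserID is never assigned anywhere in this file's scope, so the log is
    // always query0.txt (same as the original).
    $UserID = "0";
    $Date = date('D, d M Y H:i:s T');
    $IP = $_SERVER['REMOTE_ADDR'];
    $Domain = $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    $myFile = "logs\\query".$UserID.".txt";
    $queryinfo = fopen($myFile, 'a') or die("can't open file");
    $stringData = "Date:=>\"".$Date ."\"\nQuery Value:\"".$mysqlQuery ."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
    fwrite($queryinfo, $stringData);
    fclose($queryinfo);

    // Post() sets $error to "1" when a value failed validation; refuse to run
    // anything that might have been built from that value.
    global $error;
    if ($error == "1") {
        echo "Please go <a href=\"javascript:history.back(1)\">back</a> and fix the errors that are discribed above<br>";
        die;
    }

    if ($debug) {
        // Echoing the raw SQL shows table and column names to the client; keep
        // $debug off outside development.
        echo "Query: $mysqlQuery<br />";
    }
    $result = mysql_query($mysqlQuery, $link);
    if (!$result) {
        if ($debug) {
            die('Invalid query: ' . mysql_error($link));
        }
        print "Query failed, please try again.";
        die;
    }
    return $result;
}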


/* $_Post tester*/
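function Post($nameofvar,$value,$type) {
    /*
     * Validate one posted value against an allow-list chosen by $type, log the
     * outcome under logs\, and return the value only if it passed.
     *
     * type1=letters only
     * type2=numbers only
     * type3=numbers and letters only
     * type4=labelled "Anything goes" in the original but checked as letters and
     *       numbers only; kept that way because callers use the returned value
     *       unescaped and this function cannot escape it for their context
     * type5=email, checked with filter_var() (the original ctype_alnum() check
     *       rejected every address, since "@" and "." are not alphanumeric)
     *
     * Returns $value when it is accepted. Otherwise sets the global $error flag
     * (which makes sqlQuery() refuse to run), echoes a message and returns null.
     *
     * Changes from the original:
     *  - removed $nameofvar=""; $value=""; $type=""; at the top, which discarded
     *    all three arguments, so no type ever matched and every call ended in
     *    the "Syntax checker is not work" branch;
     *  - removed preg_match($hackerstring, ...): "#$%@#$%@#$%#$%@#&@AFG" is not a
     *    valid PCRE (everything after the closing "#" is read as modifiers), so
     *    it always returned false with a warning. Post_isProbe() below only
     *    decides which log a rejected value goes to; the allow-list is the check;
     *  - $error was set to "1" before the INSERT into $tableIPlogger, so
     *    sqlQuery() died on its $error check and the row was never written; the
     *    flag is now set after that call;
     *  - the INSERT interpolated $_SERVER['HTTP_HOST'], a header the client
     *    controls, straight into SQL; every value is now escaped with
     *    mysql_real_escape_string() on the $link that databaseconnect.php sets up;
     *  - the echoed $nameofvar is HTML-escaped, and logged fields have control
     *    characters escaped so a rejected value cannot forge extra log records.
     */
    global $error;
    // $UserID is never assigned anywhere in this file, so every log is written
    // as user "0" (same as the original).
    $UserID = "0";
    $Date = date('D, d M Y H:i:s T');
    $IP = $_SERVER['REMOTE_ADDR'];
    $Domain = $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    // The original passed "$value" to the ctype functions, i.e. its string form.
    $text = "$value";
    $safeName = htmlspecialchars($nameofvar, ENT_QUOTES, 'UTF-8');

    // $known: $type is one of 1..5; $ok: $text passed that type's allow-list;
    // $y: message fragment used when it did not.
    $known = true;
    $ok = false;
    $y = "";
    switch ("$type") {
        case "1":
            $ok = ctype_alpha($text);
            $y = "should be letters only";
            break;
        case "2":
            $ok = ctype_digit($text);
            $y = "should be numbers only";
            break;
        case "3":
        case "4":
            $ok = ctype_alnum($text);
            $y = "should be numbers and letters only";
            break;
        case "5":
            $ok = filter_var($text, FILTER_VALIDATE_EMAIL) !== false;
            $y = "should be a valid email address";
            break;
        default:
            $known = false;
    }

    if (!$known) {
        echo "Syntax checker is not work please contact head admin;";
    } elseif (Post_isProbe($text)) {
        // Same order as the original: the probe heuristic is consulted before the
        // allow-list so these rejections land in the "hacker" log.
        echo "The string you have input has been taken as a hacker string. To prevent this error from accuring again please try not to use ' or the word \"OR\" or a \";\"<br>";
        echo "The error was related to the word ".$safeName.".<br>";
        Post_log("hacker", "Hacker Post Value", $nameofvar, $text, $UserID, $Date, $IP, $Domain);
        include "table2.php";           // provides $tableIPlogger
        include "databaseconnect.php";  // provides $link
        // Escape on this connection before interpolating; $Domain in particular is
        // built from the Host header the client sent.
        $eIP = mysql_real_escape_string($IP, $link);
        $eDomain = mysql_real_escape_string($Domain, $link);
        $eUserID = mysql_real_escape_string($UserID, $link);
        $eDate = mysql_real_escape_string($Date, $link);
        // Debug flag "1" is what the original passed; note it makes sqlQuery()
        // echo the statement back to the client.
        sqlQuery("INSERT INTO $tableIPlogger VALUES ('$eIP','$eDomain','$eUserID','$eDate')", $link, "1");
        // Set only after the logger query has run, or sqlQuery() would abort on it.
        $error = "1";
    } elseif ($ok) {
        Post_log("post", "Post Value", $nameofvar, $text, $UserID, $Date, $IP, $Domain);
        // Accepted values are not written to Poster.txt, as in the original.
        return $value;
    } else {
        $error = "1";
        echo "You have tried to input a value where there ".$y.". The error was related to the word ".$safeName.". Or you have left the space blank.<br>";
        Post_log("invalid", "Invalid Input", $nameofvar, $text, $UserID, $Date, $IP, $Domain);
    }

    // Summary line for every call that did not return early (same file and layout as the original).
    $myFile = "logs\\Poster.txt";
    $queryinfo = fopen($myFile, 'a') or die("can't open file");
    $stringData = "Name=>".addcslashes($nameofvar, "\0..\37")."||||Value=>".addcslashes($text, "\0..\37")."||||Type=>".$type."\n";
    fwrite($queryinfo, $stringData);
    fclose($queryinfo);
    /*end write*/
    return;
}

/*
 * Coarse classifier used only to pick the "hacker" log for a value: true when it
 * contains a single quote, a semicolon or the word OR - the three things the
 * user-facing message in Post() names. It is not the validation; the ctype /
 * filter_var allow-list in Post() is.
 */
function Post_isProbe($text) {
    return preg_match('/[\';]|\bOR\b/i', $text) === 1;
}

/*
 * Append one record for Post() to logs\<prefix><UserID>.txt. $label names the
 * record kind ("Hacker Post Value", "Post Value", "Invalid Input"); the layout is
 * the one the original wrote. Control characters in the caller-influenced fields
 * are escaped so a value containing newlines cannot fake a record of its own.
 */
function Post_log($prefix, $label, $nameofvar, $value, $UserID, $Date, $IP, $Domain) {
    $myFile = "logs\\".$prefix.$UserID.".txt";
    $queryinfo = fopen($myFile, 'a') or die("can't open file");
    $safeName = addcslashes($nameofvar, "\0..\37");
    $safeValue = addcslashes($value, "\0..\37");
    $safeDomain = addcslashes($Domain, "\0..\37");
    $stringData = "Date:=>\"".$Date ."\"\n".$label.":=>\"".$safeName."\"=>\"".$safeValue."\"\n\\\\\\\\\\Domain:=>\"".$safeDomain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
    fwrite($queryinfo, $stringData);
    fclose($queryinfo);
}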
?>

