
I have a file I like to call my "brain". It does all my central logic and logs every action the user performs. Since this is the centre of my website I need to protect it as well as I can. I know half of you can break into a website with unbelievable ease, so I was wondering what the best way is to stop someone from hacking you, while at the same time letting the script tell that you are being attacked. I can tell when I am being brute-forced and I have a script for that, but how do I tell when I am under an injection attack, and what is the best way to stop it completely? I know addslashes and stripslashes are two good ones, but I also know they don't stop everything.


Here is what I have done so far:

<?php
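// Show errors in the browser only while developing: with display_errors on,
// every warning and notice (file paths, SQL text, driver messages) is sent
// to whoever made the request. NOTE(review): switch this off in production
// and read the server error log instead.
ini_set('display_errors', '1');
error_reporting(E_ALL);
/***MySQLconnect***/
// Credentials are embedded in this file. Keep it outside the document root
// (or deny HTTP access to it) and never publish real values with the code.
$host="nbl;ja;sdf";
$user="blahblbalh";
$password="blahblahbalh";
/***databaseconnect***/
$databasename= "game";
/****coding****/
// The mysql_* extension is removed in PHP 7+. The rest of this file is built
// on the resource it returns, so it is kept here; the long-term fix is
// mysqli or PDO with prepared statements, which also removes the need for
// hand-escaping values.
$link = mysql_connect($host, $user, $password);

// Original defect: a failed connection only echoed a message and fell
// through to mysql_select_db(), which then ran with no link. Stop here, and
// keep the driver's error text server-side -- it names the host and user.
if (!is_resource($link)) {
    error_log('mysql_connect failed: ' . mysql_error());
    die("Failed to connect to the MySQL service.<br />");
}

$db_selected = mysql_select_db($databasename, $link);
if (!$db_selected) {
    // Same reasoning: do not echo mysql_error() to the client.
    error_log('mysql_select_db failed: ' . mysql_error());
    die("Could not select database.");
}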


?>
<?php
include "tablemaker.php";
$debug = "1";
$block = "";
// Binds $error to the global when this file is pulled in from inside a
// function; at real top level it has no effect.
global $error;
// This guard can never be true: $block was assigned "" on the line above and
// isset() only reports null/undefined, so the body is dead code. In the
// original it was a 25-way switch on rand(1, 25) in which every case did the
// same thing -- include "" then die -- which is written out once here.
// NOTE(review): rand() is not a cryptographic source, and serving a randomly
// chosen decoy page is not a security control; confirm what this placeholder
// was meant to become before relying on it.
if (!isset($block)) {
    $casenum = rand(1, 25);
    include "";
    die;
}
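/**
 * Append a SQL statement to the query log, then execute it on $link.
 *
 * Defects fixed relative to the original:
 *  - mysql_query() was nested inside `if ($debug)`, so with a falsy $debug
 *    the statement was never executed at all. It now always runs; $debug
 *    only controls echoing the statement and the raw mysql_error() text.
 *  - The result resource is returned (the original returned nothing), so
 *    callers can fetch rows. Existing callers that ignore the return value
 *    are unaffected.
 *  - The echoed statement is HTML-escaped; it usually contains request data.
 *
 * Security notes for callers:
 *  - This function cannot make a statement safe: by the time it is called the
 *    string is already assembled. Escape (mysql_real_escape_string) or
 *    whitelist every value before interpolating it into $mysqlQuery.
 *  - The log record contains the full statement, which may hold credentials
 *    or personal data. Keep the logs directory outside the web root or deny
 *    HTTP access to it.
 *
 * @param string   $mysqlQuery fully assembled SQL statement
 * @param resource $link       open mysql connection
 * @param mixed    $debug      truthy => echo the statement and raw DB errors
 * @return resource|bool       whatever mysql_query() returns; dies on failure
 */
function sqlQuery( $mysqlQuery, $link, $debug ) {
    // $UserID is never assigned in this scope (the original isset() check
    // could only ever see a local variable), so the log suffix is always "0".
    // NOTE(review): pass the user id in explicitly if per-user logs are wanted,
    // and sanitise it before it becomes part of a file name.
    $UserID = "0";
    $Date   = date('D, d M Y H:i:s T');
    $IP     = $_SERVER['REMOTE_ADDR'];
    $Domain = $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];

    // DIRECTORY_SEPARATOR rather than a literal backslash: on Linux the
    // original created a stray file literally named "logs\query0.txt".
    $myFile = "logs".DIRECTORY_SEPARATOR."query".$UserID.".txt";
    $stringData = "Date:=>\"".$Date ."\"\nQuery Value:\"".$mysqlQuery ."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
    $queryinfo = fopen($myFile, 'a') or die("can't open file");
    // Exclusive lock so concurrent requests do not interleave half records.
    if (flock($queryinfo, LOCK_EX)) {
        fwrite($queryinfo, $stringData);
        flock($queryinfo, LOCK_UN);
    }
    fclose($queryinfo);

    // Post() sets $error = "1" when it rejected an input; refuse to run a
    // statement the caller may have built from that rejected data.
    global $error;
    if ($error == "1") {
        echo "Please go <a href=\"javascript:history.back(1)\">back</a> and fix the errors that are discribed above<br>";
        die;
    }

    if ($debug) {
        // Escaped: the statement normally embeds request values, and echoing
        // them raw into the page is a reflected XSS.
        echo "Query: " . htmlspecialchars($mysqlQuery, ENT_QUOTES, 'UTF-8') . "<br />";
    }
    $result = mysql_query( $mysqlQuery, $link );
    if ( !$result ) {
        if ( $debug )
            die('Invalid query: ' . mysql_error());
        // Never show mysql_error() to a non-debug client: it reveals table
        // names and the statement shape. Record it server-side instead.
        error_log('sqlQuery failed: ' . mysql_error());
        print "Query failed, please try again.";
        die;
    }
    return $result;
}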


/* $_Post tester*/
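/**
 * Append one record to logs/<kind><UserID>.txt. Shared by the three
 * outcome branches of Post(); dies if the file cannot be opened, as the
 * original did.
 *
 * Control characters, backslashes and double quotes in $value are escaped so
 * a submitted value containing a newline cannot forge extra records in a log
 * that is read as one record per blank line.
 */
function Post_writeLog($kind, $label, $nameofvar, $value, $UserID) {
    $Date   = date('D, d M Y H:i:s T');
    $IP     = $_SERVER['REMOTE_ADDR'];
    $Domain = $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    $safeValue = addcslashes($value, "\0..\37\"\\");
    // DIRECTORY_SEPARATOR: the original "logs\\" prefix only worked on Windows.
    $myFile = "logs".DIRECTORY_SEPARATOR.$kind.$UserID.".txt";
    $fh = fopen($myFile, 'a') or die("can't open file");
    $stringData = "Date:=>\"".$Date ."\"\n".$label.":=>\"".$nameofvar."\"=>\"".$safeValue."\"\n\\\\\\\\\\Domain:=>\"".$Domain ."\"\n\\\\\\\\\\UserID:=>\"".$UserID ."\"\n\\\\\\\\\\IP:=>\"".$IP ."\"\n\n";
    // Exclusive lock so concurrent requests do not interleave half records.
    if (flock($fh, LOCK_EX)) {
        fwrite($fh, $stringData);
        flock($fh, LOCK_UN);
    }
    fclose($fh);
}

/**
 * Validate one submitted value against a whitelist chosen by $type and log
 * the outcome.
 *
 * Outcomes (the original's $x codes):
 *  "1" hacker string  -> echo a message, set global $error, log to
 *                        logs/hacker*.txt and insert a row in $tableIPlogger
 *  "2" accepted       -> log to logs/post*.txt and return $value unchanged
 *  "3" invalid        -> echo a message, set global $error, log to
 *                        logs/invalid*.txt
 *  unknown $type      -> echo "Syntax checker is not work ..."
 * Every outcome except "2" also appends a line to logs/Poster.txt.
 *
 * Defects fixed relative to the original:
 *  - The three parameters were overwritten with "" on entry, so no $type ever
 *    matched and every call reported "Syntax checker is not work".
 *  - The "hacker string" was passed to preg_match() as the pattern itself;
 *    with '#' as delimiter its trailing characters are invalid modifiers, so
 *    preg_match() returned false (plus a warning) on every call and the check
 *    never fired. A real pattern matching the rejected characters named in
 *    the user-facing message is used instead.
 *  - Type 5 (email) used ctype_alnum(), which rejects every real address.
 *  - The IP-logger INSERT interpolated HTTP_HOST and PHP_SELF unescaped; both
 *    are attacker-controlled, so the intrusion logger was itself injectable.
 *
 * @param string $nameofvar field name, used in messages and logs (not user data)
 * @param string $value     the submitted value
 * @param string $type      "1" letters, "2" digits, "3" letters+digits,
 *                          "4" letters+digits (see note in body), "5" email
 * @return string|null      $value when accepted, otherwise null
 */
function Post($nameofvar,$value,$type) {
/*
type1=letters only
type2=numbers only
type3=numbers and letters only
type4=anything goes (still validated as letters+digits, see below)
type5=email
*/
    global $error;
    $value = (string)$value;
    $type  = (string)$type;

    // Rejects a single quote, double quote or semicolon, the word OR on its
    // own, and the two SQL comment introducers -- what the message below
    // tells the user not to use. This is a tripwire for logging, not the
    // defence: the whitelists and query-time escaping are.
    $hackerstring = '/[\'";]|\bOR\b|--|\/\*/i';
    // $UserID is never assigned in this scope (the original isset() check
    // could only see a local), so log files always carry the "0" suffix.
    $UserID = "0";

    $x = null;
    $y = "";
    if (in_array($type, array("1", "2", "3", "4", "5"), true)) {
        if (preg_match($hackerstring, $value)) {
            $x = "1";
        } else {
            switch ($type) {
                case "1":
                    $ok = ctype_alpha($value);
                    $y = "should be letters only";
                    break;
                case "2":
                    $ok = ctype_digit($value);
                    $y = "should be numbers only";
                    break;
                case "5":
                    $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
                    $y = "should be a valid email address";
                    break;
                default: // "3" and "4"
                    // Type 4 is labelled "anything goes" but the original
                    // whitelisted letters+digits, and callers interpolate the
                    // returned value into SQL, so that whitelist is kept on
                    // purpose. Widen it only together with escaping at the
                    // query site.
                    $ok = ctype_alnum($value);
                    $y = "should be numbers and letters only";
                    break;
            }
            // ctype_*() return false for "", so a blank field lands here as "3".
            $x = $ok ? "2" : "3";
        }
    }

    if ($x === null) {
        echo "Syntax checker is not work please contact head admin;";
    } elseif ($x == "1") {
        $error = "1";
        echo "The string you have input has been taken as a hacker string. To prevent this error from accuring again please try not to use ' or the word \"OR\" or a \";\"<br>";
        echo "The error was related to the word ".$nameofvar.".<br>";
        Post_writeLog("hacker", "Hacker Post Value", $nameofvar, $value, $UserID);
        include "table2.php";
        include "databaseconnect.php";
        // HTTP_HOST and PHP_SELF come from the request; escape them against
        // the connection before they go into the statement.
        $Date   = date('D, d M Y H:i:s T');
        $IP     = mysql_real_escape_string($_SERVER['REMOTE_ADDR'], $link);
        $Domain = mysql_real_escape_string($_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'], $link);
        sqlQuery( "INSERT INTO $tableIPlogger VALUES ('$IP','$Domain','$UserID','$Date')", $link,"1");
    } elseif ($x == "2") {
        Post_writeLog("post", "Post Value", $nameofvar, $value, $UserID);
        // Accepted values return here and do not reach the Poster.txt trace,
        // matching the original control flow.
        return $value;
    } else {
        $error = "1";
        echo "You have tried to input a value where there ".$y.". The error was related to the word ".$nameofvar.". Or you have left the space blank.<br>";
        Post_writeLog("invalid", "Invalid Input", $nameofvar, $value, $UserID);
    }

    // Trace record for every call that did not return early above.
    $myFile = "logs".DIRECTORY_SEPARATOR."Poster.txt";
    $fh = fopen($myFile, 'a') or die("can't open file");
    $stringData = "Name=>".$nameofvar."||||Value=>".addcslashes($value, "\0..\37\"\\")."||||Type=>".$type."\n";
    fwrite($fh, $stringData);
    fclose($fh);
    /*end write*/
    return;
}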
?>

