PHPBuilder - Anti SQL Injection - XSS attacks script
Anti SQL Injection - XSS attacks script

by: Camilo | January 13, 2004

Version: 0.2

Type: Function

Category: Other

License: BSD License

Description: Just a little script (very simple, still very beta but working) that I made to try to prevent SQL code injection and cross-site scripting attacks. It takes all the input a form receives via the $_REQUEST superglobal, examines each value for "dangerous" shell metacharacters, strips any it finds, and sends an email to the site admin with the offender's IP. Feel free to rip it apart and enhance it!



<?php
// This prevents SQL code injection / XSS attacks by stripping the shell
// metacharacters * | ; ` from every request parameter. (The original used
// eregi()/each(), both removed in modern PHP; preg_* and foreach behave the same.)
define('META_CHARS_PATTERN', '/[*|;`]/');

function replace_meta_chars($string) {
    return preg_replace(META_CHARS_PATTERN, '', $string);
}

// Pass 1: alert the admin if any parameter carries one of the metacharacters.
foreach ($_REQUEST as $keyx => $valuex) {
    if (is_string($valuex) && preg_match(META_CHARS_PATTERN, $valuex)) {
        $referer = $_SERVER['HTTP_REFERER'] ?? '';
        $remote  = $_SERVER['REMOTE_ADDR'] ?? '';
        mail("camilo@cancun.com", "Hack Alert",
             "There's been a SQL Injection hacking attempt. $referer $remote",
             "From: core@cancun.com\r\nBcc: bernhardx@cancun.com");
    }
}

// Pass 2: strip the metacharacters and expose the cleaned values.
foreach ($_REQUEST as $keyx => $valuex) {
    if (!is_string($valuex)) {
        continue;   // array-valued parameters (foo[]=...) are left alone
    }
    // Variable variables: each request key becomes a global variable holding
    // the cleaned value. This mirrors register_globals, so a request can
    // overwrite any existing variable of the same name; keep that in mind.
    ${$keyx} = replace_meta_chars($valuex);
    echo htmlspecialchars($keyx) . " " . htmlspecialchars(${$keyx}) . "\n";
}
// end anti SQL XSS script.

Note: Initially I used the escapeshellcmd() function, but we discovered it was messing with our e-commerce site, as it nukes EVERY metacharacter, including some that are used in credit card transactions; so I had to develop a little function that only nukes what I tell it to. :)
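Added example, not part of the original snippet: it puts the metacharacter blacklist from the description next to the two controls that actually stop SQL injection and XSS, a parameterised query (PDO) and HTML escaping at output. The blacklist never touches an apostrophe, so a name like O'Brien (the kind of legitimate value the note above says escapeshellcmd() mangled) passes through unchanged and is still handled safely because it is bound as a parameter rather than pasted into the SQL text. The SQLite table, the strip_meta_chars() helper and the request values are constructed for this demonstration and assume the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original snippet): the page's blacklist as a
// detection/alerting layer, with parameterised queries and output encoding
// doing the real protection. Table, helper and inputs are constructed here.

const META_CHARS_PATTERN = '/[*|;`]/';

// Same idea as replace_meta_chars() on this page: strip a fixed set of shell
// metacharacters and report whether anything was removed (the alert signal).
function strip_meta_chars(string $value): array {
    $clean = preg_replace(META_CHARS_PATTERN, '', $value);
    return [$clean, $clean !== $value];
}

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is installed
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO customers (name) VALUES ('Ana'), ('O''Brien')");

// Constructed request values: a plain name, a name with an apostrophe
// (legitimate customer data, yet the character a string-concatenated query
// would break on), and one carrying a metacharacter the blacklist catches.
$inputs = ['name' => 'Ana', 'name2' => "O'Brien", 'name3' => 'Ana; x'];

// The value is bound as a parameter, so it can never change the query text.
$lookup = $db->prepare('SELECT id, name FROM customers WHERE name = :name');

foreach ($inputs as $key => $raw) {
    [$clean, $hit] = strip_meta_chars($raw);

    $lookup->execute([':name' => $clean]);
    $rows = $lookup->fetchAll(PDO::FETCH_ASSOC);

    // Output encoding handles XSS at the point of reflection, whatever the
    // blacklist did or did not remove.
    printf("%s: blacklist_hit=%s value=%s matches=%d\n",
        $key,
        $hit ? 'yes' : 'no',
        htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'),
        count($rows));
}
```

Running it prints one line per input: "Ana" and "O'Brien" each match exactly one row with no blacklist hit (the apostrophe is shown encoded as &#039; in the output), while "Ana; x" triggers the blacklist, is stripped to "Ana x" and matches nothing. The point for a practitioner is that the blacklist is useful as an alert, as the page uses it, but the bound parameter and the output encoding are what make the request safe regardless of which characters the blacklist happens to list.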
