I found this code to protect against and stop SQL Injection. However, I do not know how to use it or where to place it. I am looking for something that will prevent or stop SQL Injection into a vBulletin site. I have found many links, BUT TRULY they are discussed and outlined for the HACKERS ... NOT a step by step easy guide. I DO NOT want to learn about SQL Injection and HOW to hack. As a newbie, like many, I am hoping someone will take the time to discuss prevention in an easy guide?

http://forums.digitalpoint.com/showthread.php?t=445907

EXAMPLE OF AN EASY GUIDE:

Within vBulletin admincp, Styles and templates, search for ?????? code or add code *****. By doing this it will protect you from SQL Injection on your site because you are a beautiful girl ********

Some code I found:

```php
<?php
// Escapes the named global variables in place with mysql_escape_string().
// Note: mysql_escape_string() was deprecated in PHP 5.3 and the whole
// mysql_* extension was removed in PHP 7.0.
function escape() {
    $c = func_num_args();
    $a = func_get_args();
    for ($i = 0; $i < $c; $i++) {
        // ${$a[$i]} is written out explicitly: the original "$$a[$i]"
        // changes meaning between PHP 5 and PHP 7.
        global ${$a[$i]};
        $b = mysql_escape_string(${$a[$i]});
        ${$a[$i]} = $b;
    }
}

/* Example */
$test1 = ")= ()!='=(/%)/'&()¤?&";
$test2 = "'ASDADS\"asd8=/(&%^'AND";
echo "test1 before mysql_escape_string:" . $test1 . "<br />";
echo "test2 before mysql_escape_string:" . $test2 . "<br /><br />";
escape('test1', 'test2');
echo "test1 <b>after</b> mysql_escape_string:" . $test1 . "<br />";
echo "test2 <b>after</b> mysql_escape_string:" . $test2 . "<br />";
?>
```
Within a vBulletin, HOW do you use this, sir?

nico_swd:

For numeric/integer values:

```php
$foo = intval($foo);
```

www.php.net/intval

And for any other data:

```php
$foo = mysql_real_escape_string($foo);
```

www.php.net/mysql_real_escape_string

Never, ever trust the user or think "Nah, they won't do or try this". You can also use preg_* functions to filter the input for what it needs to be. For example, if you only want to allow characters from a-z you can do:

```php
$foo = preg_replace('/[^a-z]/i', '', $foo);
```

www.php.net/preg_replace

Or if you have a select, for example, and you want to make sure the submitted value exists in the select, do something like:

```php
$allowed_values = array('foo', 'bar', 'etc');
if (!in_array($_POST['select'], $allowed_values)) {
    // Handle error
}
```

I repeat, don't trust anyone. Think about every variable in your query string and make sure the user has no chance to insert something he isn't supposed to.

GREAT ADVICE HERE
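Putting the three rules from nico_swd's answer (intval for numbers, a preg_* whitelist for restricted text, an allowed-values list for selects) into one function, as an added example that is not code from this thread or from vBulletin. The field names and rules are constructed for the demo; for free text the caller is assumed to pass an escaper such as mysqli_real_escape_string bound to an open connection, since the mysql_* functions no longer exist in PHP 7+.

```php
<?php
// Added example (not from this thread or vBulletin): check every form field
// against a rule before any query is built. Rule types: 'int' (intval cast),
// 'enum' (must be one of the allowed values), 'regex' (only the characters
// you expect) and 'string' (free text, passed through the supplied escaper).
// A field that fails its rule rejects the whole request; unlisted fields drop.
function clean_input(array $input, array $rules, ?callable $escape = null): ?array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        // $_POST['x'][]=... turns a field into an array: intval() of an array
        // is 1 and preg_* returns an array, so accept nothing but a string.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return null;
        }
        $value = $input[$field];
        switch ($rule['type']) {
            case 'int':
                if (!preg_match('/^-?\d{1,10}\z/', $value)) return null;
                $clean[$field] = intval($value);
                break;
            case 'enum':   // strict comparison: compare as strings only
                if (!in_array($value, $rule['allowed'], true)) return null;
                $clean[$field] = $value;
                break;
            case 'regex':
                if (!preg_match($rule['pattern'], $value)) return null;
                $clean[$field] = $value;
                break;
            case 'string':
                if ($escape === null) return null;  // no escaper, no free text
                $clean[$field] = $escape($value);
                break;
            default:
                return null;
        }
    }
    return $clean;
}

// Constructed sample: a thread-listing form with three fields and its rules.
$rules = [
    'forumid'  => ['type' => 'int'],
    'sortby'   => ['type' => 'enum', 'allowed' => ['title', 'dateline']],
    'username' => ['type' => 'regex', 'pattern' => '/^[a-z0-9_]{3,25}\z/i'],
];
var_dump(clean_input(['forumid' => '17', 'sortby' => 'title', 'username' => 'nico_swd'], $rules));
var_dump(clean_input(['forumid' => '17 x', 'sortby' => 'title', 'username' => 'nico_swd'], $rules));
```

With the constructed input, the first call returns the typed array (forumid as the integer 17) and the second returns null, because '17 x' is not an integer, so the request never reaches a query.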
Before you use given data (data entered by a user) in a query, make sure you always mysql_real_escape_string() the data. Most people use stripslashes or strip_tags, but those aren't secure.
THANK YOU SO MUCH ... this is a start. HOW do I use this ... I would like to do it now ..... My first post I hope I asked the right question. LOCK DOWN, SECURE, STOP SQL Injection, TOTAL, SECURITY?
A good option for getting values from forms is this:

```php
<?php
// Wrapper around mysql_real_escape_string() for values placed inside quoted
// strings in a query. It needs an open mysql connection, and the mysql_*
// extension was removed in PHP 7.0.
function safe($value) {
    return mysql_real_escape_string($value);
}
?>
```

Then, when I am using my code, I simply use:

```php
<?php
$name = safe($_POST["name"]);
$password = safe($_POST["password"]);
?>
```