[Guide]Protecting Your PHP Website FAQs
Here are some easy ways to protect your website from different types of security holes.
A. SQL INJECTIONS
Quote:
How to use:
1. Download the file (sql_inject.php) and put it in the same folder as your PHP file.
2. Put these lines at the top of the page, just after <?php:
PHP Code:
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log', $bDestroy_session, $url_redirect);
3. This is the SQL injection checker:
PHP Code:
$sqlinject->test($your_sql_data);
Explanation:
require_once "sql_inject.php"; < loads the protector file
$bDestroy_session = TRUE; < destroys any session they have
$url_redirect = 'index.php'; < if they attempt a SQL injection they are redirected to this page
$sqlinject = new sql_inject('./log_file_sql.log', $bDestroy_session, $url_redirect); < starts the SQL injection protection (./log_file_sql.log is the file where all the attempts are logged, for you to ban later on... hehehehhe)
$sqlinject->test($your_sql_data); < runs the anti SQL injector, where $your_sql_data is the MSSQL query string.
That's my best explanation.. I'm too lazy now.. if you make it work, try to explain it to the others. Don't PM me about this please..
Additional info:
PHP Code:
<?php
require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log', $bDestroy_session, $url_redirect);
// some lines here
// more lines here.. blah blah blah
// below is a little trick to fake a POST variable on this page.. as you can see the POST variable
// login has already been injected with a DROP TABLE on memb_info and clevel = 350
$_POST['login'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
// this type of SQL injection is trying to execute extra SQL statements
// then, like on any normal page, you read the $login variable (we can even try to stripslashes it)
$login = stripslashes($_POST['login']);
// your SQL query string
$query = "Select Name From Character where name = '$login'";
// normally you would check $login for SQL injection, but with the new anti SQL injector
// the entire query string can be analysed. To analyse the query string we do this:
$sqlinject->test($query);
// now that we checked it.. we can run the query
$result = mssql_query($query);
// more lines here.. blah blaah
?>
--- The above creates a new file in your folder called log_file_sql.log; make sure you make your folder writable. ---
Now I tested the sample PHP file above.. it works like a charm.
UPDATE FOR SOME TYPOS!
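A blacklist checker such as sql_inject.php can only catch the patterns it knows about, and the `stripslashes()` in the sample actually removes the escaping PHP's old magic_quotes added, so the concatenated query is even easier to break. The control a practitioner would reach for is a parameterized query, where the user value can never change the statement's structure. The following is an added example, not code from the guide or from sql_inject.php: it runs the guide's lookup the vulnerable way and the hardened way against an in-memory SQLite database through PDO (available on any PHP CLI with pdo_sqlite). The `Characters` table and its rows are constructed for the demo and are not the game's real schema; the `mssql_*` functions the guide uses were removed in PHP 7, and the same PDO calls work with the sqlsrv or dblib drivers.

```php
<?php
// Added example (not part of the original guide): the guide's name lookup written
// the vulnerable way (string concatenation) beside the hardened way (a prepared
// statement with a bound parameter). The database, table and rows below are
// constructed for the demo; they are not the game's schema.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE Characters (Name TEXT NOT NULL, clevel INTEGER NOT NULL)");
    $db->exec("INSERT INTO Characters (Name, clevel) VALUES ('admin', 400), ('bob', 12), ('alice', 90)");
    return $db;
}

// Vulnerable: $login is pasted into the SQL text, so a quote in it rewrites the query.
function findVulnerable(PDO $db, string $login): array {
    $query = "SELECT Name FROM Characters WHERE Name = '$login'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: $login travels as a bound parameter. The statement is parsed before
// the value is attached, so no escaping and no blacklist are needed.
function findSafe(PDO $db, string $login): array {
    $stmt = $db->prepare("SELECT Name FROM Characters WHERE Name = ?");
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$payload = "x' OR '1'='1";   // constructed attacker input

// Concatenation turns the query into  ... WHERE Name = 'x' OR '1'='1  and returns every row.
print_r(findVulnerable($db, $payload));
// The bound parameter is compared literally, so nothing matches.
print_r(findSafe($db, $payload));
// Ordinary input behaves the same either way.
print_r(findSafe($db, 'bob'));
```

The stacked-query payload from the guide (`'; drop table memb_info ; ...`) is handled the same way: bound as a parameter it is just a long string that matches no name, and the detector and its log file become a second line of defence rather than the only one.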
B. STOPPING OFF-DOMAIN TRANSACTIONS
Quote:
- One of the bigger holes in any website is forms.. because when you make them, it doesn't mean they stay that way: people can just download the form, edit the action, and send anything they want to your server. This is widely used by SQL injectors.
How to stop it: the idea is that on the other side of your forms you have a referral check. Referral means the last page that was used before the current one. Put this in the file you are targeting as the action of a form:
PHP Code:
if (stristr($_SERVER['HTTP_REFERER'] ?? '', 'http://www.supamu.info') === FALSE) {
    die('Hacking attempt. You are such a nooby!..');
}
-- The above checks whether the last referral was from the http://www.supamu.info domain; if not, it stops the entire page from loading any further. What you can also do is add a logging system to this, which I'll do in the next tutorial.
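Two caveats a practitioner would add to the referral check. First, the Referer header is written by the client: the same person who downloaded and edited the form can send the request with any Referer they like (curl -e, a browser extension, or a one-line script), so the check only stops casual attempts. Second, `stristr()` is a substring match, so a host such as `www.supamu.info.attacker.example` passes it. The control that actually ties a submission to a form your server handed out is a per-session anti-forgery token echoed back in a hidden field. The following is an added example, not code from the guide: it shows the substring check accepting a look-alike host and then a token issue/verify pair. The session is modelled as a plain array so the example runs from the CLI; in a real page use `$_SESSION` and `$_POST`.

```php
<?php
// Added example, not from the guide: the Referer check as written, next to a
// per-session anti-forgery token. $session stands in for $_SESSION and the
// arrays passed as $post stand in for $_POST; the usernames are made up.

// The guide's check, as a function.
function refererCheck(string $referer, string $site = 'http://www.supamu.info'): bool {
    return stristr($referer, $site) !== false;
}

// Issue (once per session) the token the form must embed in a hidden field.
function issueToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the token the submitted form carries, with a constant-time compare.
function checkToken(array $session, array $post): bool {
    if (!isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// A look-alike host (or any hand-set Referer) passes the substring check...
var_dump(refererCheck('http://www.supamu.info/register.php'));               // true: genuine
var_dump(refererCheck('http://www.supamu.info.attacker.example/form.html'));  // true: look-alike host
var_dump(refererCheck(''));                                                   // false: header absent

// ...while a downloaded, edited form cannot know the token bound to this session.
$session = [];
$token = issueToken($session);
var_dump(checkToken($session, ['Member_ID' => 'bob', 'csrf_token' => $token]));  // true
var_dump(checkToken($session, ['Member_ID' => 'bob']));                          // false: token missing
var_dump(checkToken($session, ['Member_ID' => 'bob', 'csrf_token' => 'guess']));  // false: wrong token
```

In the form page, emit `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(issueToken($_SESSION)) ?>">`, and in the action file call `checkToken($_SESSION, $_POST)` before touching the database. The referral check can stay as a cheap first filter, but it should not be the thing that decides whether a query runs.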
C. Adding a Simple Auto File Logger To your Website
This is to catch those hacking attempts in a FILE! The anti SQL injector already has its own logging system, but this is for the other stuff you want to log, for example the referral check.
Here is the main function for the logger (you need to put this somewhere in your PHP files, e.g. a global include file):
PHP Code:
function filelogs($type, $info, $muser) {
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $uri   = $_SERVER['REQUEST_URI'] ?? '';
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '';
    $ref   = $_SERVER['HTTP_REFERER'] ?? '';
    $dtime = date('r');
    if ($ref == "") {
        $ref = "None";
    }
    if ($muser == "") {   // was $user in the original, which is never set
        $muser = "None";
    }
    // One file per $type. The directory must be writable by the web server and
    // should sit outside the web root so the logs cannot be downloaded.
    $location = __DIR__ . "/logs/";
    $type = $location . basename($type) . ".txt";
    $entry_line = "$dtime - IP: $ip | Agent: $agent | URL: $uri | Referrer: $ref | Username: $muser | Query : $info ";
    // Agent, Referrer and $info are attacker-controlled: drop CR/LF so a request
    // cannot forge extra log lines.
    $entry_line = str_replace(["\r", "\n"], ' ', $entry_line) . "\n";
    $fp = fopen($type, "a");
    fputs($fp, $entry_line);
    fclose($fp);
}
How to use it is simple, like this:
PHP Code:
filelogs('filename', $additionalinfo, $theusername);
filename = just to separate one kind of log from another
$additionalinfo = some info you want to include in the log, like the query or the current referrer's address
$theusername = if you have cookies, you can put the username here, so you'll know who to ban for these acts.
A sample script.. this is combined with the referral filter from B:
PHP Code:
if (stristr($_SERVER['HTTP_REFERER'] ?? '', 'http://www.supamu.info') === FALSE) {
    filelogs('account-creat', $_SERVER['HTTP_REFERER'] ?? '', $_POST['Member_ID'] ?? '');
    die('Hacking attempt. You are such a nooby!..');
}
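The log only answers "who to ban" if someone reads it. The following is an added example, not code from the guide: a parser for the entry format `filelogs()` writes and a count of entries per source IP, which is the triage a practitioner would run before banning anyone. The four log lines are constructed to match that format; the addresses, usernames and paths are made up. Note that the parser can only be trusted if the writer strips CR/LF from the attacker-controlled fields (Agent, Referrer, Query); otherwise one request can plant entries that blame another IP.

```php
<?php
// Added example, not from the guide: parse the lines filelogs() writes and rank
// source IPs by number of attempts. SAMPLE_LOG is constructed to match the
// entry format; the IPs, users and URLs are made up.

$sampleLog = <<<'LOG'
Sat, 12 Jan 2008 20:15:01 +0000 - IP: 203.0.113.7 | Agent: Mozilla/5.0 | URL: /register.php | Referrer: None | Username: None | Query : None 
Sat, 12 Jan 2008 20:15:03 +0000 - IP: 203.0.113.7 | Agent: Mozilla/5.0 | URL: /register.php | Referrer: http://evil.example/form.html | Username: bob | Query : http://evil.example/form.html 
Sat, 12 Jan 2008 20:16:40 +0000 - IP: 198.51.100.9 | Agent: curl/7.18 | URL: /register.php | Referrer: None | Username: None | Query : None 
Sat, 12 Jan 2008 20:16:41 +0000 - IP: 203.0.113.7 | Agent: Mozilla/5.0 | URL: /register.php | Referrer: None | Username: None | Query : None 
LOG;

// Split one entry into named fields; returns null for a line that does not match the format.
function parseLogLine(string $line): ?array {
    $pattern = '/^(?<time>.+?) - IP: (?<ip>\S+) \| Agent: (?<agent>.*?) \| URL: (?<url>\S*) '
             . '\| Referrer: (?<ref>.*?) \| Username: (?<user>.*?) \| Query : (?<query>.*?)\s*$/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'time'  => $m['time'],  'ip'   => $m['ip'],   'agent' => $m['agent'], 'url' => $m['url'],
        'ref'   => $m['ref'],   'user' => $m['user'], 'query' => $m['query'],
    ];
}

// Count entries per IP and keep those at or above $threshold, most active first.
function attemptsByIp(string $log, int $threshold = 1): array {
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;   // malformed line: skip rather than miscount
        }
        $counts[$entry['ip']] = ($counts[$entry['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return array_filter($counts, fn($n) => $n >= $threshold);
}

print_r(attemptsByIp($sampleLog, 2));   // 203.0.113.7 => 3; 198.51.100.9 falls below the threshold
```

To run it over a real file, pass `file_get_contents(__DIR__ . '/logs/account-creat.txt')` instead of `$sampleLog`. Because the format uses ` | ` as its separator and the Agent and Referrer fields are client-supplied, a header containing ` | ` will fail to parse and be skipped; if that matters, have the writer escape or drop that sequence as it already does for newlines.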