  1. #1
    New Coder

    Want to increase security

    Hey all,

    I was wondering if I could increase security on this webpage. Someone told me the anti-sql injection code was outdated and most probably injectable. This register page is from a developer who left the coding scene. I myself am not good at PHP so I would like to request some help with what I can do to increase security.

    Code:
    <?php
    /*
    This script was written by Wizkid.
    All rights reserved. Any support can be requested via RageZone.
    
    You're allowed to edit this script and modify the template.
    However, you are NOT allowed to remove and/or edit my copyright.
    
    Removing this copyright will be your death.
    */
    
    //Edit to fit YOUR requirements.
    $servername = "English GunZ";
    $accounttable = "Account";
    $logintable = "Login";
    
    //Edit these variables. If not, no regpage for you. (Or you're fuxpro with the same logins as me.)
    $host = "hidden";
    $user = "hidden";
    $pass = "hidden";
    $dbname = "GunzDB";
    
    $connect = odbc_connect("Driver={SQL Server};Server={$host}; Database={$dbname}", $user, $pass) or die("Can't connect the MSSQL server.");
    
    //The well-known antisql injection. Bad enough, it's needed.
    function antisql( $sql )
    {
    return( str_replace( "'", "''", $sql ) );
    }
    
    //My favorite function. Get The **** Off. (Nothing personally :].)
    function gtfo($wut) {
    echo "<center><table width='500' cellpadding='5' cellspacing='0' border='0' style='border: 1px ;'>
    <tr>
    <td align=center width='100%' style='border-bottom: 1px solid black;'><b>Error</b></td>
    </tr>
    <tr>
    <td width='100%'><center>$wut</center></td>
    </tr>
    </table>";
    die();
    }
    
    //Check email function. This to prevent fake emails. (Remember the time YOU doing that?)
    function checkemail($address) {
    list($local, $host) = explode("@", $address);
    $pattern_local = "^([0-9a-z]*([-|_]?[0-9a-z]+)*)(([-|_]?)\.([-|_]?)[0-9a-z]*([-|_]?[0-9a-z]+)+)*([-|_]?)$";
    $pattern_host  = "^([0-9a-z]+([-]?[0-9a-z]+)*)(([-]?)\.([-]?)[0-9a-z]*([-]?[0-9a-z]+)+)*\.[a-z]{2,4}$";
    $match_local = eregi($pattern_local, $local);
    $match_host = eregi($pattern_host, $host);
    if($match_local && $match_host) {
    return 1;
    }
    else {
    return 0;
    }
    }
    
    //The num_rows() function for ODBC since the default one always returns -1.
    function num_rows(&$rid) {
    
    //We can try it at least, right?
    $num= odbc_num_rows($rid);
    if ($num >= 0) {
    return $num;
    }
    
    if (!odbc_fetch_row($rid, 1)) {
    odbc_fetch_row($rid, 0);
    return 0;
    }
    
    if (!odbc_fetch_row($rid, 2)) {
    odbc_fetch_row($rid, 0);
    return 1;
    }
    
    $lo= 2;
    $hi= 8192000;
    
    while ($lo < ($hi - 1)) {
    $mid= (int)(($hi + $lo) / 2);
    if (odbc_fetch_row($rid, $mid)) {
    $lo= $mid;
    } else {
    $hi= $mid;
    }
    }
    $num= $lo;
    odbc_fetch_row($rid, 0);
    return $num;
    }
    ?>
    <html>
    <head>
    <title>English GunZ Registration</title>
    </head>
    <body>
    <center>
    <?php
    //Oh well. Let's create the variable $ip to start with.
    $ip = antisql($_SERVER['REMOTE_ADDR']);
    
    /*
    An extra feature. This is NOT enabled before you remove this + the comment thingy's.
    
    To ban 1 IP it will be:
    if ($ip == "xxxxxx")
    {
    gtfo("Your IP is blacklisted.");
    }
    
    For multiple IP's, use this way:
    if ($ip == "xxxxxx" OR $ip == "xxxxxx")
    {
    gtfo("Your IP is blacklisted.");
    }
    */
    
    //Get the AID out of the Login table (defined at the top of this file) where LastIP is the visitors IP.
    $query1 = odbc_exec($connect,"SELECT AID FROM $logintable WHERE LastIP = '$ip'");
    
    //Understable for the real people. Editing this without knowledge will be the death of your regpage.
    $i=1;
    while (odbc_fetch_row($query1, $i)){
    $aid = odbc_result($query1, 'AID');
    
    $query2 = odbc_exec($connect,"SELECT UGradeID FROM $accounttable WHERE AID = '$aid'");
    odbc_fetch_row($query2);
    $ugradeid = odbc_result($query2, 1);
    
    if ($ugradeid == "253")
    {
    //Get the **** off.
    gtfo("You have one or more accounts banned here. You're not welcome anymore.");
    }
    
    $i++;
    }
    
    //The doreg part.
    if (isset($_GET['act']) AND $_GET['act'] == "doreg")
    {
    
    //Check for any ****.
    if (!is_numeric($_POST['age']) OR !checkemail($_POST['email']) OR empty($_POST['username']) OR empty($_POST['password']) OR empty($_POST['email']) OR empty($_POST['name']) OR empty($_POST['age']))
    {
    gtfo("You're not funny.");
    }
    
    //Check if the username exists already.
    $query1 = odbc_exec($connect, "SELECT AID FROM $accounttable WHERE UserID = '" . antisql($_POST['username']) . "'");
    $count1 = num_rows($query1);
    
    if ($count1 >= 1)
    {
    gtfo("Username in use.");
    }
    
    //Check if the Email is in use.
    $query2 = odbc_exec($connect, "SELECT AID FROM $accounttable WHERE Email = '" . antisql($_POST['email']) . "'");
    $count2 = num_rows($query2);
    
    if ($count2 >= 1)
    {
    gtfo("Email address in use.");
    }
    
    //Regdate
    $regdate = date("Y-m-d H:i:s");
    
    //Time for the real work. Editing this will be the end of your regpage.
    $query3 = odbc_exec($connect, "INSERT INTO $accounttable (UserID, UGradeID, PGradeID, RegDate, Email, Age, Name) VALUES ('".antisql($_POST['username'])."', '0', '0', '$regdate', '".antisql($_POST['email'])."', '".antisql($_POST['age'])."', '".antisql($_POST['name'])."')");
    
    $query4 = odbc_exec($connect, "SELECT AID FROM $accounttable WHERE UserID = '" . antisql($_POST['username']) . "'");
    odbc_fetch_row($query4);
    $aid = odbc_result($query4, 1);
    
    //If no results comes back. (Registration failed.)
    if (!$aid)
    {
    gtfo("**** happened. Please report this bug at our forums.");
    }
    
    odbc_exec($connect, "INSERT INTO $logintable (UserID, AID, Password) VALUES ('".antisql($_POST['username'])."', '$aid', '".antisql($_POST['password'])."')");
    
    //When everything is done, show the username/password to the visitor.
    gtfo("Your account has been created.<br><br>
    Username: $_POST[username]<br>
    Password: $_POST[password]<br><br>
    Have fun at $servername!");
    }
    
    //Here the party begins. Feel free to edit this.
    echo "<table width='350'>
    <form action='" . $_SERVER['PHP_SELF'] . "?act=doreg' method='POST'>
    <b>Register an account at $servername.</b><br><br>
    <tr>
    <td width='50%'><b>Username:</b></td>
    <td width='50%'><input type='text' name='username'></td>
    </tr>
    <tr>
    <td width='50%'><b>Password:</b></td>
    <td width='50%'><input type='password' name='password'></td>
    </tr>
    <tr>
    <td width='50%'><b>E-mail:</b></td>
    <td width='50%'><input type='text' name='email'></td>
    </tr>
    <tr>
    <td width='50%'><b>Name:</b></td>
    <td width='50%'><input type='text' name='name'></td>
    </tr>
    <tr>
    <td width='50%'><b>Age:</b></td>
    <td width='50%'><input type='text' name='age'></td>
    </tr>
    <tr>
    <td width='50%'><b></b></td>
    <td width='50%'><input type='submit' value='Register'></td>
    </tr>
    </table>";
    ?>
    <br>
    <!-- No you don't remove it. -->
    <font size="1">Copyright 2011 Wizkid - English GunZ.</font>
    <!-- See? -->
    </center>
    </body>
    </html>
    Any help would be greatly appreciated.

  • #2
    Fou-Lu
    This code is ancient for sure, you should be looking at a full replacement instead of an increase in necessary security. I raise question to the developer as well; just the comments alone in here lead me to question their professionalism.
    PHP's API is downright now, but I'm quite sure there is an Oracle driver for PDO available, which is probably what I'd use over odbc.
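    The point behind both posts, shown in code. This is an added example written for this thread, not the script from post #1 and not code from Fou-Lu or the GunZ project. The posted antisql() only doubles single quotes, so it protects a value only while that value sits inside a single-quoted SQL literal, and every call site that forgets it (or puts a value in an unquoted position) is a hole; the num_rows() binary-search hack exists only because the query is built as a string. The version below builds the same registration flow (same Account/Login tables and column names as the posted script) on PDO prepared statements, so the SQL text and the user's data never mix, and adds input validation, password hashing and HTML-escaped output. The DSN and the pdo_sqlsrv driver are assumptions; the credentials are placeholders exactly as in the original.

```php
<?php
declare(strict_types=1);

// Added example (not the thread's code). Table/column names come from the posted
// script; the DSN, driver and validation rules below are assumptions.
const ACCOUNT_TABLE = 'Account'; // identifiers cannot be bound as parameters,
const LOGIN_TABLE   = 'Login';   // so they are fixed constants, never request data

function connectDb(string $host, string $dbname, string $user, string $pass): PDO
{
    // Assumes pdo_sqlsrv. With the PDO ODBC driver the DSN would instead be
    // "odbc:Driver={SQL Server};Server={$host};Database={$dbname}".
    return new PDO("sqlsrv:Server={$host};Database={$dbname}", $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of being ignored
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side parameter binding
    ]);
}

// Returns a list of validation errors; an empty list means the input is acceptable.
function validateRegistration(array $post): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $post['username'] ?? '')) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if (strlen($post['password'] ?? '') < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    $range = ['options' => ['min_range' => 1, 'max_range' => 120]];
    if (filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'Age must be a whole number between 1 and 120.';
    }
    if (trim($post['name'] ?? '') === '') {
        $errors[] = 'Name is required.';
    }
    return $errors;
}

// COUNT(*) with a bound value replaces the posted num_rows() workaround entirely.
// $column is chosen by our own code below, never taken from the request.
function valueExists(PDO $pdo, string $column, string $value): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM ' . ACCOUNT_TABLE . " WHERE {$column} = :v");
    $stmt->execute([':v' => $value]);
    return (int) $stmt->fetchColumn() > 0;
}

// Creates the Account and Login rows in one transaction and returns the new AID.
function registerAccount(PDO $pdo, array $post): int
{
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('INSERT INTO ' . ACCOUNT_TABLE
            . ' (UserID, UGradeID, PGradeID, RegDate, Email, Age, Name)'
            . ' VALUES (:u, 0, 0, :regdate, :email, :age, :name)');
        $stmt->execute([
            ':u' => $post['username'], ':regdate' => date('Y-m-d H:i:s'),
            ':email' => $post['email'], ':age' => (int) $post['age'], ':name' => $post['name'],
        ]);

        // Same AID lookup the original performs, with the username bound instead of pasted in.
        $stmt = $pdo->prepare('SELECT AID FROM ' . ACCOUNT_TABLE . ' WHERE UserID = :u');
        $stmt->execute([':u' => $post['username']]);
        $aid = $stmt->fetchColumn();
        if ($aid === false) {
            throw new RuntimeException('Account row not found after insert.');
        }

        // Stored as a password_hash() digest, not plaintext. Assumption: whatever reads
        // Login.Password (e.g. the game server) is changed to verify hashes as well.
        $stmt = $pdo->prepare('INSERT INTO ' . LOGIN_TABLE . ' (UserID, AID, Password) VALUES (:u, :aid, :pw)');
        $stmt->execute([
            ':u' => $post['username'], ':aid' => (int) $aid,
            ':pw' => password_hash($post['password'], PASSWORD_DEFAULT),
        ]);
        $pdo->commit();
        return (int) $aid;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

if (($_GET['act'] ?? '') === 'doreg' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateRegistration($_POST);
    if ($errors === []) {
        $pdo = connectDb('hidden', 'GunzDB', 'hidden', 'hidden'); // placeholders, as in the posted script
        if (valueExists($pdo, 'UserID', $_POST['username'])) {
            $errors[] = 'Username in use.';
        } elseif (valueExists($pdo, 'Email', $_POST['email'])) {
            $errors[] = 'Email address in use.';
        }
    }
    if ($errors !== []) {
        foreach ($errors as $msg) {
            echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        exit;
    }
    registerAccount($pdo, $_POST);
    // Echo only the escaped username; the original echoed the password back, which should never be done.
    echo 'Account created for ' . htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
}
```

    Two design points worth noting: table and column names still have to be fixed strings in the query text (parameters only bind values), so they must come from constants in the code and never from the request; and the posted script used a quoted string comparison for the numeric AID, whereas binding an integer parameter lets the driver type it correctly without any quoting at all.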