SQL Injection protected simple registration script? Anybody have it?

anacondaq

Hello guys, I am looking for a simple SQL injection/XSS protected account registration PHP script.

Features it must have:

  • script must be secure
  • script must be easy

 
There are a lot of Firefox and Chrome plugins that might just do that. They are pretty basic at looking for SQL injections on input forms. I don't remember any names now, but going through their extensions page and looking for XSS or injection should give you quite a list.

 
You don't need big protection for an RO server: there's no gain for potential hackers, so you can expect to be attacked only by unhappy users, 99.9% of whom won't know how to bypass basic security measures.

You only need to be concerned about SQL injections (any level) and basic XSS attacks. What's the best thing you can do out there? Sanitize any user input and you're good to go: ensure you got what you expected when the form is sent and you needn't worry about anything else. Just be paranoid about any user input you get.

PHP already provides the tools you need: use strlen() to ensure all string lengths (user name, password, mail) are in bounds (also check that the sex length for the account is 1), then use a whitelist of the chars you'd want to insert into your SQL database and check that all strings meet those requirements. Here is an example of the character whitelist of Ceres CP (returns TRUE if there's any unallowed character in a string):

```php
function inject($string) {
    // allowed characters
    $permitido = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890.@$&-_/§*°ºª";
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos($permitido, substr($string, $i, 1)) === FALSE) {
            return TRUE; // found a character outside the whitelist
        }
    }
    return FALSE;
}
```
You could also sanitize the vars before inserting them into the DB by using functions like mysql_real_escape_string. You should be good to go with the above function, though.

Hope I helped.

 
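Pulling the advice in the post above together, as an added example that is not the thread's or Ceres CP's own code: length bounds, an M/F check for sex, a byte whitelist in the spirit of inject(), and then an INSERT through a prepared statement so user data never becomes part of the SQL text at all. The `login` table layout, the column names, the length limits and the use of password_hash() are assumptions for this example (a login server that expects plaintext or MD5 passwords would need its own scheme); the demo runs against an in-memory SQLite database with constructed input, and the same prepared statement works unchanged on MySQL.

```php
<?php
// Added example (not from the thread): validate registration input as the
// post describes, then insert it with a prepared statement.
declare(strict_types=1);

// Assumed limits, modelled on a typical rAthena/Hercules `login` table.
const USERID_MAX = 23;
const PASS_MAX   = 23;
const EMAIL_MAX  = 39;

// Byte whitelist in the spirit of the Ceres CP inject() check (ASCII subset).
// Returns true if $string contains any byte outside the whitelist.
function has_disallowed_chars(string $string): bool
{
    $allowed = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890.@$&-_/';
    // strspn() counts the leading run of whitelisted bytes; if that run is
    // shorter than the whole string, something outside the whitelist is present.
    return strspn($string, $allowed) !== strlen($string);
}

// Validate the submitted form. Returns a list of error strings (empty = OK).
function validate_registration(array $form): array
{
    $errors = [];
    foreach (['userid', 'user_pass', 'sex', 'email'] as $field) {
        if (!isset($form[$field]) || !is_string($form[$field])) {
            $errors[] = "$field is missing";
        }
    }
    if ($errors) {
        return $errors;
    }
    $len = strlen($form['userid']);
    if ($len < 4 || $len > USERID_MAX) {
        $errors[] = 'userid length out of bounds';
    }
    $len = strlen($form['user_pass']);
    if ($len < 4 || $len > PASS_MAX) {
        $errors[] = 'password length out of bounds';
    }
    if (strlen($form['email']) > EMAIL_MAX
        || filter_var($form['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is invalid';
    }
    // "check the sex length is 1": the value must be exactly M or F
    if (!in_array($form['sex'], ['M', 'F'], true)) {
        $errors[] = 'sex must be M or F';
    }
    foreach (['userid', 'user_pass'] as $field) {
        if (has_disallowed_chars($form[$field])) {
            $errors[] = "$field contains disallowed characters";
        }
    }
    return $errors;
}

// Insert the account through a prepared statement. Returns the new row id.
function register_account(PDO $pdo, array $form): int
{
    $errors = validate_registration($form);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $pdo->prepare(
        'INSERT INTO login (userid, user_pass, sex, email) VALUES (:userid, :user_pass, :sex, :email)'
    );
    $stmt->execute([
        ':userid'    => $form['userid'],
        // assumption: hashed storage; match this to what your login server expects
        ':user_pass' => password_hash($form['user_pass'], PASSWORD_DEFAULT),
        ':sex'       => $form['sex'],
        ':email'     => $form['email'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Demo against in-memory SQLite with constructed input (assumed schema).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE login (account_id INTEGER PRIMARY KEY AUTOINCREMENT,
    userid TEXT UNIQUE, user_pass TEXT, sex TEXT, email TEXT)');

$good = ['userid' => 'player1', 'user_pass' => 'hunter22', 'sex' => 'M', 'email' => 'p1@example.org'];
echo 'registered account_id ', register_account($pdo, $good), PHP_EOL;

// Classic injection payload: rejected by the whitelist before any SQL runs,
// and even if it reached the query the placeholder would treat it as data.
try {
    register_account($pdo, ['userid' => "x' OR '1'='1"] + $good);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The whitelist is the defence-in-depth layer the post asks for; the prepared statement is what actually removes the injection, so keep it even if you later relax the whitelist (for example to allow more e-mail characters).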
That's a bit harder, but on a registration script you don't need to protect against brute force.

In case you want to protect a login form from brute force attacks you can use sessions in PHP:

```php
<?php
// Preceding code here
session_start();

// Let's figure out a failed login attempt has just happened
if (!isset($_SESSION['failedlogins'])) {
    $_SESSION['failedlogins'] = 0;
}
$_SESSION['failedlogins']++;
if ($_SESSION['failedlogins'] >= 3) {
    // We're gonna ban this user for 1 hour
    $_SESSION['banneduntil'] = time() + 3600;
}

// Some code here
if (isset($_SESSION['banneduntil']) && $_SESSION['banneduntil'] > time()) {
    $remainder = $_SESSION['banneduntil'] - time();
    echo "You're banned for attempting a brute force attack. You'll be unbanned in $remainder seconds.";
} else {
    // Not banned
    // Display login form
}
// Some more code here...
```
If my memory isn't failing me, it's like that.

 
How about brute force? Does anyone have an idea how to prevent it?
Why not try including a CAPTCHA in login forms?
Hi 0x8,

Unfortunately, CAPTCHA can be bypassed nowadays. The sessions suggested by jaBote are definitely a good idea to consider.

I didn't know about that until now. Thanks for the info


 
What? Sessions don't protect from brute force attacks.

Session: gives a key, stored in a cookie, that references some variables on the server. If you clear the cookie (or just don't create it), the server will not recognize you.

The best ways I see:

  • Use reCAPTCHA.
  • Send a mail with a key to confirm registration (avoids invalid mail addresses), and maybe check the mail against a blacklist.
  • Store the IP address for some time in a database, to block the next registration from the same IP until a specified date.
  • Just check in your Ragnarok database the IP stored in login and login_log to avoid creating an account if the IP is present more than x times.

CONS:

  • Captcha can be bypassed if you pay some guys in China (or somewhere else) to solve the captchas you send them (but I still recommend reCAPTCHA, it's the best on the market).
  • IP restriction is totally useless in the case of a proxy or botnet.


Hope it helps.
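The two replies above disagree about where the failed-login counter should live. As an added example (not code from the thread or from any control panel), here is the server-side version of jaBote's snippet: the counter and the ban expiry are stored in a database table keyed by client IP and account name, so dropping the session cookie does not reset them. The `login_attempts` table, the thresholds and the use of SQLite's UPSERT syntax are assumptions for this example (MySQL spells the same thing `ON DUPLICATE KEY UPDATE`); the demo runs against an in-memory SQLite database with constructed attempts. The limits the reply lists still apply: clients behind one NAT share an IP, and proxies or a botnet spread attempts across many.

```php
<?php
// Added example (not from the thread): a failed-login throttle whose state
// lives in the database, keyed by (ip, userid), instead of in $_SESSION.
declare(strict_types=1);

const MAX_FAILURES = 3;     // failures allowed inside the window (assumed)
const WINDOW_SECS  = 3600;  // window in which failures are counted (assumed)
const BLOCK_SECS   = 3600;  // block length once the limit is hit (assumed)

function throttle_schema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        ip TEXT NOT NULL, userid TEXT NOT NULL,
        failures INTEGER NOT NULL DEFAULT 0,
        first_failure INTEGER NOT NULL,
        blocked_until INTEGER NOT NULL DEFAULT 0,
        PRIMARY KEY (ip, userid))');
}

// Seconds remaining on the block for this ip/userid pair, 0 if not blocked.
function blocked_for(PDO $pdo, string $ip, string $userid, int $now): int
{
    $stmt = $pdo->prepare('SELECT blocked_until FROM login_attempts WHERE ip = :ip AND userid = :userid');
    $stmt->execute([':ip' => $ip, ':userid' => $userid]);
    $until = (int) $stmt->fetchColumn();   // false -> 0 when no row exists
    return max(0, $until - $now);
}

// Record one failed attempt; returns true if the pair is now blocked.
function record_failure(PDO $pdo, string $ip, string $userid, int $now): bool
{
    $stmt = $pdo->prepare('SELECT failures, first_failure FROM login_attempts WHERE ip = :ip AND userid = :userid');
    $stmt->execute([':ip' => $ip, ':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Start a fresh window if there is no row or the old window has expired.
    if ($row === false || $now - (int) $row['first_failure'] > WINDOW_SECS) {
        $failures = 1;
        $first    = $now;
    } else {
        $failures = (int) $row['failures'] + 1;
        $first    = (int) $row['first_failure'];
    }
    $blockedUntil = $failures >= MAX_FAILURES ? $now + BLOCK_SECS : 0;

    // SQLite UPSERT (3.24+); on MySQL use INSERT ... ON DUPLICATE KEY UPDATE.
    $stmt = $pdo->prepare('INSERT INTO login_attempts (ip, userid, failures, first_failure, blocked_until)
        VALUES (:ip, :userid, :failures, :first, :until)
        ON CONFLICT(ip, userid) DO UPDATE SET failures = excluded.failures,
            first_failure = excluded.first_failure, blocked_until = excluded.blocked_until');
    $stmt->execute([':ip' => $ip, ':userid' => $userid, ':failures' => $failures,
                    ':first' => $first, ':until' => $blockedUntil]);
    return $blockedUntil > 0;
}

// Clear the counter after a successful login.
function record_success(PDO $pdo, string $ip, string $userid): void
{
    $stmt = $pdo->prepare('DELETE FROM login_attempts WHERE ip = :ip AND userid = :userid');
    $stmt->execute([':ip' => $ip, ':userid' => $userid]);
}

// Demo against in-memory SQLite with constructed attempts.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
throttle_schema($pdo);
$now = 1700000000;
foreach ([0, 1, 2] as $i) {
    $blocked = record_failure($pdo, '203.0.113.5', 'player1', $now + $i);
    printf("attempt %d: blocked=%s\n", $i + 1, $blocked ? 'yes' : 'no');
}
// The third failure trips the block; a fresh session cookie changes nothing,
// because the state is looked up by ip/userid, not by session id.
printf("block remaining: %d s\n", blocked_for($pdo, '203.0.113.5', 'player1', $now + 10));
```

Call blocked_for() before checking the password and refuse the attempt if it returns a non-zero value; call record_failure() on a bad password and record_success() on a good one. Keying on userid as well as IP means one attacker cannot lock out every account behind a shared address, and a reCAPTCHA, as the reply suggests, can be required only once a pair has hit the limit.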

 