anacondaq

SQL Injection protected simple registration script? Anybody have it?

Question

Hello guys, I am looking for a simple SQL injection/XSS protected registration account PHP script.

 

Features it must have:

  • script must be secured
  • script must be easy


11 answers to this question


There are a lot of Firefox and Chrome plugins that might just do that. They are pretty basic at looking for SQL injections on input forms. I don't remember any name now, but going through their extensions page and looking for XSS or injection should give you quite a list.


You don't need big protection for an RO server: there's no gain for potential hackers, so you can expect to be attacked only by unhappy users, 99.9% of whom won't know how to bypass basic security measures:

You only need to be concerned about SQL injections (any level) and basic XSS attacks. What's the best thing you can do out there? Sanitize any user input and you're good to go: ensure you got what you expected when the form is sent and you needn't worry about anything else. Just be paranoid about any user input you get.

PHP already provides the tools you need: use strlen() to ensure all string lengths (user name, password, mail) are in bounds (also check the sex length for the account is 1), then use a whitelist of the chars you'd want to insert in your SQL database and check all strings meet those requirements. Here is an example of the character whitelist of Ceres CP (returns TRUE if there's any unallowed character in a string):

function inject($string) {
	$permitido = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890.@$&-_/§*°ºª"; // allowed characters
	for ($i=0; $i<strlen($string); $i++) {
		if (strpos($permitido, substr($string, $i, 1)) === FALSE) return TRUE;
	}
	return FALSE;
}

You could also sanitize the vars for inserting them into the DB by using functions like mysql_real_escape_string. You should be good to go with the above function, though.

 

Hope I helped.
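A concrete registration handler in the spirit of this answer, added here as an example; it is not Ceres CP code or the poster's own. It keeps the length checks and the character whitelist, but inserts through a PDO prepared statement instead of escaping with mysql_real_escape_string(), and escapes output with htmlspecialchars() for the XSS side. The table name `login`, its columns (userid, user_pass, sex, email), the length limits and the M/F values are assumptions; the demo runs against an in-memory SQLite database with constructed input.

```php
<?php
// Added example, not Ceres CP code or any poster's code: a registration
// handler that follows the advice above (bounds-check every field, whitelist
// the characters you accept) and then inserts with a prepared statement, so
// user input is bound as data and never spliced into the SQL text.
// ASSUMPTIONS: a table `login` with columns userid, user_pass, sex, email,
// and the length limits below; adapt them to your own schema.

const USERID_MIN = 4;
const USERID_MAX = 23;   // assumed limit
const PASS_MIN   = 4;
const PASS_MAX   = 32;   // assumed limit
const EMAIL_MAX  = 39;   // assumed limit

// Same idea as the Ceres CP inject() whitelist, expressed with strspn():
// returns TRUE if $string contains a character that is not in $allowed.
function has_unallowed_char(string $string, string $allowed): bool
{
    return strspn($string, $allowed) !== strlen($string);
}

// Validate the submitted form. Returns a list of problems; empty means valid.
function validate_registration(array $form): array
{
    $errors = [];
    $alnum  = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_';
    $userid = (string) ($form['userid'] ?? '');
    $pass   = (string) ($form['password'] ?? '');
    $email  = (string) ($form['email'] ?? '');
    $sex    = (string) ($form['sex'] ?? '');

    if (strlen($userid) < USERID_MIN || strlen($userid) > USERID_MAX) {
        $errors[] = 'account name length out of bounds';
    }
    if (has_unallowed_char($userid, $alnum)) {
        $errors[] = 'account name contains characters outside the whitelist';
    }
    if (strlen($pass) < PASS_MIN || strlen($pass) > PASS_MAX) {
        $errors[] = 'password length out of bounds';
    }
    if (strlen($email) > EMAIL_MAX || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    // As the post says: the sex field must be exactly one character.
    if (strlen($sex) !== 1 || !in_array($sex, ['M', 'F'], true)) {
        $errors[] = 'sex must be M or F';
    }
    return $errors;
}

// Insert the account. Returns TRUE on success, FALSE if the name is taken.
function register_account(PDO $db, array $form): bool
{
    if (validate_registration($form) !== []) {
        throw new InvalidArgumentException('form failed validation');
    }
    // Placeholders (:userid ...) are bound by PDO: a value such as
    // "x' OR '1'='1" is stored literally and never becomes SQL.
    $exists = $db->prepare('SELECT COUNT(*) FROM login WHERE userid = :userid');
    $exists->execute([':userid' => $form['userid']]);
    if ((int) $exists->fetchColumn() > 0) {
        return false;
    }
    $insert = $db->prepare(
        'INSERT INTO login (userid, user_pass, sex, email) VALUES (:userid, :pass, :sex, :email)'
    );
    return $insert->execute([
        ':userid' => $form['userid'],
        // password_hash() for a web account; if your server's login table
        // expects its own password format, change only this line (assumption).
        ':pass'   => password_hash($form['password'], PASSWORD_DEFAULT),
        ':sex'    => $form['sex'],
        ':email'  => $form['email'],
    ]);
}

// XSS side: whatever you echo back (e.g. the chosen name on a welcome page)
// goes through htmlspecialchars() so it renders as text, not markup.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-contained demo on an in-memory SQLite database with constructed input.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE login (userid TEXT PRIMARY KEY, user_pass TEXT, sex TEXT, email TEXT)');

    $good = ['userid' => 'newbie01', 'password' => 'hunter22', 'sex' => 'M', 'email' => 'a@example.com'];
    $bad  = ['userid' => "x' OR '1'='1", 'password' => 'hunter22', 'sex' => 'MM', 'email' => 'nope'];

    var_dump(register_account($db, $good));   // first registration of the name
    var_dump(register_account($db, $good));   // second attempt: the name is now taken
    print_r(validate_registration($bad));     // the injection string, sex and e-mail are all rejected
    echo html("<script>alert(1)</script>"), "\n";
}
```

Run it with `php register.php` (needs the pdo_sqlite extension). The whitelist still matters even with prepared statements: parameters stop injection, but they don't stop a 500-byte account name or a control character from reaching the game client's UI, which is what the length and character checks are for.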


That's a bit harder, but on a registration script you don't need to protect against brute force.

In case you want to protect a login form against brute force attacks, you can use sessions in PHP:

// Preceding code here
// Let's figure out a failed login attempt has just happened
session_start();
$_SESSION['failedlogins'] = ($_SESSION['failedlogins'] ?? 0) + 1; // start at 0 on first failure
if ($_SESSION['failedlogins'] >= 3) // We're gonna ban this user for 1 hour
    $_SESSION['banneduntil'] = time() + 3600;
// Some code here
if (($_SESSION['banneduntil'] ?? 0) > time()) {
    $remainder = $_SESSION['banneduntil'] - time();
    echo "You're banned for attempting a brute force attack. You'll be unbanned in $remainder seconds.";
} else { // Not banned
    // Display login form
}
// Some more code here...

If my memory isn't failing me, it's like that.


How about brute force? Does anyone have an idea to prevent it?

 

Why not try including CAPTCHA in login forms?


How about brute force? Does anyone have an idea to prevent it?

Why not try including CAPTCHA in login forms?

Hi 0x8,

Unfortunately, CAPTCHA can be bypassed nowadays. The sessions suggested by jaBote are definitely a good idea to consider.


How about brute force? Does anyone have an idea to prevent it?

Why not try including CAPTCHA in login forms?

Hi 0x8,

Unfortunately, CAPTCHA can be bypassed nowadays. The sessions suggested by jaBote are definitely a good idea to consider.

I didn't know about that until now. Thanks for the info :meow:


What? Sessions don't protect against brute force attacks.

Sessions give the client a key, stored in a cookie, that references some variables on the server. If you clear the cookie (or just don't create it), the server will not recognize you.

 

The best ways I see:

  • Use reCAPTCHA.
  • Send a mail with a key to confirm registration (avoids getting invalid mails), and maybe check the mail against a blacklist.
  • Store the IP address for some time in a database, to block the next registration from the same IP until a specified date.
  • Just check in your Ragnarok database the IP stored in login and login_log to avoid creating an account if the IP is present more than x times.

CONS:

  • Captcha can be bypassed if you pay some guys in China (or somewhere else) to solve the captchas you send them (but I still recommend reCAPTCHA; it's the best on the market).
  • IP restriction is totally useless in case of proxies or botnets.

 

Hope it helps.
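The thread's two remaining points, that a session counter disappears along with its cookie and that registration limits can be keyed on the requesting address, can both be covered by storing attempts in the database rather than in $_SESSION. The following is an added example, not any poster's code; the `attempt_log` table, the thresholds and the sample events are assumptions constructed for the demo.

```php
<?php
// Added example, not from any poster: attempt throttling kept server-side in a
// database table instead of in $_SESSION. A session counter lives behind a
// cookie the client can simply discard; a row in your own database cannot be
// cleared by the client. ASSUMPTIONS: a table `attempt_log` and the
// thresholds below; pick values that fit your server.

const MAX_LOGIN_FAILURES = 3;      // failures before lockout (as in the session example)
const LOCKOUT_SECONDS    = 3600;   // lockout length: one hour
const MAX_REGS_PER_IP    = 3;      // registrations allowed per address ...
const REG_WINDOW_SECONDS = 86400;  // ... within one day

function init_attempt_log(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS attempt_log (
        kind    TEXT    NOT NULL,   -- "login_fail" or "register"
        subject TEXT    NOT NULL,   -- account name or IP address
        ts      INTEGER NOT NULL)');
}

// Record one event for $subject. Everything is bound; nothing is concatenated.
function record_attempt(PDO $db, string $kind, string $subject, int $now): void
{
    $stmt = $db->prepare('INSERT INTO attempt_log (kind, subject, ts) VALUES (?, ?, ?)');
    $stmt->execute([$kind, $subject, $now]);
}

// Count events of one kind for $subject with a timestamp at or after $since.
function count_attempts(PDO $db, string $kind, string $subject, int $since): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM attempt_log WHERE kind = ? AND subject = ? AND ts >= ?'
    );
    $stmt->execute([$kind, $subject, $since]);
    return (int) $stmt->fetchColumn();
}

// Login lockout keyed on the account name being guessed, so a client that
// clears cookies or changes address still hits the same counter.
function login_locked(PDO $db, string $account, int $now): bool
{
    return count_attempts($db, 'login_fail', $account, $now - LOCKOUT_SECONDS)
        >= MAX_LOGIN_FAILURES;
}

// Registration throttle keyed on the client address: the "store the IP for
// some time" idea from the post above, with the same caveat (proxies, botnets).
function registration_allowed(PDO $db, string $ip, int $now): bool
{
    return count_attempts($db, 'register', $ip, $now - REG_WINDOW_SECONDS) < MAX_REGS_PER_IP;
}

// Demo on an in-memory SQLite database with constructed events.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    init_attempt_log($db);
    $t = 1700000000; // fixed "now" so the demo is deterministic

    // Three failed logins against one account name within 30 seconds.
    for ($i = 0; $i < 3; $i++) {
        record_attempt($db, 'login_fail', 'victim', $t + $i * 10);
    }
    var_dump(login_locked($db, 'victim', $t + 30));                   // inside the lockout window
    var_dump(login_locked($db, 'victim', $t + 30 + LOCKOUT_SECONDS)); // after the window has passed

    // Three registrations from one (documentation-range) address in two minutes.
    record_attempt($db, 'register', '203.0.113.7', $t);
    record_attempt($db, 'register', '203.0.113.7', $t + 60);
    record_attempt($db, 'register', '203.0.113.7', $t + 120);
    var_dump(registration_allowed($db, '203.0.113.7', $t + 180));                      // limit reached
    var_dump(registration_allowed($db, '203.0.113.7', $t + REG_WINDOW_SECONDS + 121)); // window has rolled over
}
```

Locking on the account name means someone can lock a legitimate player out by failing on purpose, so keep the lockout short, as here, and log the events so the pattern is visible to whoever administers the server. The address-keyed registration check has the weakness the post already names, so treat it as one layer beside e-mail confirmation rather than the whole defence.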
