Version: 0.2
Type: Function
Category: Other
License: BSD License
Description: Just a little script (Very simple, still very beta but working) that i made to try to prevent SQL Code injection and Cross Site Scripting attacks. What it does is that it takes all the input a form receives via the _REQUEST global var, and examines it, looking for “dangerous” shell metachars, finds them, nukes them, and sends an email to the site admin, with the IP of the offender.
Feel free to rip it apart and enhance it!
//This prevents SQL Code injection / XSS Attacks.
function replace_meta_chars($string){
return @eregi_replace("([*])|([|])|([;]|([`])","",$string);
}
while(list($keyx,$valuex) = each($_REQUEST)){
if(eregi("([*])|([|])|([;])",$valuex)){
mail("[email protected]","Hack Alert","There's been a SQL Injection hacking attempt. $HTTP_REFERRER $REMOTE_ADDR","FROM:[email protected],BCC:[email protected]");
}
}
reset ($_REQUEST);
while(list($keyx,$valuex) = each($_REQUEST)){
${$keyx} = replace_meta_chars($valuex);
echo "$keyx $valuex
";
}
//end anti SQL XSS script.
Note: Initially i used the escapeshellcmd() function, but we discovered it was messing with our e-commerce site, as it nukes EVERY metacharacter, included some that are used in credit card transactions; so i had to develop a little function that only nukes what i tell it to. :)
