Dear veditio,
you wrote:
> I've got a ton of forms that use the $_POST variable to send
> information into the database [...]
> Any suggestions on how to tighten up the form security, or does
> magic_quotes help enough?
I'm not a security expert, but after some attacks I have implemented
this simple thing. Until today it works for me.
You can put it before connecting to your database. I have only
one script to connect to my database, placed outside /public_html.
It is requested by means of one include() in every PHP script.
In this way, this security works in the whole site.
<?php
// Split the requested URL into the path and the query string.
// Note: only the query string of the URL is examined by this check;
// POST bodies are not inspected.
$req = $_SERVER['REQUEST_URI'];
$cadena = explode("?", $req);
$mi_url = $cadena[0];
$resto = isset($cadena[1]) ? $cadena[1] : '';   // no "?" in the URL -> empty query string
// here you can put your suspicious chains at will. Just be careful with
// the names of your variables passing by your URLs
$inyecc = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';
// ...etc
// detecting
if (preg_match($inyecc, $resto)) {
    // make something, for example sending an e-mail alert
    // ($_SERVER replaces the old $HTTP_SERVER_VARS array; the two HTTP_* headers
    // are supplied by the client, REMOTE_ADDR is the address the server saw)
    $ip            = isset($_SERVER["HTTP_CLIENT_IP"]) ? $_SERVER["HTTP_CLIENT_IP"] : '';
    $forwarded     = isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : '';
    $remoteaddress = $_SERVER["REMOTE_ADDR"];
    $message = "attack injection in $mi_url \n\nchain: $resto \n\n"
             . "from: (ip-forw-RA):- $ip - $forwarded - $remoteaddress\n\n"
             . "--------- end --------------------";
    mail("[EMAIL PROTECTED]", "Attack injection", $message,
         "From: [EMAIL PROTECTED]'SERVER_NAME']}", "[EMAIL PROTECTED]'SERVER_NAME']}");
    // kill execution
    echo 'illegal url';
    die();
}
// DB connection
$connection = mysql_connect(/* ... etc. */);
?>
If you can, encode this script with Zend Encoder or a similar thing.
It will be an additional measure to avoid the reading of this file.
Hope it can be useful,
Vicente
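As an added example, not code from Vicente's message or from the list, the same form insertion done with a prepared statement, which keeps the SQL text fixed so user input is never parsed as SQL; the comments table, the in-memory SQLite connection and the sample inputs are assumptions for illustration. It also shows three ordinary inputs the keyword blacklist above would reject.

```php
<?php
// Added example, not Vicente's code: the form values reach the database
// through a prepared statement, so the SQL text is fixed and user input is
// never parsed as SQL. No keyword blacklist is needed to protect the query.
//
// Assumptions (invented for illustration): a table comments(name, body),
// created here in an in-memory SQLite database so it runs without MySQL.
declare(strict_types=1);

// The blacklist from the message, kept only to show what it rejects.
const BLACKLIST = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

function flagged_by_blacklist(string $value): bool
{
    return preg_match(BLACKLIST, $value) === 1;
}

// Safe insertion: placeholders in the query, values bound separately.
function insert_comment(PDO $pdo, string $name, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Output side: escape when rendering instead of rejecting '<' on input.
function render_comment(string $name, string $body): string
{
    return '<p><b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>: '
        . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: ordinary text the blacklist would reject
// ("Andrea" contains AND, "executive" contains exe, a URL contains http).
foreach (['Andrea', 'our executive team', 'see http://example.com'] as $s) {
    printf("%-25s blacklist: %s\n", $s, flagged_by_blacklist($s) ? 'REJECTED' : 'ok');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');

// Quotes and SQL keywords are stored as plain data; nothing to strip or escape.
$id  = insert_comment($pdo, "O'Brien", "I'd SELECT the UNION plan -- honestly");
$row = $pdo->query('SELECT name, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo "row #$id: ", render_comment($row['name'], $row['body']), "\n";
```

With magic_quotes off and the values bound this way, the apostrophe in O'Brien and the keywords in the body arrive in the table exactly as typed.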
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php