I'm a member of some forums about some topics,
One of them include a programming forum.
Now, I've visited there a week ago and saw a topic with the title "Free
security",
Someone who calls himself a PHP expert (and said that he could teach me PHP
since my level is so low), and pretends to have so many clients,
Posted the following code.
The code is written badly, and in his words - "its the best security,
without this you aren't secured".
Now, I am looking for a way to explain to him he is no PHP Professional, but
I can't find the right sentence. Will you help me?
And here is the code of the so-called "PHP Professional" who has "very large
amount of big clients" and "can teach me PHP".
Help me find something to say to him - I am not so good at that kind of
stuff
Kind regards,
Daniel
*<?
#######################################
## aNtisQL by Moriel Pahima.
#######################################
$getadd=strtolower($_SERVER[REQUEST_URI]);
$adr1 = $getadd;
$adr2x = explode("?",$adr1);
$adr = $adr1;
foreach( $_POST as $post => $value )
$postcc.="$post => $value\n";
foreach ( $_COOKIE as $cook => $value )
$cookiecc.="$cook => $value\n";
foreach ( $_GET as $get => $value )
$getcc.="$get => $value\n";
#######################################
check($adr1);
check($postcc);
check($getcc);
check($cookiecc);
function check($antisql){
if (
eregi("union",$antisql)&&eregi("from",$antisql)
Or
eregi("ibf_",$antisql)&&eregi("select",$antisql)
Or
eregi("insert",$antisql)&&eregi("order",$antisql)
Or
eregi("update",$antisql)&&eregi("where",$antisql)
Or
eregi("`",$antisql)&&eregi("truncate",$antisql)
Or
eregi("null",$antisql)&&eregi("alter",$antisql)
){
errorview();
}
if (
eregi(h3x("union"),$antisql)&&eregi(h3x("from"),$antisql)
Or
eregi(h3x("ibf_"),$antisql)&&eregi(h3x("select"),$antisql)
Or
eregi(h3x("insert"),$antisql)&&eregi(h3x("order"),$antisql)
Or
eregi(h3x("update"),$antisql)&&eregi(h3x("where"),$antisql)
Or
eregi(h3x("`"),$antisql)&&eregi(h3x("truncate"),$antisql)
Or
eregi(h3x("null"),$antisql)&&eregi(h3x("alter"),$antisql)
){
errorview();
}
if (
eregi(h3x("UNION"),$antisql)&&eregi(h3x("FROM"),$antisql)
Or
eregi(h3x("IBF_"),$antisql)&&eregi(h3x("SELECT"),$antisql)
Or
eregi(h3x("INSERT"),$antisql)&&eregi(h3x("ORDER"),$antisql)
Or
eregi(h3x("UPDATE"),$antisql)&&eregi(h3x("WHERE"),$antisql)
Or
eregi(h3x("`"),$antisql)&&eregi(h3x("TRUNCATE"),$antisql)
Or
eregi(h3x("NULL"),$antisql)&&eregi(h3x("ALTER"),$antisql)
){
errorview();
}
}
#######################################
## All Rights Reserved!
#######################################
function errorview(){
echo <<<antisql
<center>
aNtisQL ANTI SQL-INJECTION SYSTEM <br />
by <a href="mailto:
hidden-since-i-dont-want-to-show-it-on-php-mailinglist
">Moriel Pahima</a>
</center>
antisql;
die();
}
#######################################
function h3x($envar){
$hax3d = bin2hex($envar);
$hax3d = chunk_split($hax3d , 2, "%");
$hax3d = "%" . substr($hax3d , 0, strlen($hax3d ) - 1);
return $hax3d;
}
?>*
