דניאל דנון wrote:
> I'm a member of some forums about some topics,
> one of them being a programming forum.
>
> Now, I visited there a week ago and saw a topic with the title "Free
> security".
> Someone who calls himself a PHP expert (and said that he could teach me PHP
> since my level is so low), and pretends to have so many clients,
> posted the following code.
>
> The code is written badly, and in his words - "it's the best security,
> without this you aren't secured".
> Now, I am looking for a way to explain to him he is no PHP professional, but
> I can't find the right sentence. Will you help me?
> And here is the code of the so-called "PHP Professional" who has a "very large
> amount of big clients" and "can teach me PHP".
> Help me find something to say to him - I am not so good at that kind of
> stuff.
>
> Kind regards,
> Daniel
>
>
> <?
> #######################################
> ## aNtisQL by Moriel Pahima.
> #######################################
> $getadd = strtolower($_SERVER[REQUEST_URI]);
> $adr1 = $getadd;
> $adr2x = explode("?", $adr1);
> $adr = $adr1;
> foreach ($_POST as $post => $value)
>     $postcc .= "$post => $value\n";
> foreach ($_COOKIE as $cook => $value)
>     $cookiecc .= "$cook => $value\n";
> foreach ($_GET as $get => $value)
>     $getcc .= "$get => $value\n";
> #######################################
> check($adr1);
> check($postcc);
> check($getcc);
> check($cookiecc);
>
> function check($antisql) {
>     if (
>         eregi("union", $antisql) && eregi("from", $antisql)
>         Or
>         eregi("ibf_", $antisql) && eregi("select", $antisql)
>         Or
>         eregi("insert", $antisql) && eregi("order", $antisql)
>         Or
>         eregi("update", $antisql) && eregi("where", $antisql)
>         Or
>         eregi("`", $antisql) && eregi("truncate", $antisql)
>         Or
>         eregi("null", $antisql) && eregi("alter", $antisql)
>     ) {
>         errorview();
>     }
>     if (
>         eregi(h3x("union"), $antisql) && eregi(h3x("from"), $antisql)
>         Or
>         eregi(h3x("ibf_"), $antisql) && eregi(h3x("select"), $antisql)
>         Or
>         eregi(h3x("insert"), $antisql) && eregi(h3x("order"), $antisql)
>         Or
>         eregi(h3x("update"), $antisql) && eregi(h3x("where"), $antisql)
>         Or
>         eregi(h3x("`"), $antisql) && eregi(h3x("truncate"), $antisql)
>         Or
>         eregi(h3x("null"), $antisql) && eregi(h3x("alter"), $antisql)
>     ) {
>         errorview();
>     }
>     if (
>         eregi(h3x("UNION"), $antisql) && eregi(h3x("FROM"), $antisql)
>         Or
>         eregi(h3x("IBF_"), $antisql) && eregi(h3x("SELECT"), $antisql)
>         Or
>         eregi(h3x("INSERT"), $antisql) && eregi(h3x("ORDER"), $antisql)
>         Or
>         eregi(h3x("UPDATE"), $antisql) && eregi(h3x("WHERE"), $antisql)
>         Or
>         eregi(h3x("`"), $antisql) && eregi(h3x("TRUNCATE"), $antisql)
>         Or
>         eregi(h3x("NULL"), $antisql) && eregi(h3x("ALTER"), $antisql)
>     ) {
>         errorview();
>     }
> }
> #######################################
> ## All Rights Reserved!
> #######################################
> function errorview() {
>     echo <<<antisql
> <center>
> aNtisQL ANTI SQL-INJECTION SYSTEM <br />
> by <a href="mailto:
> hidden-since-i-dont-want-to-show-it-on-php-mailinglist
> ">Moriel Pahima</a>
> </center>
> antisql;
>     die();
> }
> #######################################
> function h3x($envar) {
>     $hax3d = bin2hex($envar);
>     $hax3d = chunk_split($hax3d, 2, "%");
>     $hax3d = "%" . substr($hax3d, 0, strlen($hax3d) - 1);
>     return $hax3d;
> }
> ?>

Tell him that the PHP experts and me (PHP hobbyist) on this list won't even
pick through his code because it is a garbled mass of shit! Maybe someone
else will disagree and say that it's a masterpiece, then I'll bow out
gracefully.

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
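For comparison, the approach the list would normally point to instead of a keyword blacklist like aNtisQL's check(): a prepared statement, where user-supplied text (SQL keywords and quotes included) is bound as data and never parsed as SQL. This is an added example, not code from the thread or from aNtisQL; it assumes PHP with the pdo_sqlite extension, and the table and inputs are constructed for the demonstration.

```php
<?php
// Added example, not part of the thread or of aNtisQL: the request data the
// filter above tries to police, handled instead with a PDO prepared statement.
// Assumes the pdo_sqlite extension; table and inputs are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed inputs. Both would be rejected by aNtisQL's check(): the first
// pairs "union" with "from", the second pairs "update" with "where", yet both
// are ordinary forum text. The apostrophes are what a string-concatenated query
// would choke on; a bound parameter carries them through unchanged.
$inputs = [
    ['author' => 'daniel',  'body' => 'A union of members from two forums'],
    ['author' => "o'brien", 'body' => "Moriel's post: where did you update this?"],
];

// The SQL text is fixed and compiled once; the values travel separately from
// it, so the driver never interprets them as SQL whatever words they contain.
$insert = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
foreach ($inputs as $row) {
    $insert->execute([':author' => $row['author'], ':body' => $row['body']]);
}

// Read back with a bound parameter as well, and confirm the stored text is
// byte-for-byte the submitted text: nothing was filtered, escaped or executed.
$select = $pdo->prepare('SELECT body FROM posts WHERE author = :author');
$select->execute([':author' => "o'brien"]);
$stored = $select->fetchColumn();

printf("rows stored: %d\n", $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn());
printf("round-trip intact: %s\n", $stored === $inputs[1]['body'] ? 'yes' : 'no');
```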