On Fri, 2009-03-20 at 18:57 -0500, Shawn McKenzie wrote:
<דניאל דנון wrote:
> > I'm a member of some forums about some topics,
> > One of them include a programming forum.
> >
> > Now, I've visited there a week ago and saw a topic with the title "Free
> > security",
> > Someone who calls himself a PHP expert (and said that he could teach me PHP
> > since my level is so low), and pretends to have so many clients,
> > Posted the following code.
> >
> > The code is written badly, and in his words - "its the best security,
> > without this you aren't secured".
> > Now, I am looking for a way to explain to him he is no PHP Professional, but
> > I can't find the right sentence. Will you help me?
> > And here is the code of the so-called "PHP Professional" who has "very large
> > amount of big clients" and "can teach me PHP".
> > Help me find something to say to him - I am not so good at that kind of
> > stuff
> >
> > Kind regards,
> > Daniel
> >
> >
> > *<?
> > #######################################
> > ## aNtisQL by Moriel Pahima.
> > #######################################
> > $getadd=strtolower($_SERVER[REQUEST_URI]);
> > $adr1 = $getadd;
> > $adr2x = explode("?",$adr1);
> > $adr = $adr1;
> > foreach( $_POST as $post => $value )
> > $postcc.="$post => $value\n";
> > foreach ( $_COOKIE as $cook => $value )
> > $cookiecc.="$cook => $value\n";
> > foreach ( $_GET as $get => $value )
> > $getcc.="$get => $value\n";
> > #######################################
> > check($adr1);
> > check($postcc);
> > check($getcc);
> > check($cookiecc);
> > function check($antisql){
> > if (
> > eregi("union",$antisql)&&eregi("from",$antisql)
> > Or
> > eregi("ibf_",$antisql)&&eregi("select",$antisql)
> > Or
> > eregi("insert",$antisql)&&eregi("order",$antisql)
> > Or
> > eregi("update",$antisql)&&eregi("where",$antisql)
> > Or
> > eregi("`",$antisql)&&eregi("truncate",$antisql)
> > Or
> > eregi("null",$antisql)&&eregi("alter",$antisql)
> > ){
> > errorview();
> > }
> > if (
> > eregi(h3x("union"),$antisql)&&eregi(h3x("from"),$antisql)
> > Or
> > eregi(h3x("ibf_"),$antisql)&&eregi(h3x("select"),$antisql)
> > Or
> > eregi(h3x("insert"),$antisql)&&eregi(h3x("order"),$antisql)
> > Or
> > eregi(h3x("update"),$antisql)&&eregi(h3x("where"),$antisql)
> > Or
> > eregi(h3x("`"),$antisql)&&eregi(h3x("truncate"),$antisql)
> > Or
> > eregi(h3x("null"),$antisql)&&eregi(h3x("alter"),$antisql)
> > ){
> > errorview();
> > }
> > if (
> > eregi(h3x("UNION"),$antisql)&&eregi(h3x("FROM"),$antisql)
> > Or
> > eregi(h3x("IBF_"),$antisql)&&eregi(h3x("SELECT"),$antisql)
> > Or
> > eregi(h3x("INSERT"),$antisql)&&eregi(h3x("ORDER"),$antisql)
> > Or
> > eregi(h3x("UPDATE"),$antisql)&&eregi(h3x("WHERE"),$antisql)
> > Or
> > eregi(h3x("`"),$antisql)&&eregi(h3x("TRUNCATE"),$antisql)
> > Or
> > eregi(h3x("NULL"),$antisql)&&eregi(h3x("ALTER"),$antisql)
> > ){
> > errorview();
> > }
> > }
> > #######################################
> > ## All Rights Reserved!
> > #######################################
> > function errorview(){
> > echo <<<antisql
> > <center>
> > aNtisQL ANTI SQL-INJECTION SYSTEM <br />
> > by <a href="mailto:
> > hidden-since-i-dont-want-to-show-it-on-php-mailinglist
> > ">Moriel Pahima</a>
> > </center>
> > antisql;
> > die();
> > }
> > #######################################
> > function h3x($envar){
> > $hax3d = bin2hex($envar);
> > $hax3d = chunk_split($hax3d , 2, "%");
> > $hax3d = "%" . substr($hax3d , 0, strlen($hax3d ) - 1);
> > return $hax3d;
> > }
> > ?>*
> >
>
> Tell him that the PHP experts and me (PHP hobbyist) on this list won't
> even pick through his code because it is a garbled mass of shit!
>
> Maybe someone else will disagree and say that its a masterpiece, then
> I'll bow out gracefully.
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
>
Nah, the GMS managed to pretty much cover it!
Ash
www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
