PHP / SQL data protection – anti SQL-Injection function

By Zilli,

SQL Injection

SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.

SQL Injection Based on 1=1 is Always True
Suppose the original purpose of the code was to build an SQL statement that selects a user with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId:

How to protect

PHP functions

The function

// Blacklist-style escaping used by the post: trims the input, strips anything that
// looks like an HTML tag, backslash-escapes quotes, and then backslash-escapes a list
// of characters that often appear in injection payloads. Two caveats: addslashes has
// already escaped double quotes, so the first str_replace escapes them a second time;
// and a backslash before ; -- + ( ) = < > is not an escape sequence in MySQL string
// literals (the backslash is simply dropped), so those replacements do not make the
// value safe on their own. Prepared statements are the reliable control.
function anti_injection($input){
    // trim whitespace, drop tags, then escape ' " \ and NUL with addslashes
    $clean=strip_tags(addslashes(trim($input)));
    $clean=str_replace('"','\"',$clean);
    $clean=str_replace(';','\;',$clean);
    $clean=str_replace('--','\--',$clean);
    $clean=str_replace('+','\+',$clean);
    $clean=str_replace('(','\(',$clean);
    $clean=str_replace(')','\)',$clean);
    $clean=str_replace('=','\=',$clean);
    $clean=str_replace('>','\>',$clean);
    $clean=str_replace('<','\<',$clean);
    return $clean;
}

How to use

$id=$_GET['id'];
$id_clean=anti_injection($id);
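As an added example (not code from the original post), here is the user lookup the post describes written with input validation and a prepared statement, next to the post's own function so the two can be run side by side. It assumes PHP with PDO and the pdo_sqlite extension; the users table and its rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. It contrasts the post's
// blacklist function with the control that actually prevents SQL injection:
// validating the input's shape and binding it as a parameter of a prepared
// statement. Uses PDO with an in-memory SQLite database (pdo_sqlite is
// assumed to be installed); the users table and its rows are constructed
// sample data.

// The post's function, reproduced only so the comparison below is self-contained.
function anti_injection(string $input): string
{
    $clean = strip_tags(addslashes(trim($input)));
    foreach (['"', ';', '--', '+', '(', ')', '=', '>', '<'] as $token) {
        $clean = str_replace($token, '\\' . $token, $clean);
    }
    return $clean;
}

// Hardened lookup: the id must be a non-negative integer, and the SQL text
// never contains user input; the value travels separately as a bound parameter.
function find_user_by_id(PDO $pdo, string $raw_id): ?array
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null; // malformed id: reject it instead of trying to "clean" it
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'O''Brien')");

// A well-formed id is looked up; the 1=1 style input from the post's heading
// is rejected by the integer check before any SQL is built.
var_dump(find_user_by_id($pdo, '2'));
var_dump(find_user_by_id($pdo, '2 OR 1=1'));

// In the web handler the call would be: find_user_by_id($pdo, $_GET['id'] ?? '')

// The blacklist, by contrast, silently alters legitimate data: a name with an
// apostrophe, parentheses and an angle-bracketed address comes back changed,
// while whatever survives is still pasted into the SQL text by the caller.
var_dump(anti_injection("O'Brien (Sales) <sales@example.com>"));
```

The difference is one of principle rather than of character lists: the blacklist guesses which characters are dangerous and mangles ordinary data in the process, while the prepared statement hands the value to the database separately from the query text, so no character in it can change what the statement does. With MySQL the same pattern applies through PDO's mysql driver or mysqli prepared statements.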

Hide email headers in Postfix

By Zilli,

Put these rules in /etc/postfix/header_checks, point main.cf at the file with header_checks = regexp:/etc/postfix/header_checks, and run postfix reload. Keep in mind that header_checks is applied by the cleanup daemon to every message Postfix accepts, so the headers below are also removed from inbound and relayed mail, which takes away trace information you may want later; Mime-Version: in particular is a required header of MIME messages (RFC 2045), so dropping it is a trade-off.

/^Received:/                    IGNORE
/^X-PHP-Originating-Script:/    IGNORE
/^X-Originating-IP:/            IGNORE
/^X-Mailer:/                    IGNORE
/^Mime-Version:/                IGNORE

Apache – mod_rewrite rules

By Zilli,

Examples of rewrite rules in a .htaccess file.
Serve http://yourdomain.com/test from testpage.php:

RewriteEngine On
RewriteRule ^test/?$ /testpage.php [L,NC]


Rewrite a localization URL into the $_GET['lang'] variable
http://yourdomain.com/english (note that the pattern below only accepts two-letter codes, e.g. http://yourdomain.com/en)

RewriteEngine On
RewriteRule ^(.*)/$ /$1 [R=permanent]
RewriteRule ^([a-z]{2})$ /index.php?lang=$1
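The rewrite rule only shapes the friendly URL; /index.php?lang=... remains reachable directly, so the lang value still has to be validated in PHP before it selects a translation file. The following is an added example, not code from the original post; the list of supported locales and the locale/<code>.php layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The rewrite rule only
// produces the friendly URL; /index.php?lang=... stays reachable directly, so
// the lang value has to be validated in PHP before it selects a translation
// file. The locale list and the locale/<code>.php layout are assumptions.

const SUPPORTED_LANGS = ['en', 'it', 'de'];
const DEFAULT_LANG = 'en';

// Maps the requested code onto the allowlist; anything else falls back to the
// default. The strict in_array avoids loose-comparison surprises.
function resolve_lang(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LANG;
    }
    $candidate = strtolower(trim($requested));
    return in_array($candidate, SUPPORTED_LANGS, true) ? $candidate : DEFAULT_LANG;
}

// The file path is built from the validated code only, so the raw request
// value never reaches the filesystem.
function translation_file(?string $requested): string
{
    return __DIR__ . '/locale/' . resolve_lang($requested) . '.php';
}

// In index.php:  require translation_file($_GET['lang'] ?? null);

// Constructed sample inputs: a supported code, a code the site does not ship,
// the spelled-out "english" from the post's URL (the rewrite pattern passes
// only two-letter codes, so it never reaches lang), and a missing parameter.
foreach (['it', 'fr', 'english', null] as $input) {
    printf("%-10s -> %s\n", var_export($input, true), resolve_lang($input));
}
```

Using an allowlist rather than a character filter means the set of acceptable values is exactly the set of translation files you ship, and a bad value degrades to the default language instead of producing an error page or an unexpected include.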


Redirect 301

http://www.yourdomain.com/ to http://yourdomain.com/

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]

Enable Spotlight indexing on an AFP network drive

By Zilli,

Indexing an AFP network drive is not a problem:

To enable Spotlight indexing on a network drive, open Terminal.app and enter (replace name with the volume's name; mdutil expects its options before the volume path):
mdutil -i on /Volumes/name

To disable indexing of a connected network drive:
mdutil -i off /Volumes/name

To check the indexing status of a connected network drive:
mdutil -s /Volumes/name

OS X Admin password reset

By Zilli,

Boot the Mac in single-user mode by holding down Command+S (or Apple+S, if you prefer) until text appears on the terminal, then type:

$ fsck -fy 
$ mount -uw /
$ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
$ dscl . -passwd /Users/username password

username is the actual user name (the one shown next to the little "house" icon, to be clear) and password is the new password you want to set.
If you don't know the user name of an administrator account, just type more /etc/passwd to view the file where all the users on the system are stored. You will see the user's privilege type in the fifth column. You could also directly change the password of the root user (which on Unix systems is the system's superuser and therefore has full access).
Finally, restart the system by holding down the power button.
