Tutorial on how to prevent MySQL injection using MySQL functions and a PHP script, from beginning to advanced, no PDO

TUTORIAL LINK


Get the script from the tutorial link

The script is useful if

  • You want to block some column or table or anything in the query.

  • The query is executed outside of your app, e.g. using a hacking app such as HttpCanary to change the request and response.... If you have the script above, it is going to stop any injection, except if the query is not an injection query, but you can block the query if it contains your table name and more...

PDO is good, but this is the best for me. Why?

  • I can run any query without updating the script.

  • I don't need to put any query in my script and collect parameters from the user, which means that any time I want to change my query I have to update the script. No way, that is not good enough for me; you can use it if you wish.


How to use it

You don't need to worry about the rest of the code. In the variable $YourInjection put all your table names and column names if you don't want a user to run a query that contains your $YourInjection.

Since I am using functions in my app, I don't expect any user to run a query containing my table or column names if they know them by chance, so I am going to put them in there as injection. Or you can leave it blank if you are not using functions in your app.

The $Masterkey is used to run your query that contains your injection. This is useful if you have an admin app. For instance, in the picture above my exception is (username and password), which are my column names. If I want to run a query from my admin app that contains those column names, then my query will be

select column_name from tablename $Masterkey
select username from test key

In the query above, the script is going to understand that the query is from the admin that has the master key. NOTE: the key is case sensitive.
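As an added example (not the script from the tutorial link), here is how the gate described above can be written in PHP: the protected names play the role of $YourInjection, the trailing case-sensitive token is the $Masterkey, and the key is stripped before the query reaches mysqli. The function names, the whole-word matching rule and the constructed sample queries are my own assumptions.

```php
<?php
// Added example, not the tutorial's script. $protected is the post's $YourInjection
// list; $masterKey is the post's $Masterkey and must be the LAST word of the query.
function gateQuery(string $sql, array $protected, string $masterKey): array
{
    $sql = trim($sql);
    $hasKey = false;

    // The master key is matched exactly (case-sensitive) as a trailing token
    // and removed so that MySQL never sees it.
    if ($masterKey !== '') {
        $keyPattern = '/\s' . preg_quote($masterKey, '/') . '$/';
        if (preg_match($keyPattern, $sql)) {
            $hasKey = true;
            $sql = preg_replace($keyPattern, '', $sql);
        }
    }

    // Protected names are matched as whole identifiers, case-insensitively
    // (assumption: "username" is caught, "usernames" is not).
    foreach ($protected as $name) {
        if (!$hasKey && preg_match('/\b' . preg_quote($name, '/') . '\b/i', $sql)) {
            return ['allowed' => false, 'sql' => $sql,
                    'reason' => "protected name '$name' used without master key"];
        }
    }
    return ['allowed' => true, 'sql' => $sql,
            'reason' => $hasKey ? 'master key present' : 'no protected names'];
}

// Only a query the gate allowed is forwarded to MySQL (mysqli, no PDO, as in the post).
function runGated(mysqli $db, string $sql, array $protected, string $masterKey)
{
    $gate = gateQuery($sql, $protected, $masterKey);
    if (!$gate['allowed']) {
        error_log('query blocked: ' . $gate['reason']);
        return false;
    }
    return $db->query($gate['sql']);
}

// Constructed sample queries using the post's own values: columns username/password, key "key".
$protected = ['username', 'password'];
foreach (['select username from test', 'select username from test key',
          'select username from test KEY', 'select id from test'] as $q) {
    $g = gateQuery($q, $protected, 'key');
    printf("%-32s => %s (%s)\n", $q, $g['allowed'] ? 'allowed' : 'blocked', $g['reason']);
}
```

The gate only reacts to queries that mention a listed identifier; the extra rules the post mentions for queries that destroy data are not part of this example.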

Also, if the query contains other injection, the script is going to modify it such that MySQL will give you an error.... I have tested it and have done as many SQL injections as possible; you can also try your luck in the app.

The script will block anything that can cause you to lose your database, and of course by using functions and regular expressions the script will be more secure to block anything.

App: mysqlinjectionApp

  • The script blocks the query since it contains my column name without the master key.

  • The script allows the query since it contains my column name and the master key (key).

  • The script blocks the query since it contains an injection that makes me lose data.

  • The script blocks the injection query since it contains my column name.

  • MySQL gives an error message. Normally, if that type of injection is executed, MySQL will run it without an error, but because of the script it returns an error.... NOTE: I put "key" in the query because it contains my column name; without the key, access will be denied.

If you are successful in running a MySQL injection, kindly reply with your query and I will look into it and update the script so the script can be more secure for everyone.

DO YOU WANT PART 2? KINDLY REPLY IF YOU DO (HOW TO STOP USERS FROM MANIPULATING THE RESPONSE)
