Tryptamine
Posts posted by Tryptamine
-
Thanks for the quick reply, I tried the new function, but still got the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Also that's a good point about the int value, I will try that next.
-
Hello all, I'm attempting to secure a script to prevent against SQL Injections. But for some reason the code I'm using is not correctly escaping malicious characters.
Here's a section of the code I'm using (the beginning) that first pulls the data from the database:

    include 'include/dbconnect.php';
    include 'include/funcs.php';

    if (isset($_GET['gid'])) {
        $galleryid = cleanvar($_GET['gid']);
        $sql = "select * from galleries where id = $galleryid";
        $result = mysql_query($sql) or die(mysql_error());
        if ($row = mysql_fetch_assoc($result)) {
            $galleryid = $row['id'];
            $gallerytitle = $row['title'];

the cleanvar function is located in funcs.php, and this is what it looks like:

    function cleanvar ($var) {
        return stripslashes(mysql_real_escape_string($var));
    }

magic_quotes_gpc is on, so that is why I added stripslashes, but for some reason whenever I go to the script and attempt to inject into it with a single or double quote, I still get a syntax error, enabling me to successfully inject.
Any ideas?
Thanks in advance!
-
Thanks guys!
-
A tutorial is more than fine, but where's the link? :-\
-
Hello all, I have a script that allows one file to be uploaded at a time, which is all I need. What I am attempting to do is change the filename to a specific filename. So if I uploaded a file called "something.html" it would upload it, but rename it to "somethingelse.txt"
Here's the code I'm using:

    <?php
    Echo "Path where deface page will be uploaded: <p>";
    $cd = passthru(pwd);
    $path = $cd;
    $target_path = "$path";
    do if ($_FILES != null) {
        $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "<br /><br /><font size=3 face=arial color=white>Success!</font>";
        } else{
            echo "<br /><br /><font size=3 face=arial color=red>Upload failed. =/ Do you have write access?</font>";
        }
    } while ($_FILES = null);
    echo "$_FILES";
    ?>

Any suggestions?
-
Ahh, I see. Well thank you all for your help and quick replies!
-
I apologize for not posting any of the code; I am not the owner of the forum so I'm not sure if I have permission to give out the code. If you needed though, you could just view the source of each page.
-
Hey all I'm new to these forums, so if I posted this in the wrong forum I apologize.
Anyway, on to the question:
I am a member on a forum and we are having trouble getting a javascript chatbox to work on a specific page. (links at the bottom, and no, I am not trying to advertise the forum.) On all of the regular forum pages the chatbox works, but when you enter the arcade section of the forum, the chatbox does not appear. Any help or suggestions will be greatly appreciated!
(Chatbox is at the top right)
Link where chatbox works:
http://zelaron.com/forum/forumdisplay.php?f=183
Link where chatbox does not work:
mysql_escape_string and mysql_real_escape_string not working
in PHP Coding Help
Posted
Sorry for double posting but,
Oh my god thank you, forcing the integer value worked. I've been struggling with this for several hours.
THANK YOU so much.
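
The integer fix reported in the post above, shown beside the escape-only query, as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline); the function names `fetchEscapedOnly` and `fetchValidated`, the table rows and the test inputs are constructed for illustration, and `addslashes()` stands in for `mysql_real_escape_string()`.

```php
<?php
// Added example, not the poster's code. Table rows and inputs are constructed.
// Assumption: SQLite in memory replaces the MySQL server from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE galleries (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO galleries VALUES (1, 'public'), (2, 'private')");

// Before: the value is escaped but placed in an unquoted numeric position.
// Escaping only neutralises quote characters inside a quoted string literal,
// so it does nothing for input that contains no quotes at all.
function fetchEscapedOnly(PDO $db, string $gid): array
{
    $sql = "SELECT id, title FROM galleries WHERE id = " . addslashes($gid);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: reject anything that is not a positive integer, then bind it as a
// typed parameter so the value never becomes part of the SQL text.
function fetchValidated(PDO $db, string $gid): array
{
    $id = filter_var($gid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, title FROM galleries WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a valid id, a quote-free expression, and a lone quote.
$inputs = ['1', '1 OR 1=1', "'"];
foreach ($inputs as $in) {
    try {
        $before = count(fetchEscapedOnly($db, $in)) . ' row(s)';
    } catch (PDOException $e) {
        $before = 'SQL error';   // the escaped quote is still invalid outside a string
    }
    $after = count(fetchValidated($db, $in)) . ' row(s)';
    printf("%-12s escaped-only: %-10s validated+bound: %s\n",
        var_export($in, true), $before, $after);
}
```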