Smruthi Posted May 28, 2008 Share Posted May 28, 2008 Hi All, I am in need of an urgent help. One of the companies puting a court case against me saying the following code i wrote in 2006 was the ONLY reason for server crash with another 194 sites in the same server. The following was the code i wrote --------------------------------------------------------------------------------------------------------------------------------------------------- function update_region($id,$regname,$regcom) { $query = "UPDATE region_mast SET region_name = '". $regname."',region_comments = '". $regcom."' WHERE region_id =" .$id; mysql_query($query); ... --------------------------------------------------------------------------------------------------------------------------------------------------- and they say the following way i should have written the code and it would have been 100% safe from SQL injection attacks. Is their claim correct ? ---------------------------------------------------------------------------------------------------------------------------------------------------- function update_region($id,$regname,$regcom) { $id = intval($id); $locname = mysql_escape_string($locname); $loccom = mysql_escape_string($loccom ); $query = "UPDATE location_mast SET location_name = '". $locname."',location_comments = '". $loccom."' WHERE location_id =" .$id; mysql_query($query); ... --------------------------------------------------------------------------------------------------------------------------------------------------- I deeply appreciate your quick advise. Best Regards Smruthi Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/ Share on other sites More sharing options...
discomatt Posted May 28, 2008 Share Posted May 28, 2008 Was REGISTER_GLOBALS on? If you're inserting data from an outside, untrusted source, then yes, that code is vulnerable. Are you entirely responsible for what happened? I don't think so. The server could've restricted mysql_ functions and only allowed the mysqli_ functions (which has internal escaping, if i remember correctly) I'm not exactly sure how injected MySQL code can take down a well designed shared server... there should've been fail-safes in place to prevent a single shared user from using too many resources or gaining access to any data outside of their usr directory. Sounds like a useless host trying to throw the blame. They're not responsible for the data YOU lost, but they are for the data the other customers have lost. Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-551934 Share on other sites More sharing options...
Xurion Posted May 28, 2008 Share Posted May 28, 2008 Yeah like discomatt said, your code isn't intentionally vunerable. We would have to see more of the code. How do you set your $id, $regname and $regcom variables? Did you write the function like so: $id=$_POST['id']; $regname=$_POST['regname']; $regcom=$_POST['regcom']; update_region($id,$regname,$regcom) If you did then yea, SQL injection would have been possible. If you wrote this in 2006 then the addslashes function was available for use and I guess they could have a case against you. I guess it depends on how involved you were, what the overall job was, were u part of a team or individual, and what kind of loss did the company suffer as a result of the crashed server? Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-551937 Share on other sites More sharing options...
discomatt Posted May 28, 2008 Share Posted May 28, 2008 Even then, a hosting company is responsible for protecting its customers. If someone upload malicious code, it should only affect THAT user... otherwise there's a hole on THEIR SIDE. Allowing a user to crash a server is a MAJOR no-no in a shared hosting environment. Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-551945 Share on other sites More sharing options...
ILYAS415 Posted May 28, 2008 Share Posted May 28, 2008 I personally believe it depends on where the function was run. If normal guests/members of the site were able to do it then thats something. But if only administrators were able to do it then it would kind of be the administrators problem because there the one inserting malicious coe (whether by accident or on purpose). Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-551971 Share on other sites More sharing options...
Xurion Posted May 29, 2008 Share Posted May 29, 2008 An analogy would be like so: You pay a guy to fit you some new windows. The next day a criminal breaks into your home through the new windows. Who would the victim press charges against? The criminal or the window fitter? And yes, discomatt is correct again, it really depends upon the server security that the hosting company have in place. Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-552371 Share on other sites More sharing options...
Smruthi Posted May 30, 2008 Author Share Posted May 30, 2008 Hi All, Thank you so much for your kindness to respond to my post and it really reduced some of my head ache... I may have some more doubts in this regard which i will post soon. Kind Regards Smruthi Link to comment https://forums.phpfreaks.com/topic/107673-php-code-help-needed/#findComment-553445 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.