
Test Security Please - NON-DESTRUCTIVE



This is the current code for insert.php. Do you see anything wrong with it?


<?php include("../Login/include/session.php");?>
<?php include("../Login/function.php");?>
<?php
$username="***";
$password="***";
$database="***";

$coach="$user";

$first=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['first']))));
$last=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['last']))));
$title=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['title']))
$college=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['college']))));
$division=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['division']))));
$phone=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['phone']))));
$cell=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['cell']))));
$email=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['email']))));

mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')";
mysql_query($query); 

mysql_close();
?>

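For comparison, here is the same coach insert written with PDO prepared statements, so the form data is bound as parameters and never becomes part of the SQL text; this is an added example by the editor, not code from the thread. It assumes ../Login/include/session.php sets $user for a logged-in coach, that coach.id is AUTO_INCREMENT, and that the database credentials are placeholders.

```php
<?php
// Added example, not the thread's code: the insert.php coach insert done
// with PDO prepared statements. Assumes ../Login/include/session.php sets
// $user, that coach.id is AUTO_INCREMENT, and that the DSN credentials
// below are placeholders to be replaced.
require_once '../Login/include/session.php';

// Connect first: mysql_real_escape_string() in the original runs before
// mysql_connect(), and with no open connection it warns and returns false.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);

// Only an authenticated session may add a coach, and only via POST.
if (empty($user)) {
    http_response_code(403);
    exit('login required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Validation replaces the escape/strip_tags/RemoveXSS chain: SQL escaping is
// unnecessary with bound parameters, and HTML encoding belongs at output
// time (htmlspecialchars when a value is displayed), not at storage time.
$fields = ['first', 'last', 'title', 'college', 'division', 'phone', 'cell', 'email'];
$values = [];
$errors = [];
foreach ($fields as $f) {
    $v = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
    if ($v === '' || strlen($v) > 100) {
        $errors[] = "$f is required (max 100 characters)";
    }
    $values[$f] = $v;
}
if (!filter_var($values['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'email is not a valid address';
}
foreach (['phone', 'cell'] as $f) {
    if (!preg_match('/^[0-9 ()+.-]{7,20}$/', $values[$f])) {
        $errors[] = "$f must be a phone number";
    }
}
if ($errors) {
    http_response_code(400);
    exit('please go back and fix: ' . htmlspecialchars(implode('; ', $errors)));
}

// id is omitted so AUTO_INCREMENT assigns it, instead of inserting '' as the original does.
$stmt = $pdo->prepare(
    'INSERT INTO coach (first, last, title, college, division, phone, cell, email)
     VALUES (:first, :last, :title, :college, :division, :phone, :cell, :email)'
);
$stmt->execute($values);
echo 'coach added';
```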

<?php include("../Login/include/session.php");?>
<?php include("../Login/function.php");?>
<?php
$username="***";
$password="***";
$database="***";

$coach="$user";

$first=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['first']))));
$last=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['last']))));
$title=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['title']))
$college=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['college']))));
$division=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['division']))));
$phone=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['phone']))));
$cell=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['cell']))));
$email=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['email']))));

mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
if(!empty($first)||!empty($last)||!empty($title)||!empty($college)||!empty($division)||!empty($phone)||!empty($cell)||!empty($email)){
$query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')";
mysql_query($query); 
} else{
echo "please go back and fill out the form";}

mysql_close();
?>


Parse error: syntax error, unexpected T_VARIABLE in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/insert.php on line 13


and you wonder why your function isn't working ;D

but I noticed

$title=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['title']))


should be:

$title=RemoveXSS(trim(strip_tags(mysql_real_escape_string($_POST['title']));


that should fix insert.php ;)


also you have a problem with your admin.php, can you post the code for that? :-\


Don't worry about admin.php, no one will be able to get on it, I'm going to secure that. (It's actually someone else's script, and I just edited the database info.)


But I'm pretty sure it's 4 closing parens, not just 3, for insert.php. Regardless, I fixed that and uploaded it to the server.


Can you check that hopefully one last time?


It's pretty big, but here is admin.php. I didn't make this, so you will probably have to help me out quite a bit.


<?php 

/*
Author - Ofri Markus
Date   - 3/12/03

This is a generic script to view and modify mysql databases.
All you need to do to use this script is:
1. Put it in your site, and call the file "admin.php".
2. Fill in the connection details on the first line, replace DB_USER AND DB_PASSWORD.
3. Fill in the database name on 2 lines, replace DB_NAME.

The advantage of this script is that is you don't need to 
modify it to your own scheme. it will work on any scheme.

I would be happy to receive comments and improved versions of 
this script to:

markus_ofri@hotmail.com

Enjoy!

*/

// Initial connection to the database
$database = mysql_connect("localhost", "***", "****");
mysql_select_db("****");

// Because the first time we enter the site we have'nt selected
// a table to view we init the number of rows in the current table
$rowNum=0;

?>

<html>
<body bgcolor="#ffffff">

<?php

// Get the data of the tables on the scheme
$result = mysql_list_tables ("****");

$i=0;
while ($i < mysql_num_rows ($result)) 
{
$tb_names[$i] = mysql_tablename ($result, $i);$i++;
}

// Check if we got here after pressing submit on the page
if (isset($_POST['submit']))
{
   // If we did press the submit button, we sould view the table that was on the select
   // box
   $submit=$_POST['submit'];
   $table=$_POST['table'];
}
else
{
// If we didn't get here after pressing the submit button, check if we already
// viewed one of the tables (and saved it's name on the hidden field hidtable
   	if (isset($_POST['hidtable']))
{
	$table = $_POST['hidtable'];
}
else
{
	$table="<i>not selected</i>";$xnum=0;
}
}

?>

<center>
<form name=ff method=post action="/admin.php">
<b>Select table</b>:<select name="table">
<?php 
for($x=0;$x<$i;$x++)
{?>
<option value="<? echo $tb_names[$x];?>" <? if (isset($table) && $table==$tb_names[$x]) {echo " selected ";} ?>><? echo $tb_names[$x];?></option>
<?php }?>
</select>
<input type="submit" name="submit" value="submit">



<?php 

// Check if we pressed the submit button and if we did - fetch the table data
if(isset($submit) || isset($_POST['hidtable'])){
$SQL="SELECT * FROM hidtable";
$result = mysql_query($SQL);


// Read all the data in the table
for ($j = 0; $j<$rowNum; ++$j) 
{
$row = mysql_fetch_array($result);
$currTable[$j]=$row;
}
}




?>



  <p> </p>

<br>

<?php

// Check to see if there was an update to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["update".$j]))
    {
	// Make an sql update query
        echo "<center>There was an update to row $j</center>";
        $sql="update $table set ";
        for ($i = 0; $i < $xnum; ++$i)
        {
		if ($numeric[$i]==1)
		{
            $sql.=$name[$i]."=".$_POST["$name[$i]".$j]." ";
		}
		else
		{
    	        $sql.=$name[$i]."='".$_POST["$name[$i]".$j]."' ";			
		}

		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}

        
    }
}

// Check to see if there was a delete to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["delete".$j]))
    {
        echo "<center>There was an delete to row $j</center>";
        $sql="delete from $table ";
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}
        
    }
}

// Check to see if there was an insert of a row
    if (isset($_POST["insert"]))
    {
        echo "<center>There was an insert of a row </center>";
        $sql="insert into $table values (";
        for ($i = 0; $i < $xnum; ++$i)
        {
        $sql.="'".$_POST["$name[$i]"."insert"]."' ";
		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.=")";
  		echo $sql;
        $result = mysql_query($sql);
        
    }




///////////////







if(isset($submit) || isset($_POST['hidtable'])){
$SQL="SELECT * FROM $table";
$result = mysql_query($SQL);
$xnum = mysql_num_fields($result); 
$rowNum = mysql_num_rows($result); 

}

?>




<center>
<table bgcolor=black>
<tr>
<?php
for ($i=0; $i<$xnum; ++$i)
{
$name[$i]=mysql_field_name($result,$i);
?>
<td bgcolor="#e3e3e3"><? echo $name[$i]; ?></td>	
<?php } ?>
</tr>

<?php for ($j = 0; $j<$rowNum; ++$j) 
{
$row = mysql_fetch_array($result);
$currTable[$j]=$row;
}
?>


<?php for ($j = 0; $j<$rowNum; ++$j) 
{
?>
<tr>
<?php for ($i=0; $i<$xnum; ++$i)
{
?>
<td><input name=<? echo "\"$name[$i]".$j."\""; ?> type="text" id=<? echo "\"$name[$i]\""; ?> value=<? $currRow=$currTable[$j]; echo "\"$currRow[$i]\""; ?>></td>

<?php } ?>
<td><input type="submit" name=<? echo "\"update".$j."\""; ?> value=<? echo "\"update\""; ?> height="10">
    <input type="submit" name=<? echo "\"delete".$j."\""; ?> value=<? echo "\"delete\""; ?> height="10">
</td>
</tr>
<?php } 
for ($i=0; $i<$xnum; ++$i)
{
?>
<td><input name=<? echo "\"$name[$i]"."insert\""; ?> type="text" id=<? echo "\"$name[$i]\""; ?>></td>

<?php } ?>

<td><input type="submit" name="insert" value="insert"></td>




</table>

</center>
<input type="hidden" name="hidtable" value=<? echo "\"$table\""; ?>>


</form>
</center>
</body>
</html>


<?php 

/*
Author - Ofri Markus
Date   - 3/12/03

This is a generic script to view and modify mysql databases.
All you need to do to use this script is:
1. Put it in your site, and call the file "admin.php".
2. Fill in the connection details on the first line, replace DB_USER AND DB_PASSWORD.
3. Fill in the database name on 2 lines, replace DB_NAME.

The advantage of this script is that is you don't need to 
modify it to your own scheme. it will work on any scheme.

I would be happy to receive comments and improved versions of 
this script to:

markus_ofri@hotmail.com

Enjoy!

*/

// Initial connection to the database
$database = mysql_connect("localhost", "", "");
mysql_select_db("");

// Because the first time we enter the site we have'nt selected
// a table to view we init the number of rows in the current table
$rowNum=0;

?>

<html>
<body bgcolor="#ffffff">

<?php

// Get the data of the tables on the scheme
$result = mysql_list_tables ("");

$i=0;
while ($i < mysql_num_rows ($result)) 
{
$tb_names[$i] = mysql_tablename ($result, $i);$i++;
}

// Check if we got here after pressing submit on the page
if (isset($_POST['submit']))
{
   // If we did press the submit button, we sould view the table that was on the select
   // box
   $submit=$_POST['submit'];
   $table=$_POST['table'];
}
else
{
// If we didn't get here after pressing the submit button, check if we already
// viewed one of the tables (and saved it's name on the hidden field hidtable
   	if (isset($_POST['hidtable']))
{
	$table = $_POST['hidtable'];
}
else
{
	$table="<i>not selected</i>";$xnum=0;
}
}

?>

<center>
<form name=ff method=post action="/admin.php">
<b>Select table</b>:<select name="table">
<?php 
for($x=0;$x<$i;$x++)
{?>
<option value="<? echo $tb_names[$x];?>" <? if (isset($table) && $table==$tb_names[$x]) {echo " selected ";} ?>><? echo $tb_names[$x];?></option>
<?php }?>
</select>
<input type="submit" name="submit" value="submit">



<?php 

// Check if we pressed the submit button and if we did - fetch the table data
if(isset($submit) || isset($_POST['hidtable'])){
$SQL="SELECT * FROM hidtable";
$result = mysql_query($SQL);
$rowNum = mysql_num_rows($result); 
$xnum = mysql_num_fields($result);


// Read all the data in the table
for ($j = 0; $j<$rowNum; ++$j) 
{
$row = mysql_fetch_array($result);
$currTable[$j]=$row;
}
}




?>



  <p> </p>

<br>

<?php

// Check to see if there was an update to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["update".$j]))
    {
	// Make an sql update query
        echo "<center>There was an update to row $j</center>";
        $sql="update $table set ";
        for ($i = 0; $i < $xnum; ++$i)
        {
		if ($numeric[$i]==1)
		{
            $sql.=$name[$i]."=".$_POST["$name[$i]".$j]." ";
		}
		else
		{
    	        $sql.=$name[$i]."='".$_POST["$name[$i]".$j]."' ";			
		}

		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}

        
    }
}

// Check to see if there was a delete to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["delete".$j]))
    {
        echo "<center>There was an delete to row $j</center>";
        $sql="delete from $table ";
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}
        
    }
}

// Check to see if there was an insert of a row
    if (isset($_POST["insert"]))
    {
        echo "<center>There was an insert of a row </center>";
        $sql="insert into $table values (";
        for ($i = 0; $i < $xnum; ++$i)
        {
        $sql.="'".$_POST["$name[$i]"."insert"]."' ";
		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.=")";
  		echo $sql;
        $result = mysql_query($sql);
        
    }




///////////////







if(isset($submit) || isset($_POST['hidtable'])){
$SQL="SELECT * FROM $table";
$result = mysql_query($SQL);
$xnum = mysql_num_fields($result); 
$rowNum = mysql_num_rows($result); 

}

?>


Also, please take out the code from your previous post. You saw the code before I took out the server password and username. I don't want anyone seeing that.


I get these errors, with the code you gave me.


Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 92

Warning: mysql_num_fields(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 93


done ;)


also next time please be sure to connect to the database when using new PHP tags ;)


<?php 

/*
Author - Ofri Markus
Date   - 3/12/03

This is a generic script to view and modify mysql databases.
All you need to do to use this script is:
1. Put it in your site, and call the file "admin.php".
2. Fill in the connection details on the first line, replace DB_USER AND DB_PASSWORD.
3. Fill in the database name on 2 lines, replace DB_NAME.

The advantage of this script is that is you don't need to 
modify it to your own scheme. it will work on any scheme.

I would be happy to receive comments and improved versions of 
this script to:

markus_ofri@hotmail.com

Enjoy!

*/

// Initial connection to the database
$database = mysql_connect("localhost", "", "");
mysql_select_db("tullyl00_corn");

// Because the first time we enter the site we have'nt selected
// a table to view we init the number of rows in the current table
$rowNum=0;

?>

<html>
<body bgcolor="#ffffff">

<?php

// Get the data of the tables on the scheme
$result = mysql_list_tables ("");

$i=0;
while ($i < mysql_num_rows ($result)) 
{
$tb_names[$i] = mysql_tablename ($result, $i);$i++;
}

// Check if we got here after pressing submit on the page
if (isset($_POST['submit']))
{
   // If we did press the submit button, we sould view the table that was on the select
   // box
   $submit=$_POST['submit'];
   $table=$_POST['table'];
}
else
{
// If we didn't get here after pressing the submit button, check if we already
// viewed one of the tables (and saved it's name on the hidden field hidtable
   	if (isset($_POST['hidtable']))
{
	$table = $_POST['hidtable'];
}
else
{
	$table="<i>not selected</i>";$xnum=0;
}
}

?>

<center>
<form name=ff method=post action="/admin.php">
<b>Select table</b>:<select name="table">
<?php 
for($x=0;$x<$i;$x++)
{?>
<option value="<? echo $tb_names[$x];?>" <? if (isset($table) && $table==$tb_names[$x]) {echo " selected ";} ?>><? echo $tb_names[$x];?></option>
<?php }?>
</select>
<input type="submit" name="submit" value="submit">



<?php 

// Check if we pressed the submit button and if we did - fetch the table data
if(isset($submit) || isset($_POST['hidtable'])){
$database = mysql_connect("localhost", "", "");
mysql_select_db("");
$SQL="SELECT * FROM hidtable";
$result = mysql_query($SQL);
$rowNum = mysql_num_rows($result); 
$xnum = mysql_num_fields($result);


// Read all the data in the table
for ($j = 0; $j<$rowNum; ++$j) 
{
$row = mysql_fetch_array($result);
$currTable[$j]=$row;
}
}




?>



  <p> </p>

<br>

<?php

// Check to see if there was an update to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["update".$j]))
    {
	// Make an sql update query
        echo "<center>There was an update to row $j</center>";
        $sql="update $table set ";
        for ($i = 0; $i < $xnum; ++$i)
        {
		if ($numeric[$i]==1)
		{
            $sql.=$name[$i]."=".$_POST["$name[$i]".$j]." ";
		}
		else
		{
    	        $sql.=$name[$i]."='".$_POST["$name[$i]".$j]."' ";			
		}

		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}

        
    }
}

// Check to see if there was a delete to a row
for ($j = 0; $j<$rowNum; ++$j) 
{
    if (isset($_POST["delete".$j]))
    {
        echo "<center>There was an delete to row $j</center>";
        $sql="delete from $table ";
        $sql.="WHERE ";
	$notFirstKey = 0;
    for ($i = 0; $i < $xnum; ++$i)
        {	
		if ($key[$i]==1)
		{
			if ($notFirstKey == 0) {$notFirstKey=1;}
			else {$sql.=" AND ";}
            	$sql.=$name[$i]."=".$currTable[$j][$i];

		}

        }
	if ($notFirstKey == 0) {
		echo "Table does not have a primary key, not doing anything";
	}
	else {
  		echo $sql;
        $result = mysql_query($sql);
	}
        
    }
}

// Check to see if there was an insert of a row
    if (isset($_POST["insert"]))
    {
        echo "<center>There was an insert of a row </center>";
        $sql="insert into $table values (";
        for ($i = 0; $i < $xnum; ++$i)
        {
        $sql.="'".$_POST["$name[$i]"."insert"]."' ";
		if ($i != $xnum-1) {$sql.=",";}
        }
        $sql.=")";
  		echo $sql;
        $result = mysql_query($sql);
        
    }




///////////////







if(isset($submit) || isset($_POST['hidtable'])){
$SQL="SELECT * FROM $table";
$result = mysql_query($SQL);
$xnum = mysql_num_fields($result); 
$rowNum = mysql_num_rows($result); 

}

?>

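The warnings above come from the line SELECT * FROM hidtable, which queries a table literally named hidtable instead of the one in $table, but the bigger problems with admin.php are that it has no login check, takes the table name from $_POST straight into SQL, and never fills the $key[] array its UPDATE and DELETE WHERE clauses depend on. The block below is an added example by the editor, not the thread's code or Ofri Markus's script, showing those three controls; it assumes ../Login/include/session.php sets $user and an $is_admin flag (assumed name), a delete[<key column>]=<value> form layout (assumed), and placeholder database credentials.

```php
<?php
// Added example, not the thread's code or Ofri Markus's script: an admin
// login gate, an allow-list for the table name taken from $_POST, and a
// primary-key lookup from the server instead of the never-set $key[].
// Assumes ../Login/include/session.php sets $user and an $is_admin flag
// (assumed name); the DSN credentials are placeholders.
require_once '../Login/include/session.php';

if (empty($user) || empty($is_admin)) {
    http_response_code(403);
    exit('admin login required');
}

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Identifiers cannot be bound as parameters, so a user-chosen table name is
// only used after it matches a name the server itself reports.
function tableNames(PDO $pdo): array {
    return $pdo->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN);
}

function quoteIdent(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

function selectedTable(PDO $pdo, array $post): ?string {
    $requested = $post['table'] ?? $post['hidtable'] ?? null;
    return in_array($requested, tableNames($pdo), true) ? $requested : null;
}

// Primary-key columns as the server knows them, instead of the unset $key[].
function primaryKeyColumns(PDO $pdo, string $table): array {
    $rows = $pdo->query('SHOW KEYS FROM ' . quoteIdent($table) . " WHERE Key_name = 'PRIMARY'")
                ->fetchAll(PDO::FETCH_ASSOC);
    return array_column($rows, 'Column_name');
}

// Delete one row identified by its full primary key; every value is bound.
function deleteRow(PDO $pdo, string $table, array $keyValues): int {
    $cols = primaryKeyColumns($pdo, $table);
    if ($cols === []) {
        throw new RuntimeException("$table has no primary key, not doing anything");
    }
    $where = implode(' AND ', array_map(fn($c) => quoteIdent($c) . ' = ?', $cols));
    $stmt  = $pdo->prepare('DELETE FROM ' . quoteIdent($table) . " WHERE $where");
    $stmt->execute(array_map(fn($c) => $keyValues[$c] ?? null, $cols));
    return $stmt->rowCount();
}

$table = selectedTable($pdo, $_POST);
if ($table === null) {
    exit('table not selected');
}
// Assumed form layout: the delete button posts delete[<key column>]=<value>.
if (isset($_POST['delete']) && is_array($_POST['delete'])) {
    echo deleteRow($pdo, $table, $_POST['delete']) . ' row(s) deleted';
}
```

The same quoteIdent/primaryKeyColumns pair serves the UPDATE path: build the SET list from server-reported column names and bind the values, rather than concatenating $_POST as the script does.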