Stooney Posted November 4, 2008

Referring to the Firefox add-on. I'm new to it and don't quite understand the results. I'm testing a login form whose input only goes through mysql_real_escape_string. I thought that was enough to be safe. SQL Inject Me is giving some results like so:

Server Status Code: 302 Found
Tested value: 1' OR '1'='1

What exactly is the 302 error, and what else do I need to do aside from mysql_real_escape_string?

Link to comment: https://forums.phpfreaks.com/topic/131309-sql-inject-me/
waynew Posted November 4, 2008

A redirection probably happened as soon as it tested that value. Are you whitelisting and redirecting if the value is incorrect? Is the user brought to a new page when they post to this form?
Stooney (author) Posted November 4, 2008

Upon clicking 'login' (which is located on index.php) the form is submitted to my login controller (http://site.com/login), which is where everything is processed and the user is either logged in or not. After all that there's a header("Location: " . $site_url); with $site_url being 'http://site.com/'. So in short, they click login, it's processed and they're redirected back to index.php (or technically the index controller in this case).
waynew Posted November 4, 2008

-> Form on index controller
-> Form submission leads to login controller
-> Login controller redirects back to index controller

That's why you're getting a 302.
Stooney (author) Posted November 4, 2008

So is that a bad thing? Or something to just ignore?
waynew Posted November 4, 2008

Not a bad thing. At least I don't think it is. Would probably have worse implications if it didn't redirect.
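The thread settles the 302 (it is just the login controller's redirect, so the scanner reports the status of the page it lands on rather than anything about the query) but leaves the first post's real question open: when is mysql_real_escape_string enough? The following is an added example, not code from the thread. It uses SQLite through PDO so it runs offline, and a quote-doubling helper stands in for mysql_real_escape_string, which needs a live MySQL link; the conclusion is the same for MySQL. It shows the scanner's own payload being neutralised when the escaped value sits inside a quoted string literal, the same escaping doing nothing for an unquoted integer context, and a prepared statement covering both cases. The table, rows and inputs are constructed for the demo.

```php
<?php
// Added example, not from the forum post. SQLite via PDO so it runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows

// Stand-in for mysql_real_escape_string(): SQLite escapes a quote by doubling it.
// Like the real function, it only touches characters that matter inside a string literal.
function escapeForLiteral(string $s): string
{
    return str_replace("'", "''", $s);
}

// Case 1: escaped value inside a quoted literal. This is the situation the
// first post describes, and it is safe against the scanner's payload.
function countByUsernameEscaped(PDO $pdo, string $username): int
{
    $u = escapeForLiteral($username);
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$u'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Case 2: escaped value interpolated WITHOUT quotes (a numeric column). The
// payload contains no quote, so escaping changes nothing and the OR is live.
function countByIdEscapedUnquoted(PDO $pdo, string $id): int
{
    $i = escapeForLiteral($id);          // "1 OR 1=1" comes back unchanged
    $sql = "SELECT COUNT(*) FROM users WHERE id = $i";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Case 3: prepared statement. The value is bound as data, never parsed as SQL,
// so neither the quoted nor the unquoted context can be broken out of.
function countByIdPrepared(PDO $pdo, string $id): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE id = ?");
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn();
}

$scannerPayload = "1' OR '1'='1";   // the value SQL Inject Me reported
$numericPayload = "1 OR 1=1";        // constructed payload for the unquoted case

printf("quoted + escaped,   payload %-14s -> %d rows (expect 0)\n",
    var_export($scannerPayload, true), countByUsernameEscaped($pdo, $scannerPayload));
printf("unquoted + escaped, payload %-14s -> %d rows (expect 2: every user)\n",
    var_export($numericPayload, true), countByIdEscapedUnquoted($pdo, $numericPayload));
printf("prepared,           payload %-14s -> %d rows (expect 0)\n",
    var_export($numericPayload, true), countByIdPrepared($pdo, $numericPayload));
printf("prepared,           id      %-14s -> %d rows (expect 1)\n",
    var_export("1", true), countByIdPrepared($pdo, "1"));
```

The practical check for a scanner result like the one in the first post is therefore not the status code but behaviour: submit the payload by hand and see whether the controller logs you in, errors, or treats it as a bad username. If every value that reaches a query is either inside quotes and escaped, or cast to the expected type (for example (int)$id) before being interpolated, the escaping approach holds; the one place it silently fails is an unquoted numeric context, and a prepared statement removes that class of mistake entirely.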