Security Issue in my script - injection


vividona

Hi friends,

Please check my poor script:

 

http://bhl.43i.net

 

admin account: aaa

admin pass : aaa

 

if you open any article like:

 

http://bhl.43i.net/index.php?Artid=16

 

If I put a single quote ( ' ) after the article number in the browser, it gives this message:

 

http://bhl.43i.net/index.php?Artid=16'

 

Note: I am using this code.

I used addslashes() when I insert the text into the database

and stripslashes() when I select the text from the database.

Is that correct?

 

    // Fragment of the poster's article class. Each method returns null when
    // magic quotes are on, because there is no else branch.
    // Note: get_magic_quotes_gpc() always returns false from PHP 5.4 onward
    // (magic quotes were removed) and the function itself was removed in PHP 8.0.

    // Subject: HTML-escape, then backslash-escape quotes before the INSERT
    public function ClnArtiSub(){
        if( ! get_magic_quotes_gpc() ){
            return addslashes(htmlspecialchars( $this->ArtiSub ));
        }
    }

    // Subject on output: strips the backslashes, but applies htmlspecialchars()
    // a second time, so entities stored by ClnArtiSub() get double-encoded
    public function StripArtiSub() {
        if( ! get_magic_quotes_gpc() ) {
            return stripslashes(htmlspecialchars( $this->ArtiSub ));
        }
    }

    // Body: same treatment as the subject
    public function ClnArtiBod(){
        if( ! get_magic_quotes_gpc() ){
            return addslashes(htmlspecialchars( $this->ArtiBod ));
        }
    }

    public function StripArtiBod() {
        if( ! get_magic_quotes_gpc() ) {
            return stripslashes(htmlspecialchars( $this->ArtiBod ));
        }
    }

 

 


If you can, just disable magic quotes (chances are they're already disabled).

 

Instead of add/strip slashes functions, just use mysql_real_escape_string when INSERTING data into database (no need to do that when outputting data).

artid is probably a numeric data type. We would need to see your code that processes artid and the query to know for sure what is happening, but when you do addslashes(htmlspecialchars()) with the single quote present and put the result in a numeric data type, it is breaking your query, and the query is failing due to a syntax error.

 

If you change addslashes to mysql_real_escape_string() it might help, because addslashes does not escape all the special characters that can break a query. What you should do is validate that artid only contains numeric characters, or you can cast it to be an integer using (int).

 

Your code should also check if the mysql_query() worked or failed. This is the reason for the existing error message: your query returned a FALSE value due to an SQL syntax error instead of a result resource, and your mysql_fetch_xxxxxx() function failed.
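The reply above amounts to three rules: accept Artid only when it is purely numeric, never splice raw request input into the query, and check every database call's return value before fetching. This is an added example, not the poster's script or any code from the thread; it assumes a table named `articles` with an integer primary key `Artid` and a text column `ArtiBod`, and uses mysqli with a bound parameter in place of the mysql_* functions the thread discusses (those were removed in PHP 7).

```php
<?php
// Added example (not the original poster's code). Assumed schema:
// table `articles` with integer primary key `Artid` and text column `ArtiBod`.

// Rule 1: accept Artid only if it consists of digits, otherwise return null.
// An input such as "16'" fails here, so no query is ever built from it.
function articleIdFromRequest(array $get): ?int
{
    if (!isset($get['Artid']) || !ctype_digit((string) $get['Artid'])) {
        return null;
    }
    return (int) $get['Artid'];
}

// The fragile shape the thread describes: the raw parameter is concatenated
// into the SQL, a stray quote breaks the syntax, mysql_query() returns FALSE,
// and the following mysql_fetch_*() call emits the warning the poster saw.
//   $res = mysql_query("SELECT ArtiBod FROM articles WHERE Artid = " . $_GET['Artid']);

// Rules 2 and 3: validated integer bound as a parameter (no addslashes() or
// escaping step is needed for a bound value) and every call's result checked.
function fetchArticleBody(mysqli $db, array $get): ?string
{
    $id = articleIdFromRequest($get);
    if ($id === null) {
        return null; // reject the request; the caller can answer with a 404
    }
    $stmt = $db->prepare('SELECT ArtiBod FROM articles WHERE Artid = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error); // log it, never echo SQL errors to the user
        return null;
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        return null;
    }
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    // HTML-escape once, at output time only, so stored text is never double-encoded.
    return $found ? htmlspecialchars($body, ENT_QUOTES, 'UTF-8') : null;
}

// Usage (connection details are placeholders):
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $body = fetchArticleBody($db, $_GET);
// echo $body ?? 'Article not found';
```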

 

Hi brother,

I should validate Artid, then use mysql_real_escape_string instead of addslashes.

Please keep in touch; I will report back to you.

 

But keep in mind:

I didn't make an insertion for Artid;

I made it auto-increment.

I just select it from the database.

But please see this link:

mysql_real_escape_string() VS addslashes()

http://www.sitepoint.com/forums/showthread.php?t=337881

 

mysql_real_escape_string() takes the current database connection encoding into consideration when encoding strings. It doesn't mean it's safer. It means that it will not screw your data up if you're using something other than ASCII.
