
[Sql Injection] Need To Redo My Query And/or The Form


Swarfega


Hi.

I've established a possible SQL Injection on my site, and I'm curious as to what the best type of fix would be for it.

Here's the SQL Error on the Page:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.$_SESSION['SESS_MEMBER_ID'].'', 'Klotterplanket')' at line 1

And here's the query:

```php
<?php
$deletedmessage = $getdata['message']; // raw textarea value from the form

// $_GET['id'] is concatenated straight into the SQL string (no escaping, no casting).
$sql = "DELETE FROM klotterplanket WHERE id='".$_GET['id']."'";
mysql_query($sql) or die(mysql_error());

// $deletedmessage (and $fullname) are concatenated into the SQL string as well;
// a single quote in the textarea breaks the statement, which is the error shown above.
$sql = "INSERT INTO adminlogs(uid, name, message, vart) VALUES('".$_SESSION['SESS_MEMBER_ID']."', '$fullname', '".$deletedmessage."', 'Klotterplanket')";
// die(mysql_error()) prints the database error to the page for any visitor to read.
$query = mysql_query($sql) or die(mysql_error());

// Note: header() has to be sent before any output; echo before header() gives
// "headers already sent", and the alert is never seen after a redirect anyway.
if($query) {
    header("Location: klotterplank.php");
    echo '<script>alert("Meddelande Borttaget!")</script>';
} else {
    echo '<script>alert("Något gick snett!") </script>';
    header("Location: klotterplank.php");
}
```

The Deletion part works flawlessly, since that does not include the textarea of the Form. $getdata['message'] = form textarea value.

My first thought was to use str_replace on the textarea if the string contains '.$ or '. $ or ' . $ or ' .$ but I was wondering if anyone has better ideas?

Don't just use mysql_real_escape_string, as it's not proper protection.

You can do a number of things:

  • Validation
  • Sanitation
  • Type casting
  • Prepared statements (highly recommended)

Now Google your heart out to find out what each is.
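Prepared statements applied to the two queries from the first post, as an added example that is not code from this thread; it assumes a PDO connection with placeholder credentials and the same $getdata, $fullname and $_SESSION['SESS_MEMBER_ID'] variables as the original post:

```php
<?php
// Placeholder DSN and credentials (assumed, replace with your own).
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD');
// Throw on errors instead of silently returning false, and use real
// server-side prepares rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Hypothetical helper name. Values are bound to ? placeholders and sent to
// MySQL separately from the SQL text, so quotes, '.$ or anything else typed
// into the textarea cannot change the statement.
function deleteKlotterMessage(PDO $pdo, int $id, string $uid, string $fullname, string $deletedMessage): bool
{
    $pdo->beginTransaction();
    try {
        $del = $pdo->prepare('DELETE FROM klotterplanket WHERE id = ?');
        $del->execute([$id]);

        $log = $pdo->prepare(
            'INSERT INTO adminlogs (uid, name, message, vart) VALUES (?, ?, ?, ?)'
        );
        $log->execute([$uid, $fullname, $deletedMessage, 'Klotterplanket']);

        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack();
        // Log the database error server-side; never echo it to the page
        // the way die(mysql_error()) does.
        error_log('adminlog delete failed: ' . $e->getMessage());
        return false;
    }
}

// Type casting for the id: reject anything that is not an integer up front.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

$ok = deleteKlotterMessage($pdo, $id, (string) $_SESSION['SESS_MEMBER_ID'], $fullname, $getdata['message']);

// Redirect before any output, and pass the result as a query parameter
// so klotterplank.php can show the message instead of a JS alert here.
header('Location: klotterplank.php?deleted=' . ($ok ? '1' : '0'));
exit;
```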

I can't see why your query shouldn't work. What are the contents of the session variable?

You need to echo the $sql variable so that you can see exactly what is wrong with the query statement.


Based on the sql error message, you likely have some single-quotes around the variables you are assigning to $deletedmessage.
