Swarfega Posted January 2, 2013

Hi. I've established a possible SQL injection on my site, and I'm curious as to what the best type of fix would be for it.

Here's the SQL error on the page:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.$_SESSION['SESS_MEMBER_ID'].'', 'Klotterplanket')' at line 1

And here's the query:

    // text of the message being deleted, taken from the form textarea
    $deletedmessage = $getdata['message'];

    // delete the message; id comes straight from the query string
    $sql = "DELETE FROM klotterplanket WHERE id='".$_GET['id']."'";
    mysql_query($sql) or die(mysql_error());

    // log the deletion; the message text is concatenated into the SQL string
    $sql = "INSERT INTO adminlogs(uid, name, message, vart) VALUES('".$_SESSION['SESS_MEMBER_ID']."', '$fullname', '".$deletedmessage."', 'Klotterplanket')";
    $query = mysql_query($sql) or die(mysql_error());

    if($query) {
        header("Location: klotterplank.php");
        echo '<script>alert("Meddelande Borttaget!")</script>';   // "Message deleted!"
    } else {
        echo '<script>alert("Något gick snett!") </script>';      // "Something went wrong!"
        header("Location: klotterplank.php");
    }

The deletion part works flawlessly, since that does not include the textarea of the form. $getdata['message'] = form textarea value.

My first thought was to use str_replace on the textarea if the string contains '.$ or '. $ or ' . $ or ' .$, but I was wondering if anyone knows some better ideas?
MDCode Posted January 2, 2013

mysql_real_escape_string
cpd Posted January 2, 2013 (edited)

Don't just mysql_real_escape_string, as it's not proper protection. You can do a number of things:

- Validation
- Sanitation
- Type casting
- Prepared statements (highly recommended)

Now Google your heart out to find out what each is.

I can't see why your query shouldn't work. What's the contents of the session variable?

Edited January 2, 2013 by CPD
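As an added example (not code from the thread or from either poster), here are the two queries from the original post rewritten the way the reply above recommends: the id is validated and type-cast to an integer, and the values are passed as bound parameters of PDO prepared statements instead of being concatenated into the SQL text. It goes a little beyond the post by reading the message back inside a transaction before deleting it. The `klotterplanket` and `adminlogs` schema is guessed from the column names in the post, and the example uses an in-memory SQLite database so it runs offline; with MySQL you would only change the DSN. Note that the old `mysql_` extension used in the post has no prepared-statement support at all, so moving to `mysqli` or PDO is part of the fix.

```php
<?php
// Added example, not the poster's code. Assumed schema and an in-memory SQLite
// database stand in for the real MySQL tables; swap the DSN for
// "mysql:host=localhost;dbname=app;charset=utf8mb4" plus credentials in production.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Minimal stand-in schema (assumed; the real schema is not in the post).
    $db->exec("CREATE TABLE klotterplanket (id INTEGER PRIMARY KEY, message TEXT)");
    $db->exec("CREATE TABLE adminlogs (uid INTEGER, name TEXT, message TEXT, vart TEXT)");
    return $db;
}

// Delete one message and record the action in adminlogs.
// User-controlled values never become part of the SQL string: the id is
// validated and cast to int, everything else is a bound parameter.
function deleteAndLog(PDO $db, string $rawId, int $uid, string $fullname): bool {
    // Validation + type casting: only a string of digits is accepted as an id.
    if (!ctype_digit($rawId)) {
        return false;
    }
    $id = (int) $rawId;

    $db->beginTransaction();
    try {
        // Read the message text first (what the post stores in $getdata['message']).
        $sel = $db->prepare("SELECT message FROM klotterplanket WHERE id = :id");
        $sel->execute([':id' => $id]);
        $message = $sel->fetchColumn();
        if ($message === false) {
            $db->rollBack();
            return false;
        }

        $del = $db->prepare("DELETE FROM klotterplanket WHERE id = :id");
        $del->execute([':id' => $id]);

        // The message travels to the server separately from the statement text,
        // so quotes, backslashes or PHP-looking fragments in it cannot alter the SQL.
        $log = $db->prepare(
            "INSERT INTO adminlogs (uid, name, message, vart)
             VALUES (:uid, :name, :message, 'Klotterplanket')"
        );
        $log->execute([':uid' => $uid, ':name' => $fullname, ':message' => $message]);

        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo with constructed data: the stored message contains the exact fragment that
// appears in the error from the original post, plus a stray quote and a comment marker.
$db = connect();
$ins = $db->prepare("INSERT INTO klotterplanket (id, message) VALUES (:id, :message)");
$ins->execute([':id' => 7, ':message' => "'.\$_SESSION['SESS_MEMBER_ID'].'', 'x'); -- "]);

// A well-formed id: the row is deleted and the hostile text is logged verbatim.
var_dump(deleteAndLog($db, "7", 1, "Admin"));

// An id with extra SQL appended is rejected by ctype_digit before any query runs.
var_dump(deleteAndLog($db, "7 OR 1=1", 1, "Admin"));

// Show what actually landed in the log table.
var_dump($db->query("SELECT message FROM adminlogs")->fetchColumn());
```

The `ctype_digit` check is what the reply calls validation; the `(int)` cast is type casting; the `:id`, `:uid`, `:name` and `:message` placeholders are the prepared-statement part. `mysql_real_escape_string` only addresses the quoting of string literals, which is why it is not enough on its own for an unquoted or numeric context.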
Swarfega Posted January 2, 2013 (Author)

The contents would be for example '1'. UserID = 1
PFMaBiSmAd Posted January 2, 2013

You need to echo the $sql variable so that you can see exactly what is wrong with the query statement. Based on the SQL error message, you likely have some single-quotes around the variables you are assigning to $deletedmessage.