OxAlien Posted December 9, 2013

Greetings

```php
<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
    print "<h1>";
    print "Welcome";
    print "</h1>";
    print "<br><br><br>";
    echo "<center>";
    print "<form action=\"\" method=\"POST\">";
    print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\"> ";
    print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
    print "</form>";
} else {
    $name = $_POST['dgt'];
    if(strlen($name) != "10") {
        print "Name is incorrect.";
    } else {
        // $name is interpolated straight into the SQL text: this is the injection point
        $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
        if(mysql_num_rows($query) > 0){
            $row = mysql_fetch_assoc($query);
            print "True";
            print "$row[no]";
        }else{
            print "False";
        }
    }
}
?>
```

This script is vulnerable to SQLi. I need help in fixing the vulnerability please.
hitman6003 Posted December 9, 2013

Just sanitize your input. Check to make sure the user(s) provide input that is correct/valid, and use the "real_escape_string" functions before doing inserts.

http://php.net/mysql_real_escape_string
http://php.net/mysqli.real_escape_string
hitman6003 Posted December 9, 2013

StackOverflow's top voted PHP post is about SQL injection: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
aysiu Posted December 9, 2013

Use prepared statements, and use mysqli or PDO instead of mysql.
OxAlien (Author) Posted December 9, 2013

Thanks for your help guys. Here is my code now:

```php
<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
    print "<h1>";
    print "Welcome";
    print "</h1>";
    print "<br><br><br>";
    echo "<center>";
    print "<form action=\"\" method=\"POST\">";
    print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\"> ";
    print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
    print "</form>";
} else {
    $name = $_POST['dgt'];
    if(strlen($name) != "10") {
        print "Name is incorrect.";
    } else {
        $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
        $fix = mysql_real_escape_string($query);
        if(mysql_num_rows($fix) > 0){
            $row = mysql_fetch_assoc($fix);
            print "True";
            print "$row[no]";
        }else{
            print "False";
        }
    }
}
?>
```

What did I do wrong here?
Ch0cu3r Posted December 9, 2013 (Solution, edited)

> What did I do wrong here?

You applied mysql_real_escape_string to the query. This function should be used on values to be used within the query.

This

```php
$name = $_POST['dgt'];
if(strlen($name) != "10") {
    print "Name is incorrect.";
} else {
    $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
    $fix = mysql_real_escape_string($query);
```

Should be

```php
$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value, so it is safe to use in the query later
if(strlen($name) != "10") {
    print "Name is incorrect.";
} else {
    $query = mysql_query("SELECT * FROM contacts WHERE name ='$name'");
```

Edited December 9, 2013 by Ch0cu3r
OxAlien (Author) Posted December 9, 2013

> You applied mysql_real_escape_string to the query. This function should be used on values to be used within the query.

Thank you so much. "mysql_real_escape_string()" didn't work for me, so I used "addslashes()". Is the addslashes() command enough to prevent SQL injection in that particular parameter?
Ch0cu3r Posted December 9, 2013 (edited)

> is the addslashes() command enough to prevent SQL injection in that particular parameter?

No, as there are characters other than quotes that can cause SQL injection, which mysql_real_escape_string() also escapes.

> "mysql_real_escape_string()" didn't work for me

In what way did it not work for you? The code I posted is the correct usage for that function.

Edited December 9, 2013 by Ch0cu3r
OxAlien (Author) Posted December 9, 2013

> In what way did it not work for you? The code I posted is the correct usage for that function.

After submitting the name, the page reads "Problem Loading page" & "The connection was reset". But I don't get that error when using addslashes() instead of mysql_real_escape_string().
Ch0cu3r Posted December 9, 2013

Sounds to me like PHP is not connecting to MySQL correctly, or your server is not set up quite right. Where are you running this code?
Barand Posted December 9, 2013

```php
$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value, so it is safe to use in the query later
if(strlen($name) != "10") {
```

Wouldn't it be more sensible to validate before sanitizing, as the content could be affected by mysql_real_escape_string()?
Ch0cu3r Posted December 9, 2013

Yeah, that would be more sensible.
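The lookup rebuilt the way the thread converges on, with aysiu's PDO prepared statement and Barand's validate-before-escape ordering, as an added example that is not any poster's code. It assumes PHP 7.1 or later, a local MySQL server reachable through the placeholder DSN and credentials, and the `contacts` table with the `name` and `no` columns the original script used.

```php
<?php
// Added example, not code from the thread. The DSN and credentials are
// placeholders; the `contacts` table with `name` and `no` columns comes
// from the original script.
const DSN = 'mysql:host=localhost;dbname=name;charset=utf8mb4';
function connect(): PDO
{
    return new PDO(DSN, 'xxx', 'xxx', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so the value is never spliced
        // into the SQL text on the client side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Validate the raw value first (Barand's point): escaping would change
// its length, so the 10-character rule must be checked before anything
// touches the string. Returns null for an invalid name.
function validateName($raw): ?string
{
    if (!is_string($raw) || strlen($raw) !== 10) {
        return null;
    }
    return $raw;
}

// The name travels as a bound parameter, separate from the query text, so
// quotes, backslashes or comment markers inside it stay data.
function lookupContact(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT `no` FROM contacts WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (!isset($_POST['submit'])) {
    echo '<h1>Welcome</h1><br><br><br><center>';
    echo '<form action="" method="POST">';
    echo '<input name="dgt" id="Join" style="width:400px" type="text"> ';
    echo '<input name="submit" value="Join" type="submit">';
    echo '</form></center>';
} elseif (($name = validateName($_POST['dgt'] ?? null)) === null) {
    echo 'Name is incorrect.';
} else {
    $row = lookupContact(connect(), $name);
    // Escape on output too: the value came from the database, not from code.
    echo $row === null ? 'False' : 'True ' . htmlspecialchars((string) $row['no'], ENT_QUOTES, 'UTF-8');
}
```

Because the mysql_* extension was removed in PHP 7, this version also sidesteps the AppServ/PHP 5.2.6 problem discussed further down the thread.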
OxAlien (Author) Posted December 9, 2013 (edited)

> Sounds to me like PHP is not connecting to MySQL correctly, or your server is not set up quite right. Where are you running this code?

Using AppServ on Windows. I ran mysql_real_escape_string() on multiple browsers but they all returned the same result, "error on page". So I'm guessing the problem could be from AppServ.

Edited December 9, 2013 by OxAlien
Ch0cu3r Posted December 9, 2013

It's a bit outdated. It uses PHP 5.2.6, which was released 5 years ago! PHP's latest releases are 5.4 and 5.5. I recommend updating your AMP stack as soon as possible to more recent versions, to something like WAMP or XAMPP. Or better yet, install the AMP stack manually yourself.
OxAlien (Author) Posted December 10, 2013

> It's a bit outdated. It uses PHP 5.2.6, which was released 5 years ago! [...] I recommend updating your AMP stack as soon as possible to more recent versions, to something like WAMP or XAMPP.

Tried the function "mysql_real_escape_string()" on XAMPP and it worked like a charm (y). Thanks, everything works perfectly now.