Fixing SQLi Vulnerability Help

[OxAlien]

Greetings

<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
print "<h1>";
print "Welcome";
print "</h1>";
print "<br><br><br>";
echo "<center>";
print "<form action=\"\" method=\"POST\">";
print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\">   ";
print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
print "</form>";

} else {
$name = $_POST['dgt'];
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
if(mysql_num_rows($query) > 0){
            $row = mysql_fetch_assoc($query);
            print "True";
			print "$row[no]";
        }else{
			print "False";
			
        }
}
}
?>

This script is vulnerable to SQLi I need help in fixing the vulnerability please.

[hitman6003]

Just sanitize your input.  Check to make sure the user(s) provide input that is correct/valid and use the "real_escape_string" functions before doing inserts.

 

http://php.net/mysql_real_escape_string

http://php.net/mysqli.real_escape_string

[hitman6003]

StackOverflow's top voted php post is about SQL injection:

 

http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

[aysiu]

Use prepared statements, and use mysqli or PDO instead of mysql.

[OxAlien]

Thanks for your help guys.

 

Here is my code now:

<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
print "<h1>";
print "Welcome";
print "</h1>";
print "<br><br><br>";
echo "<center>";
print "<form action=\"\" method=\"POST\">";
print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\">   ";
print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
print "</form>";

} else {
$name = $_POST['dgt'];
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
$fix = mysql_real_escape_string($query);
if(mysql_num_rows($fix) > 0){
            $row = mysql_fetch_assoc($fix);
            print "True";
			print "$row[no]";
        }else{
			print "False";
			
        }
}
}
?>

What did I do wrong here?

[Ch0cu3r]

 

What did I do wrong here?

You applied mysql_real_escape_string to the query. 

 

This function should be used on values to be used within the query.

 

This

$name = $_POST['dgt'];
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
$fix = mysql_real_escape_string($query);

Should be

$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value. So it safe to use in the query later
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name'");

Edited December 9, 2013 by Ch0cu3r

[OxAlien]

 

You applied mysql_real_escape_string to the query. 

 

This function should be used on values to be used within the query.

 

This

$name = $_POST['dgt'];
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
$fix = mysql_real_escape_string($query);

Should be

$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value. So it safe to use in the query later
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name'");

 

Thank you so much.

 

"mysql_real_escape_string()" didn't work for me so I used "addslashes()"

 

is the addslashes() command enough to prevent sql injection in that particular perimeter?

[Ch0cu3r]

 

is the addslashes() command enough to prevent sql injection in that particular perimeter?

No. As there are characters other than quotes that can cause SQL injection, which mysql_real_escape_strings also escapes.

 

 

"mysql_real_escape_string()" didn't work for me

In what way did it not work for you? The code I posted is the correct usage for that function.

Edited December 9, 2013 by Ch0cu3r

[OxAlien]

In what way did it not work for you? The code I posted is the correct usage for that function.

 

After submitting the name, the page reads "Problem Loading page" & "The connection was reset"

 

But I don't get that error when using addslashes() instead of mysql_real_escape_string()

[Ch0cu3r]

Sounds to me PHP is not connecting to MySQL correctly. Or your server is not setup quite right. Where are you running this code?

[Barand]

 

 

$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value. So it safe to use in the query later
if(strlen($name) != "10") {

 

Wouldn't it be more sensible to validate before sanitizing as the content could be affected by mysql_real_escape_string()?

[Ch0cu3r]

Yea, that would be more sensible.

[OxAlien]

Sounds to me PHP is not connecting to MySQL correctly. Or your server is not setup quite right. Where are you running this code?

Using AppServ on windows.

 

ran the mysql_real_escape_string() on multiple browsers but they all returned the same result "error on page".

 

So I'm guessing the problem could be from AppServ.

Edited December 9, 2013 by OxAlien

[Ch0cu3r]

Its a bit outdated. It use PHP5.2.6 which was released 5 years ago! PHP latests releases are 5.4 and 5.5

 

I recommend updating your AMP stack as soon as possible to more recent versions, to something like WAMP or XAMPP. Or better yet install the AMP stack manually yourself.

[OxAlien]

Its a bit outdated. It use PHP5.2.6 which was released 5 years ago! PHP latests releases are 5.4 and 5.5

 

I recommend updating your AMP stack as soon as possible to more recent versions, to something like WAMP or XAMPP. Or better yet install the AMP stack manually yourself.

 

Tried the function "mysql_real_escape_string()" on XAMPP and worked like a charm (y)

 

Thanks everything works perfectly now