
Fixing SQLi Vulnerability Help


OxAlien
Solved by Ch0cu3r


Greetings

<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
    print "<h1>";
    print "Welcome";
    print "</h1>";
    print "<br><br><br>";
    echo "<center>";
    print "<form action=\"\" method=\"POST\">";
    print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\">   ";
    print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
    print "</form>";
} else {
    $name = $_POST['dgt'];
    if(strlen($name) != "10") {
        print "Name is incorrect.";
    } else {
        $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
        if(mysql_num_rows($query) > 0){
            $row = mysql_fetch_assoc($query);
            print "True";
            print "$row[no]";
        }else{
            print "False";
        }
    }
}
?>

This script is vulnerable to SQLi. I need help fixing the vulnerability, please.


Thanks for your help guys.

 

Here is my code now:

<?
mysql_connect("xxx","xxx","xxx");
mysql_select_db("name");
if (!isset($_POST['submit'])) {
    print "<h1>";
    print "Welcome";
    print "</h1>";
    print "<br><br><br>";
    echo "<center>";
    print "<form action=\"\" method=\"POST\">";
    print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\">   ";
    print "<input name=\"submit\" value=\"Join\" type=\"submit\">";
    print "</form>";
} else {
    $name = $_POST['dgt'];
    if(strlen($name) != "10") {
        print "Name is incorrect.";
    } else {
        $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
        $fix = mysql_real_escape_string($query);
        if(mysql_num_rows($fix) > 0){
            $row = mysql_fetch_assoc($fix);
            print "True";
            print "$row[no]";
        }else{
            print "False";
        }
    }
}
?>

What did I do wrong here?


  • Solution

 

What did I do wrong here?

You applied mysql_real_escape_string to the query. 

 

This function should be used on values to be used within the query.

 

This

$name = $_POST['dgt'];
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name';");
$fix = mysql_real_escape_string($query);

Should be

$name = mysql_real_escape_string($_POST['dgt']); // Apply mysql_real_escape_string to this value, so it is safe to use in the query later
if(strlen($name) != "10") {
print "Name is incorrect.";
} else {

$query = mysql_query("SELECT * FROM contacts WHERE name ='$name'");
Edited by Ch0cu3r

 


 

Thank you so much.

 

"mysql_real_escape_string()" didn't work for me so I used "addslashes()"

 

Is the addslashes() command enough to prevent SQL injection in that particular parameter?

Link to comment
Share on other sites

 

Is the addslashes() command enough to prevent SQL injection in that particular parameter?

No. There are characters other than quotes that can cause SQL injection, which mysql_real_escape_string also escapes.

 

 

"mysql_real_escape_string()" didn't work for me

In what way did it not work for you? The code I posted is the correct usage for that function.

Edited by Ch0cu3r
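As an added example (not code from this thread or from either poster), here is the same lookup rewritten with a PDO prepared statement. It addresses both the original fix and the addslashes question above: the value is sent to the server separately from the SQL text, so no byte in it, quote or otherwise, can change the meaning of the query, and no escaping function is needed. The table contacts with columns name and no comes from the thread; the host, database name and credentials are placeholders, and the helper names connectDb and lookupContact are my own.

```php
<?php
// Added example, not the thread's code: parameterised version of the contacts lookup.
// Assumes a MySQL database with a table contacts(name, no) as in the thread.
// Host, database name and credentials below are placeholders.

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=name;charset=utf8mb4';
    return new PDO($dsn, 'xxx', 'xxx', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares, no client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Returns the "no" column for an exact name match, or null when no row matches.
function lookupContact(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT no FROM contacts WHERE name = :name');
    $stmt->execute([':name' => $name]); // the value travels as a parameter, not as part of the SQL text
    $row = $stmt->fetch();
    return $row === false ? null : (string) $row['no'];
}

if (!isset($_POST['submit'])) {
    print '<h1>Welcome</h1>';
    print '<form action="" method="POST">';
    print '<input name="dgt" id="Join" style="width:400px" type="text"> ';
    print '<input name="submit" value="Join" type="submit">';
    print '</form>';
} else {
    // Validate the raw input; with a prepared statement its length is not altered by escaping.
    $name = (string) ($_POST['dgt'] ?? '');
    if (strlen($name) !== 10) {
        print 'Name is incorrect.';
    } else {
        $no = lookupContact(connectDb(), $name);
        if ($no === null) {
            print 'False';
        } else {
            print 'True';
            // Escaping for HTML output is a separate concern from SQL; do it at the output boundary.
            print htmlspecialchars($no, ENT_QUOTES, 'UTF-8');
        }
    }
}
```

The mysql_* extension used in the thread was removed in PHP 7, so PDO or mysqli prepared statements are the path forward anyway. Turning emulated prepares off matters: with emulation on, PDO falls back to client-side quoting, which is exactly the escaping-dependent approach the thread is trying to get away from.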


 

After submitting the name, the page reads "Problem Loading page" & "The connection was reset"

 

But I don't get that error when using addslashes() instead of mysql_real_escape_string()


Sounds to me like PHP is not connecting to MySQL correctly, or your server is not set up quite right. Where are you running this code?

Using AppServ on windows.

 

Ran the mysql_real_escape_string() version on multiple browsers, but they all returned the same result: "error on page".

 

So I'm guessing the problem could be from AppServ.

Edited by OxAlien

It's a bit outdated. It uses PHP 5.2.6, which was released 5 years ago! PHP's latest releases are 5.4 and 5.5.

 

I recommend updating your AMP stack as soon as possible to more recent versions, to something like WAMP or XAMPP. Or better yet install the AMP stack manually yourself.



 

Tried the function "mysql_real_escape_string()" on XAMPP and worked like a charm (y)

 

Thanks everything works perfectly now ^_^

