Mysql code injection with a $string in php


audiovisuaali

When I'm doing this it can't handle the query line. When I change the :count to a number it works correctly.

So I want to know how I can use a string to determine a number for the MySQL request.

Thank you!

<?php

// Error report
ini_set('display_errors', 1);
error_reporting(~0);

// Getting video ID from URL
$video = $_GET['v'];

// Including database connection
include 'db.php';

//$query = "SELECT file_name, videos FROM videos  ORDER BY RAND() LIMIT 1;";
$query = "SELECT file_name, videos FROM videos LIMIT :count,1;";

// Prepare
$statement = $handler->prepare($query);
$statement->bindParam(":count",$video);

// Execute
$statement->execute();

// Fetch
$videos = $statement->fetch(PDO::FETCH_ASSOC);
$comment = $videos["file_name"];
$videos = $videos["videos"];
echo $comment;
echo $videos;
?>

Here's what I see when I go to the page:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'NULL,1' at line 1' in FILE_LOCATION/test.php:21 Stack trace: #0 FILE_LOCATION/test.php(21): PDOStatement->execute() #1 {main} thrown in FILE_LOCATION/test.php on line 21

You have an entire collection of errors.

First, you're obviously accessing the script without a v parameter in the URL, because the value of $video is null. You have no check for that case either; you just assume that the parameter is always present (which it isn't, as you can see).

Then you're using emulated prepared statements (which is the default) instead of real ones. This means the parameters are literally inserted into the query string instead of getting sent to the database. Since your parameter is null, you end up with a LIMIT of NULL -- which is syntactically wrong.

The query itself is also fishy. Why are you doing an offset search when you want to look up a particular ID? This will give you nonsense results. You don't even have an ORDER BY clause, so the offset could start absolutely anywhere.

Long story short:

  • Validate the user input and handle missing parameters; don't just assume that you get what you expect
  • Disable statement emulation
  • Fix the query. You probably want a WHERE clause.

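A corrected version of the script along the lines of that reply, as an added example (not the poster's code and not a reply from the thread). It assumes db.php creates a PDO connection in $handler, as the original does, and that the videos table has an integer primary key column named id (the column name is an assumption).

```php
<?php
// Added example, not the original poster's script.
// Assumes db.php defines $handler as a PDO connection and that the
// videos table has an integer primary key column named id (assumption).
declare(strict_types=1);

ini_set('display_errors', '1');
error_reporting(E_ALL);

include 'db.php';

// Make PDO throw on errors, and use real server-side prepared statements
// so bound values travel separately from the SQL text instead of being
// spliced into the query string (which is how "LIMIT NULL,1" arose).
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// 1. Validate the input: the parameter must be present and a positive
//    integer. filter_input() returns null when the parameter is absent
//    and false when the value fails validation.
$videoId = filter_input(INPUT_GET, 'v', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($videoId === null || $videoId === false) {
    http_response_code(400);
    exit('Missing or invalid video id');
}

// 2. Look the row up by its key with a WHERE clause rather than by an
//    unordered offset, and bind the value with an explicit integer type.
$statement = $handler->prepare(
    'SELECT file_name, videos FROM videos WHERE id = :id'
);
$statement->bindValue(':id', $videoId, PDO::PARAM_INT);
$statement->execute();

$row = $statement->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such video');
}

// 3. Escape on output: a file name stored in the database is data, not HTML.
echo htmlspecialchars($row['file_name'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($row['videos'], ENT_QUOTES, 'UTF-8'), "\n";
```

If an offset lookup really is wanted, the original LIMIT :count,1 also works once emulation is off and the value is bound with PDO::PARAM_INT, but it still needs an ORDER BY to return a deterministic row.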