PHP - Sql Injection And Xss Attack On Checkbox

Hello All,

I am in desperate help here since my site was DDoS attacked by some one in turkey (Ips originate mostly from turkey, Germany, and some other Europe countries). I have installed the ddos deflation and most of the IPs are now blocked.


I have a php file in my server that I use to input data into my database and my streaming servers. This file is called connect.php and the hacker is basically created an automated script that repeatedly call the connect.php file from a botnet resulting in both apache and mysql dead. I use connect.php in the following way

http.open('get', "ajax/createchannel_1.php?channel=" + channelname + "&sitename=" + sitename + "&privateurl=" + privateurl + "&privateurlcheck=" + privateurlcheck);

How can i change the connect.php so that it only accept execution from my server/
Please your help is greatly appreciated.

I am having a wamp issue so I can't try these out right now.  According to the book I'm learning php with, I can easily avoid injection attacks this way:    $a= stripslashes($a); $a= mysql_real_escape_string($a);   What concerns me is the repetition of the variable, $a.  Does it matter?  Intuitively, it should.    $a changes. By the time $a hits mysql_real_escape_string it is slash-free.  So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.   I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM.

I'm confused, can this result in css/sql injection?

Code: [Select]

if(isset($_GET['action'])){
if($_GET['action'] == 'details'){
$cupID = $_GET['cupID'];
$ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'");
$ds=mysql_fetch_array($ergebnis);

...

Some german fellow was explaining, translate to English briefly:

"$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... "

I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? 

Will this prevent a SQL injection? I am guessing the answer is no because it is too simple.


// retrieve form data   ==========================================

$ama = $_POST['ama'];

// Check for alphanumeric characters =====================================

$string = "$ama";

$new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);

// echo $new_string;

// Send query ===========================================================

$query = "SELECT * FROM members WHERE ama='$new_string'";
if (!mysql_query($query)){
die('Error :' .mysql_error());
}

I want to know which part of my script has the hole..as i can find lots of php script and even folder can be injected into my public_html

how they do that, and which part need to be checked? is that the upload part <enctype> or what??

thanks in advance

I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working.  I have my "dbClass" below that connects to a MySQL database. 

Code: [Select]
class dbClass {
public $db;

function __construct() {
$this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error());
return $this->db;
}
}

Then I have my "baseClass".  This is the class that I want to feed to connection too. 

Code: [Select]
class baseClass {
public $mysql_conn;

function __construct($db) {
$this->mysql_conn = $db;
$rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error());
}
}

And this is my index.php file.  The error I'm getting is "supplied argument is not a valid MySQL-Link resource".  However I tripled checked and my db connection details are definately correct. 

Code: [Select]
$db = new dbClass();
$baseclass = new baseClass($db);

Thanks for any help. 

i just want to ask this simple question

let say i have this basic query

$place=$_GET['place'];
mysql_query("SELECT * FROM table WHERE place='$place'");

this is a nice target for sql injection..

but what if i replace the whole special characters that could be added

$replacethis=array("-","`");
$withthis=array("","");
$place=str_replace($replacethis,$withthis,$_GET['place']);
mysql_query("SELECT * FROM table WHERE place='$place'");

Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ??

then what if i protect the file by changing the setting of the permission to either 644 or 755?
thanks in advance

Hello,

I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself.

I'm pretty new to PHP so my code isn't great.

Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc which I'm not downloading.

I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted.

One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables?

The insert page code is:

Code: [Select]
$db = mysql_connect("localhost", "username", "password");

mysql_select_db("thedatabase",$db);
$ipaddress = mysql_real_escape_string($_POST['ipaddress']);
$theid = mysql_real_escape_string($_POST['theid']);
$gamert = mysql_real_escape_string($_POST['gamert']);
$serveron = mysql_real_escape_string($_POST['serveron']);

$check= mysql_query("select * from voting2 where ipaddress='$ipaddress'");

$ipname = mysql_fetch_assoc($check);

if($ipname['ipaddress'] == $ipaddress) {
                     echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.';


} else {
mysql_query ("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2)
                VALUES
('$theid','$ipaddress','$gamert','$serveron')");
 echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.';

}
How can I make it safer against SQL injection?

Thanks

Hi,
I'm sure many of you heard of "pastebin", if not the short of it, is that you can submit your code (+100 languages), and you can display it to your friends via a link with syntax highlighting available.

So, One way to store the code is surely in txt files, but I would really prefer to have it stored in a mysql database.

My only concern is people trying to run a sql injection, so how do i get around all this? I don't want the user's content to be changed, but I don't want SQL injections either.. is this even possible at all?
Any tips appreciated, also if you could think of another alternative than txt files and mysql.

Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.

The code works fine.
 

<?php 

include 'db.php';

error_reporting(E_ALL | E_WARNING | E_NOTICE);

ini_set('display_errors', TRUE);

 if(isset($_POST['submit']))

 {
    
 $username = $_POST['username']; 
$password =  ($_POST['password']); 

$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql); 
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count =  $result->num_rows;
   if($count == 1) 
                         {
while ($row = $result->fetch_assoc())
 {
    if ($row['status'] == 'blocked')

 {

 echo'your account is suspended'


   session_destroy();

   exit();

  }

 else if($row['status'] == 'active')
{

if($username !== $row['username']) 

 { 
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
} 
if($password !== $row['password']) 
{
  echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';       
}
if($username == $row['username'] && $password == $row['password']) 
{ 
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>

 

Does this code have mySQL Injection vulnerability?

$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

using php5, would this make the code more safe...

foreach($array as $key=>$a){
$array[$key] = mysql_real_escape_string($a);} 
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

or is there another way to make the code safe?

been wondering about this for a while
do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST
i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id.

Code: [Select]
<?php mysql_query("UPDATE systems SET homes=  $homes + '".mysql_real_escape_string($_POST['homes'])."' 

WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?>

Hi all,

I thought instead of just simple do all the security stuff automatically, why not see for myself what the it can do.
So I made a simple table besides the other tables named delete_me,  made a form and started testing. But for some reason I can get that table to drop.

this is what i did on the front end with help from he http://en.wikipedia.org/wiki/SQL_injection

in all 3 fields (firstname, lastname email) put a value and in the last one i put:

but nothing happend.

if someone knows what i am doing wrong please tell me because I think it's vital in order to protect yourself one needs to know what he or she is up against.

Hello People,

Been reading up on these and trying to understand them more.  Say I have a file called page.php?id=12345

and when users hit the page I run this code in the background:


$id = $_GET['id'];
$query = "UPDATE tbl SET live = '1' WHERE id = '".$id."'"; 


That page is not open to any attack right?  Even though i'm using $_GET.

Am I right in thinking that attacks only happen on online forms.  So for example there is no way an attacker could somehow output all the data in my table tbl


Thank yo