|
PHP - How Can I Avoid Sql Injection On This Query
Trying to make my code more secure.
This is what I currently have, which is not secure by any means: Code: [Select] $query1 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='$table'"; // Run PRO query $qresult1 = sqlsrv_query($dbPRO, $query1); if ($qresult1 === false) { exitWithSQLError('Retrieving schema failed.'); } This is how I changed it, Code: [Select] $query1 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=?"; $params = array(1, $table); // Run PRO query $qresult1 = sqlsrv_query($dbPRO, $query1, $params); if ($qresult1 === false) { exitWithSQLError('Retrieving schema failed.'); } but I'm getting this error: Code: [Select] SQL-Status: 22018 Code: 245 Message: [Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion failed when converting the nvarchar value 'sysrscols' to data type int Please notice I am using sqlsrv_query function because my database engine is MS-SQL 2008. That's why I'm a bit confused. Most documentation online is pointed to MySQL. exitWithSQLError is a customized function of mine, so please ignore. Any help or hints is appreciated, Thanks, Similar TutorialsHi, I am using parameterized queries on my code, here's the relevant part Code: [Select] $params=$_POST['ITGtable']; $tsql2 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=?"; /* Execute the statement with the specified parameter value. Display the returned data if no errors occur. */ $stmt2 = sqlsrv_query( $conn, $tsql2, $params); if( $stmt2 === false ) { echo "Statement 2 could not be executed.\n"; die( print_r(sqlsrv_errors(), true)); } else { $qty = sqlsrv_fetch_array( $stmt2); } Do I really have to sanitize $_POST['ITGtable'] for apostrophe, semicolon, etc, to avoid SQL injection problems? Or just with above code I should be safer (I did not say safe) against SQL injection? And if the answer is "No", what could be the sanitize code of function? I am using sqlsrv and MS-SQL database engine; most of the functions we have for sanitize inputs on MySQL are not available for MS-SQL. Thanks in advance, Ok first of all i have this code at the final of my insert and update code.
if (!mysql_query($sql,$conn))
{
die('Error: ' . mysql_error($conn));
}
else{
header("Location: finalmsj.php?finalmsj=".$hiwu."");
}
mysql_close($conn);
}
I'm confused, can this result in css/sql injection? Code: [Select] if(isset($_GET['action'])){ if($_GET['action'] == 'details'){ $cupID = $_GET['cupID']; $ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'"); $ds=mysql_fetch_array($ergebnis); ... Some german fellow was explaining, translate to English briefly: "$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... " I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? I am having a wamp issue so I can't try these out right now. According to the book I'm learning php with, I can easily avoid injection attacks this way:
$a= stripslashes($a);
$a= mysql_real_escape_string($a);
What concerns me is the repetition of the variable, $a. Does it matter? Intuitively, it should.
$a changes. By the time $a hits mysql_real_escape_string it is slash-free. So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.
I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM. i just want to ask this simple question let say i have this basic query $place=$_GET['place']; mysql_query("SELECT * FROM table WHERE place='$place'"); this is a nice target for sql injection.. but what if i replace the whole special characters that could be added $replacethis=array("-","`"); $withthis=array("",""); $place=str_replace($replacethis,$withthis,$_GET['place']); mysql_query("SELECT * FROM table WHERE place='$place'"); Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ?? then what if i protect the file by changing the setting of the permission to either 644 or 755? thanks in advance Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine.
<?phpÂ
include 'db.php';
error_reporting(E_ALL | E_WARNING | E_NOTICE);
ini_set('display_errors', TRUE);
 if(isset($_POST['submit']))
 {
  Â
 $username = $_POST['username'];Â
$password = Â ($_POST['password']);Â
$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql);Â
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count = Â $result->num_rows;
  if($count == 1)Â
             {
while ($row = $result->fetch_assoc())
 {
  if ($row['status'] == 'blocked')
 {
 echo'your account is suspended'
  session_destroy();
  exit();
 }
 else if($row['status'] == 'active')
{
if($username !== $row['username'])Â
 {Â
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
}Â
if($password !== $row['password'])Â
{
 echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';    Â
}
if($username == $row['username'] && $password == $row['password'])Â
{Â
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>
 I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working. I have my "dbClass" below that connects to a MySQL database. Code: [Select] class dbClass { public $db; function __construct() { $this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error()); return $this->db; } } Then I have my "baseClass". This is the class that I want to feed to connection too. Code: [Select] class baseClass { public $mysql_conn; function __construct($db) { $this->mysql_conn = $db; $rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error()); } } And this is my index.php file. The error I'm getting is "supplied argument is not a valid MySQL-Link resource". However I tripled checked and my db connection details are definately correct. Code: [Select] $db = new dbClass(); $baseclass = new baseClass($db); Thanks for any help. Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } Hello, I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself. I'm pretty new to PHP so my code isn't great. Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc which I'm not downloading. I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted. One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables? The insert page code is: Code: [Select] $db = mysql_connect("localhost", "username", "password"); mysql_select_db("thedatabase",$db); $ipaddress = mysql_real_escape_string($_POST['ipaddress']); $theid = mysql_real_escape_string($_POST['theid']); $gamert = mysql_real_escape_string($_POST['gamert']); $serveron = mysql_real_escape_string($_POST['serveron']); $check= mysql_query("select * from voting2 where ipaddress='$ipaddress'"); $ipname = mysql_fetch_assoc($check); if($ipname['ipaddress'] == $ipaddress) { echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.'; } else { mysql_query ("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2) VALUES ('$theid','$ipaddress','$gamert','$serveron')"); echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.'; } How can I make it safer against SQL injection? Thanks I want to know which part of my script has the hole..as i can find lots of php script and even folder can be injected into my public_html how they do that, and which part need to be checked? is that the upload part <enctype> or what?? thanks in advance Hi, I'm sure many of you heard of "pastebin", if not the short of it, is that you can submit your code (+100 languages), and you can display it to your friends via a link with syntax highlighting available. So, One way to store the code is surely in txt files, but I would really prefer to have it stored in a mysql database. My only concern is people trying to run a sql injection, so how do i get around all this? I don't want the user's content to be changed, but I don't want SQL injections either.. is this even possible at all? Any tips appreciated, also if you could think of another alternative than txt files and mysql. I'm learning functions and I'm working on a rating script. This is a small test script that works, you can try it out yourself: <?php // Rating System function while_test (){ $a = 1; $b = 4; $t_id = 1; global $likes; global $dislikes; global $con_id; while ($a++ <= $b){ echo "<center>"; echo "<table><tr><td>Table: </td></tr>"; echo "<tr><td>This is a table test </td></tr>"; echo "<tr><td><form action='' method='post'>"; echo "<button type='submit' name='likes' value='Y'>likes</button>"; echo "<button type='submit' name='dislikes' value='N'>dislikes</button>"; echo "<input type='hidden' name='hidden_id' value='" . $t_id . "' /></form></td></tr></table>"; echo "</center><br /><br />"; $t_id++; $likes = $_POST['likes']; $dislikes = $_POST['dislikes']; $con_id = $_POST['hidden_id']; } } while_test(); if ($likes) { echo "likes it: " . $likes . " con_id: " . $con_id; } elseif ($dislikes) { echo "dislikes it: " . $dislikes . " con_id: " . $con_id; } ?> I've gotten recommended before not use globals, because the projects would become unmanageable, and I'm wondering how would I be able to avoid using globals in this example? I'm able to in-ject variables through the parenthesis, but I'm not able to out-ject variables, if that makes sense. (?) At least it doesn't work for me. How would I use those three variables $likes, $dislikes and $con_id outside the function without setting them as globals, what would be good practice? 1 - I am using phpmailer to send an email to a people without defining the $headers = 'From:" , so the From section of the email is showing default server aekcom@xenon.sfdns.net , the email didn't go to Junk box, I am so happy. 2 - Then I apply $headers .= 'From: Pflik <admin@pflik.com>'; on the php mailer now. The email go to Junk box now. I am sad. My question : How do I change the default email server of my hosting aekcom@xenon.sfdns.net into admin@pflik.com ? If I can change it, then the email won't go to junk box anymore. Hello Everyone, I m making an attendance application. I have an issue with following code, Code: [Select] <?php session_start(); require_once("conf.php"); mysql_select_db('site'); $subjects=$_GET['sublen']; $username=$_SESSION['user']; for($i=1;$i<=$subjects;$i++) { $subject=$_GET[',Sub'.$i]; $query="INSERT INTO Subjects(id,Subjects,User,Classs) VALUES($i,'$subject','$username','F.Y.B.Sc')"; $true=mysql_query($query) or die("Cannot Store subjects".mysql_error()); } ?> <html> <head> <link href="../css/style.css" type="text/css" rel="stylesheet" /> <script type="text/javascript" src="../js/jquery.js"></script> </head> <body> <div id="main"> <div id="logo"> KiMi... </div> <div id="header"> <ul> <li><a href="index.html">Home</a></li> <li><a href="php/subjectsTable.php">Create Subjects</a></li> <li><a href="html/form.html">Contact Us</a></li> <li><a href="html/register.php">Register!</a></li> </ul> </div> <div id="nav"> </div> <div id="content"> <?php if($true) { echo "<div id='dynamicDiv'>"; echo "<div> Subjects stored Successfully!</div></br></br>"; $query="SELECT * FROM Subjects Where User='$username'"; $result=mysql_query($query) or die("Cannot Fetch Data"); echo "<table id='table'>"; echo "<tr><td> </td><td>Subjects</td><td>Class</td></tr>"; while($row=mysql_fetch_array($result)) { echo "<tr><td><input type='checkbox' name='box[]'/> </td>"; echo "<td>"; echo $row['Subjects']; echo "</td>"; echo "<td>"; echo $row['Classs']; echo "</td>"; echo "</tr>"; } echo "</table>"; echo "</div>"; } ?> </div> <div id="footer"> © Copyright Amit K. Goda 2011-2012 </div> </div> </body> </html> In the above code i m storing data into database which has been passed into $_GET array. The Code is this Quote <?php session_start(); require_once("conf.php"); mysql_select_db('site'); $subjects=$_GET['sublen']; $username=$_SESSION['user']; for($i=1;$i<=$subjects;$i++) { $subject=$_GET[',Sub'.$i]; $query="INSERT INTO Subjects(id,Subjects,User,Classs) VALUES($i,'$subject','$username','F.Y.B.Sc')"; $true=mysql_query($query) or die("Cannot Store subjects".mysql_error()); } ?> the data is stored but the issue is, since i have data coming in $_GET array when i reload my page the same data is stored again inmy database. So any suggesstions how can i avoid that??? Any Help will be highly appreciated I have a sorting functionality, the code is he <?php $select_category = $_REQUEST['sort_category']; $sort_date_var = $_REQUEST['sort_date']; $sort_submit = $_POST['sortSubmit']; // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); if (($select_category == 'All') || (!isset($select_category)) && (!isset($sort_date_var))) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con"; $data = mysqli_query($dbc, $query); //Loop through the array of data while ($row = mysqli_fetch_array($data)) { echo "<table class='knuffixTable'>"; // Display the score data echo "<tr><td class='knuffix_name'>"; echo "<strong>" . htmlentities($row['name']) . "</strong><br /></td></tr>"; echo "<tr><td class='knuffix_contribution'><pre>" . $row['contribution'] . "</pre><br /></td></tr>"; echo "<tr><td class='knuffix_categoryDate'>" . $row['category'] . " | " . date('M d, Y', strtotime($row['contributed_date'])) . " </td></tr>"; echo "</table>"; } mysqli_close($dbc); } elseif (isset($select_category) && !isset($sort_date_var)) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con WHERE category = '$select_category'"; $data = mysqli_query($dbc, $query) or die (mysqli_error($dbc)); //Loop through the array of data while ($row = mysqli_fetch_array($data)) { echo "<table class='knuffixTable'>"; // Display the score data echo "<tr><td class='knuffix_name'>"; echo "<strong>" . htmlentities($row['name']) . "</strong><br /></td></tr>"; echo "<tr><td class='knuffix_contribution'><pre>" . $row['contribution'] . "</pre><br /></td></tr>"; echo "<tr><td class='knuffix_categoryDate'>" . htmlentities($row['category']) . " | " . date('M d, Y', strtotime($row['contributed_date'])) . " </td></tr>"; echo "</table>"; } mysqli_close($dbc); } elseif (!isset($select_category) && isset($sort_date_var)) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con ORDER BY contributed_date $sort_date_var"; $data = mysqli_query($dbc, $query) or die (mysqli_error($dbc)); //Loop through the array of data while ($row = mysqli_fetch_array($data)) { echo "<table class='knuffixTable'>"; // Display the score data echo "<tr><td class='knuffix_name'>"; echo "<strong>" . htmlentities($row['name']) . "</strong><br /></td></tr>"; echo "<tr><td class='knuffix_contribution'><pre>" . $row['contribution'] . "</pre><br /></td></tr>"; echo "<tr><td class='knuffix_categoryDate'>" . htmlentities($row['category']) . " | " . date('M d, Y', strtotime($row['contributed_date'])) . " </td></tr>"; echo "</table>"; } mysqli_close($dbc); } elseif (isset($select_category) && isset($sort_date_var)) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con WHERE category = '$select_category' ORDER BY contributed_date $sort_date_var"; $data = mysqli_query($dbc, $query) or die (mysqli_error($dbc)); //Loop through the array of data while ($row = mysqli_fetch_array($data)) { echo "<table class='knuffixTable'>"; // Display the score data echo "<tr><td class='knuffix_name'>"; echo "<strong>" . htmlentities($row['name']) . "</strong><br /></td></tr>"; echo "<tr><td class='knuffix_contribution'><pre>" . $row['contribution'] . "</pre><br /></td></tr>"; echo "<tr><td class='knuffix_categoryDate'>" . htmlentities($row['category']) . " | " . date('M d, Y', strtotime($row['contributed_date'])) . " </td></tr>"; echo "</table>"; } mysqli_close($dbc); } ?> With this code I'm able to: - showcase every category by DEFAULT when someone comes to the page. - sort only by category, - sort only by date, - sort by category AND date, The problem is as you can see I have a lot of duplicate code, if I for example want to change the table that is being printed out, I have to change it on all of them. I'd like to ask how I could avoid this duplicate code. Can I for example just have the table ONE TIME at a separate place and then insert the REFERENCE _after_ the query in each if statement? Like this: if (($select_category == 'All') || (!isset($select_category)) && (!isset($sort_date_var))) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con"; $data = mysqli_query($dbc, $query); table_here(); } elseif (isset($select_category) && !isset($sort_date_var)) { // Retrieve the chosen category from MySQL $query = "SELECT * FROM con WHERE category = '$select_category'"; $data = mysqli_query($dbc, $query) or die (mysqli_error($dbc)); table_here(); } I'm just coding since 2 month so I don't know how do it, maybe I can do it with functions? I've tried doing it with functions, but I got an error since the function doesn't contain any query statement and only the table because it was trying to fetch. it looked like this: function table_here () { //Loop through the array of data while ($row = mysqli_fetch_array($data)) { echo "<table class='knuffixTable'>"; // Display the score data echo "<tr><td class='knuffix_name'>"; echo "<strong>" . htmlentities($row['name']) . "</strong><br /></td></tr>"; echo "<tr><td class='knuffix_contribution'><pre>" . $row['contribution'] . "</pre><br /></td></tr>"; echo "<tr><td class='knuffix_categoryDate'>" . $row['category'] . " | " . date('M d, Y', strtotime($row['contributed_date'])) . " </td></tr>"; echo "</table>"; } mysqli_close($dbc); } Array ( [0] => Virender Sehwag|||http://abc.xyz.com/Virender-Sehwag [1] => Sachin Tendulkar|||http://abc.xyz.com/Sachin-Tendulkar ) foreach($array as $arr) { $topics=explode ('|||', $array); echo '<li>' .'<a rel="nofollow" target="_new" href="'.$topics[1].'"><span class="title">'.html_entity_decode($topics[0], ENT_NOQUOTES, "UTF-8").'</span></a>|</li>'; How to avoid '|' for the last element of any aaray. Also if array contains only 1 element '|' should not appear. For eample, In the browser it should display as "Virender Sehwag | Sachin Tendulkar". If the array contains only 1 element then, In the browser it should display as Virender Sehwag if array contains 3 elements, Virender Sehwag | Sachin Tendulkar | someword I'm just looking for some tips here. I am developing and selling an eccommerce shopping cart software package, and it has been received very well from the early adopters. There's just one small problem that prevents the software from being a truly out-of-the-box solution: the include path. Not all users have access to their php.ini file, and it's not always a php.ini file anyway. So this is something the installation is unable to set for the customer. I'm using object-oriented PHP5 stuff, so I have a folder named "classes" with all the relevant stuff in there. I am unable to search for paths to the folder and hard-code those into source files (there are ajax calls and other fun stuff; hard to know the exact relation to the path). I guess I could use set_include_path on the top of a bunch of files, but that is a small performance hit (and totally inelegant code). I could put the folder path in the database somewhere and query for it (and cache it so it's not a performance hit). None of this stuff seems good. The path seems like the best solution. Unless you have better ideas.... Hello, I have a form that has a preview, before user can preview the form inputs he must login. If he is logedin, he can see preview and continue to editing form, but after user is finished with editing his values he is redirected to "preview" page for which he must be logged in. But the problem is that variables are "empty" after redirecting back to preview. $_POST['email'] is received from login.php $_SESSION['code'] is 5 digit code generated at start, it isn't important in this issue. Here's the code: preview.php Code: [Select] $id_user= 0; $code = $_SESSION['code']; $email = $_POST['email']; $_SESSION['email_login'] = $email; So now you can see that $email and $_SESSION['email_login'] are empty because when redirecting from "editing" to preview $_POST['email'] can't be found... ok here is my comment protection >< very basic and simple but i just got htmlentitied lol =[ how do i protect against that? Code: [Select] if (isset($_POST['submit'])) { $comment= trim(stripslashes(mysql_real_escape_string($_POST['comment']))); this is my registration protection, sql can still get though >< it doesnt work ? Code: [Select] $_POST['pass'] = md5($_POST['pass']); if (!get_magic_quotes_gpc()) { $_POST['pass'] = trim(stripslashes(mysql_real_escape_string($_POST['pass']))); $_POST['username'] = trim(stripslashes(mysql_real_escape_string($_POST['username']))); } |
|||||||