Profile Update Exploit

[LearningCoder]

a user exploited my game using a sql injection on the profile bit and this is the SQl on it

 

if(isset($_POST['Quote'])){

$result = mysql_query("UPDATE login SET quote='".$_POST['quote_box']."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'")

or die(mysql_error());

$sql = "SELECT * FROM login WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'";

$query = mysql_query($sql) or die(mysql_error());

$row = mysql_fetch_object($query);

$quote = htmlspecialchars($row->quote);

$priv = htmlspecialchars($row->priv);

$jb = htmlspecialchars($row->jb);

 

any idea how to sort it people? Its the Gangster Legends Script, just so you all know.

Edited January 24, 2012 by LearningCoder

[LearningCoder]

ok lol, do you know how to sort it pal?

[Ishraq]

Clean up the post variable more before you run it into the query.

[lucky3809]

I know you are learning coding, maybe you need to look up those function on php.net mres is not securing the user_id because it is numeric value.

[a_bertrand]

Clearly the piece:

$result = mysql_query("UPDATE login SET quote='".$_POST['quote_box']."'  WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") 
or die(mysql_error());

 

Is not secure and allows all kind of injections through the quote_box field. How so? Easy:

If I put an

hello', col2='admin

into it, you will actually end up with a query which will touch the quote column AND the col2 column as it will produce the following query:

UPDATE login SET quote='hello', col2='admin'  WHERE id='1'

 

to make it safer:

$result = mysql_query("UPDATE login SET quote='".mysql_real_escape_string($_POST['quote_box'])."'  WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") 
or die(mysql_error());

[LearningCoder]

Thanks a_bertrand it worked :D