LearningCoder Posted January 24, 2012 Share Posted January 24, 2012 (edited)

A user exploited my game using a SQL injection on the profile bit, and this is the SQL on it:

    if(isset($_POST['Quote'])){
        $result = mysql_query("UPDATE login SET quote='".$_POST['quote_box']."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") or die(mysql_error());
        $sql = "SELECT * FROM login WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'";
        $query = mysql_query($sql) or die(mysql_error());
        $row = mysql_fetch_object($query);
        $quote = htmlspecialchars($row->quote);
        $priv = htmlspecialchars($row->priv);
        $jb = htmlspecialchars($row->jb);

Any idea how to sort it, people? It's the Gangster Legends script, just so you all know.

Edited January 24, 2012 by LearningCoder
LearningCoder Posted January 24, 2012 Author Share Posted January 24, 2012

OK lol, do you know how to sort it, pal?
Ishraq Posted January 24, 2012 Share Posted January 24, 2012

Clean up the post variable more before you run it into the query.
lucky3809 Posted January 25, 2012 Share Posted January 25, 2012

I know you are learning coding; maybe you need to look up those functions on php.net. mres is not securing the user_id because it is a numeric value.
a_bertrand Posted January 25, 2012 Share Posted January 25, 2012

Clearly the piece:

    $result = mysql_query("UPDATE login SET quote='".$_POST['quote_box']."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") or die(mysql_error());

is not secure and allows all kinds of injections through the quote_box field. How so? Easy: if I put a

    hello', col2='admin

into it, you will actually end up with a query which will touch the quote column AND the col2 column, as it will produce the following query:

    UPDATE login SET quote='hello', col2='admin' WHERE id='1'

To make it safer:

    $result = mysql_query("UPDATE login SET quote='".mysql_real_escape_string($_POST['quote_box'])."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") or die(mysql_error());
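The same profile update written with prepared statements, as an added example (not code from the Gangster Legends script or from any poster in this thread). It combines a_bertrand's point (the quote_box value must never be concatenated into the SQL text) with lucky3809's (the session user_id is a number and can simply be cast to int). The mysql_* functions used in the thread were removed in PHP 7.0, so mysqli with bound parameters is used instead; the connection credentials, the `login` table with columns `id`, `quote`, `priv` and `jb`, and the 255-character quote limit are assumptions for the example.

```php
<?php
// Added example: hardened version of the profile quote update from this thread.
// Assumptions: a mysqli connection to a `login` table (id INT, quote/priv/jb text
// columns), the logged-in user's id in $_SESSION['user_id'], placeholder credentials.
declare(strict_types=1);

session_start();

$db = new mysqli('localhost', 'db_user', 'db_password', 'game_db'); // placeholders
if ($db->connect_error) {
    http_response_code(500);
    exit('Database connection failed');
}
// Binding and escaping must match the connection charset; set it explicitly.
$db->set_charset('utf8mb4');

function save_profile_quote(mysqli $db, int $userId, string $quote): bool
{
    // Input length limit (assumed 255): reject oversized data before the query.
    if (mb_strlen($quote) > 255) {
        return false;
    }
    // The SQL text is fixed; $quote travels as a parameter, so a value such as
    // "hello', col2='admin" is stored verbatim and cannot add a second assignment.
    $stmt = $db->prepare('UPDATE login SET quote = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $quote, $userId); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function load_profile(mysqli $db, int $userId): ?array
{
    // Select only the columns the page uses instead of SELECT *.
    $stmt = $db->prepare('SELECT quote, priv, jb FROM login WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['Quote'])) {
    // The id is only ever a number: cast it instead of escaping it as a string.
    $userId = (int) ($_SESSION['user_id'] ?? 0);
    $quote  = (string) ($_POST['quote_box'] ?? '');
    if ($userId > 0 && !save_profile_quote($db, $userId, $quote)) {
        error_log("profile quote update rejected or failed for user $userId");
    }
}

$row = load_profile($db, (int) ($_SESSION['user_id'] ?? 0));
if ($row !== null) {
    // Output encoding is still required: parameter binding protects the SQL
    // statement, not the HTML page the quote is rendered into.
    $quote = htmlspecialchars($row['quote'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $priv  = htmlspecialchars($row['priv'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $jb    = htmlspecialchars($row['jb'],    ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

With the statement prepared once and the values bound separately, the database never parses user input as SQL, so the escaping question that the thread revolves around does not arise for the quote at all; the integer cast on the session id closes the second gap lucky3809 points out. The htmlspecialchars calls are kept because the stored quote is still attacker-controlled text when it is displayed.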
LearningCoder Posted January 25, 2012 Author Share Posted January 25, 2012

Thanks a_bertrand, it worked :D