Possible Duplicate:
How to prevent SQL injection?

I would like to fix a SQL injection in appRain CMS: http://code.google.com/p/apprain-quickstart/downloads/list

If someone could help me out, in which php file to look and give me the right function, then it would be great.

I've tried to use mysql_real_escape_string, but I cannot find the correct function where to use it.

exploit: http://www.securityfocus.com/archive/1/520911

OR: /profile/-1 union all select 1,2,3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19

Thanks

1 Answer

Read the links you have given properly.

The solution to the problem is written in the link

1. Use the prepared statement class to fix the sql injection vulnerability & filter sql error requests. Set error(0) to prevent against information disclosure via exceptions or error reports.

2. Parse the input fields and restrict characters like () > < \ / etc. to prevent against script inclusion. Parse also the vulnerable output sections where the script code is getting executed out of the module context.

To Make a prepared statement

$oDB = new PDO('..your connection.. ');   // DSN, user and password of your database
$hStmt = $oDB->prepare("select * from users where id=:id");   // :id is a named placeholder
$hStmt->execute(array(':id' => $userID));   // bind by name; array(':id', $userID) would not bind the value

Notice above that $userID is not combined with the SQL string therefore an SQL injection will not work on it.

Using mysqli_real_escape_string

Note that mysql_real_escape_string has been deprecated, so instead I'll mention how to use mysqli_real_escape_string

$mysqli = new mysqli('host', 'user', 'password', 'database');   // placeholder credentials; escaping needs an open connection for its charset
$a = "'ABCD";   // the leading quote would break a quoted SQL literal if inserted as-is

$a = $mysqli->real_escape_string($a);
   // Now $a is "\'ABCD", with special chars escaped, and can go inside a quoted string in the query

For more information read

PDO: How can I prevent SQL injection in PHP?

Escaping Strings http://php.net/manual/en/mysqli.real-escape-string.php

  • This is not an answer, the resource you quote is linked in the question. The rest is comment material. – hakre Dec 16 '12 at 11:25
  • Fair enough. I edited it to describe how to do it. :-) Cheers – cjds Dec 16 '12 at 11:38
  • Not really necessary in my eyes, but have fun. Too much of the love maybe because this Q might be getting deleted soon. – hakre Dec 16 '12 at 11:40
  • Well, first of all, thanks for the quick response. Second of all, if you can't read the code well, like I can't, I don't see the point in posting just to get some rep. I've tried for many days now, I just can't find the right function. "Leave the work to professionals". That was kind of a dumb thing to say, because you can't get to pro level without trying @hakre. Thanks to Carl, but in my opinion, filtering SQL errors is not a working fix, because that is not a SQL error, that is a real working SQL injection, nothing to do with SQL errors. – user1676106 Dec 16 '12 at 12:00
  • @user1676106 SQL injection is not something you can fix, it's just something to try to prevent. And both these methods will prevent it to a large degree. Filtering the string you provide to SQL seems the only option I have heard about, so I'm not sure what you meant by "that is not a SQL error, that is a real working SQL injection, nothing to do with SQL errors." – cjds Dec 16 '12 at 12:05
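Putting the answer's two points together (a bound parameter for the id, plus errors logged instead of echoed) for the /profile/<id> route the question describes, as an added PHP example that is neither appRain's code nor the answerer's; the table and column names, the DSN and the credentials are assumptions:

```php
<?php
// Added example, not appRain's code or the answer's. Assumes a MySQL table
// `users` with integer primary key `id` and columns `username`, `email`.

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, don't return false
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, no client emulation
    ]);
}

// Vulnerable form, the pattern behind the /profile/<id> report above: the raw
// path segment is concatenated into the SQL, so text after the number is
// parsed as part of the statement.
function findProfileUnsafe(PDO $db, string $rawId): ?array
{
    $row = $db->query('SELECT * FROM users WHERE id = ' . $rawId)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the type, then bind the value as a parameter. The id
// is sent to the server separately from the SQL text and cannot alter it.
function findProfile(PDO $db, string $rawId): ?array
{
    // A profile id is a non-negative integer; reject anything else before
    // it reaches the database (ctype_digit('-1 union ...') is false).
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Caller: log the exception server-side and show a generic page instead of
// echoing it, which is the "error(0)" / information-disclosure advice above.
try {
    $db = connect('mysql:host=localhost;dbname=apprain;charset=utf8mb4', 'app', 'secret');
    $profile = findProfile($db, $_GET['id'] ?? '');
    echo $profile === null ? 'Profile not found' : htmlspecialchars($profile['username']);
} catch (PDOException $e) {
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Internal error';
}
```

findProfileUnsafe is included only as the contrast to be removed from the code base; in appRain the fix is to find the query that builds the profile lookup from the URL segment and replace it with the bound-parameter form.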