
I got a MySQL Query I'm trying to run and I just can't work out how to fix it.

```php
$sql="INSERT INTO ratings (epoch, ip, step, maxstep, threadid) VALUES
('."shell_exec(date             +%s.)".','.mysql_real_escape_string(inet_pton($_COOKIE[".id."])).','.$page.', '.$pagedecode[".numpages."].', '.$ourid.')'";
```

I know it's really bad :(

`Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING`

Thanks Jamie

Jamie
  • `sql` isn't a valid PHP variable, it should be `$sql`. And why are you calling the shell command `date` -- PHP has built-in date functions that can do this. – Barmar Dec 24 '12 at 02:59
  • I had a $sql it's just I was having problems with indenting it so I removed the $ but then got it working and forgot to add it back – Jamie Dec 24 '12 at 03:03

1 Answer

```php
$sql = "INSERT INTO ratings (epoch, ip, step, maxstep, threadid) VALUES ('" . shell_exec(date +%s.) . "','" . mysql_real_escape_string(inet_pton($_COOKIE[id])). "','" . $page . "','".$pagedecode[numpages]."', '".$ourid."')'";
```

But the query is vulnerable to SQL injection. Please read the article below to learn how to prevent it.

John Woo
  • Why is it open to SQL Injection? The only value that the person can alter or provide is the id in the cookie. Also still get a Parse error: syntax error, unexpected '%' in your code – Jamie Dec 24 '12 at 03:02
  • The argument to `shell_exec` needs to be quoted, and there shouldn't be a `.` in it. – Barmar Dec 24 '12 at 03:07
  • @JamieH - As you correctly point out, the id in the cookie can be altered on the client side. That is the definition of SQL injection. – Steve Dec 24 '12 at 03:21
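As an added example (not code from the question or the answer), here is the same INSERT written so that the cookie value never becomes part of the SQL text: the cookie is validated before `inet_pton`, the epoch comes from `time()` instead of a `shell_exec` subprocess, and every value is bound through a PDO prepared statement. The `$db` connection, the `ratings` table layout and the `$page`/`$numpages`/`$ourid` values are assumed from the post; the in-memory SQLite database at the bottom is a constructed stand-in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not the question's or answer's code.

// Returns the packed binary form of the client IP from the 'id' cookie, or
// null when the cookie is missing or is not an IPv4/IPv6 literal. A tampered
// cookie therefore never reaches the query, whether or not it is quoted.
function validatedClientIp(array $cookies): ?string
{
    $raw = $cookies['id'] ?? null;
    if (!is_string($raw) || filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($raw);
    return $packed === false ? null : $packed;
}

// Inserts one rating row using bound parameters; integers are bound as
// integers, the IP as a (possibly null) string of packed bytes.
function insertRating(PDO $db, ?string $ip, int $page, int $numpages, int $ourid): bool
{
    $stmt = $db->prepare(
        'INSERT INTO ratings (epoch, ip, step, maxstep, threadid)
         VALUES (:epoch, :ip, :step, :maxstep, :threadid)'
    );
    $stmt->bindValue(':epoch', time(), PDO::PARAM_INT);   // replaces shell_exec('date +%s')
    $stmt->bindValue(':ip', $ip, $ip === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':step', $page, PDO::PARAM_INT);
    $stmt->bindValue(':maxstep', $numpages, PDO::PARAM_INT);
    $stmt->bindValue(':threadid', $ourid, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed stand-in for the MySQL connection; use a mysql: DSN in practice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (epoch INTEGER, ip BLOB, step INTEGER, maxstep INTEGER, threadid INTEGER)');

// Constructed cookie values: one real address, one that is not an address.
foreach (['203.0.113.7', "' OR 1=1 --"] as $cookieValue) {
    $ip = validatedClientIp(['id' => $cookieValue]);
    insertRating($db, $ip, 3, 10, 42);
    printf("cookie %-14s stored ip: %s\n", json_encode($cookieValue), $ip === null ? 'NULL' : inet_ntop($ip));
}
printf("%d rows, table intact\n", $db->query('SELECT COUNT(*) FROM ratings')->fetchColumn());
```

The second cookie value is stored as NULL rather than ever being interpolated, which is the difference between escaping a string you built yourself and keeping data out of the statement text altogether.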