0

I'm no PHP programmer, only a site admin. I've recently adopted a site with a web panel that causes an SQL injection when trying to post HTML code in TinyMCE containing an apostrophe.

Problematic HTML code:

    img onmouseover="this.src='layout/gfx/wiecej1.png'

PHP code:

    $edytuj = $_POST['edytuj'];

SQL query:

    if($edytuj) {
        $podstrony_id = $_POST['id'];
        $podstrony_id_kategorie = $_POST['id_kategorie'];
        $podstrony_id_moduly = $_POST['id_moduly'];
        $podstrony_tytul = $_POST['tytul'];
        $podstrony_szablon = $_POST['szablon'];
        $podstrony_tresc = $_POST['tresc'];
        $podstrony_aktywnosc = $_POST['aktywnosc'];

        $zapytanie = "UPDATE $tab_podstrony SET id_kategorie='$podstrony_id_kategorie', id_moduly='$podstrony_id_moduly', tytul='$podstrony_tytul', szablon='$podstrony_szablon', tresc='$podstron$
        $wynik = mysql_query($zapytanie);

The site uses php-cgi-5.4.39 and mysql-5.5. I don't have access to the previous environment (where this panel worked fine), so I can't find out if it's a configuration or a code problem.

Machavity
djp

1 Answer

0

Quick fix: you need to properly escape any strings you want to include in the query using mysql_real_escape_string().

Proper fix: switch to mysqli, as the mysql extension is deprecated, and either escape the strings with mysqli_real_escape_string() or, better, use prepared statements.

Cristik
  • Or switch to [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 07 '15 at 19:26
  • And yet the OP is trying to handle SQL injection :) – Jay Blanchard May 07 '15 at 19:34
  • No, I'm saying the OP is asking about it and the programming differences between MySQLi and PDO are not far apart. – Jay Blanchard May 07 '15 at 19:37
  • [It isn't as simple as adding an `i`.](http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059) If you want SQL injection protection you have to change all of your queries to parametrized queries. There is quite a bit of work involved. Not to mention that MySQLi has had some issues. – Jay Blanchard May 07 '15 at 19:50
  • Thanks for all the advice, I've forwarded it to the dev guys, as I know they're implementing PDO on this project. – djp Jun 03 '15 at 15:25
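The three approaches discussed in the question and the answer (raw interpolation, escaping, prepared statements), written out side by side as an added example. This is not the panel's own code: the table name `podstrony` and the column types bound in `bind_param()` are assumptions, and only the `tresc` column from the question's UPDATE is carried through the escaped and PDO variants. It targets PHP 5.4 as in the question, so no scalar type hints are used.

```php
<?php
// Added example, not the original panel's code. $tab_podstrony is assumed to be
// a trusted, hard-coded table name; it is never taken from user input.
$tab_podstrony = 'podstrony';

// 1. The pattern from the question: $_POST values pasted straight into the SQL
//    text. A value like  img onmouseover="this.src='layout/gfx/wiecej1.png'
//    contains an apostrophe that terminates the quoted literal early, so the
//    rest of the value is parsed as SQL. That is the injection the OP observed.
function updateVulnerable(array $post, $tab_podstrony)
{
    $tresc = $post['tresc'];
    $id    = $post['id'];
    return "UPDATE $tab_podstrony SET tresc='$tresc' WHERE id='$id'";
}

// 2. Quick fix from the answer: escape every string before it enters the query.
//    With the old mysql extension this was mysql_real_escape_string(); with
//    mysqli it is mysqli_real_escape_string($db, ...). The query is still built
//    as a string, so forgetting a single value reopens the hole.
function updateEscaped(mysqli $db, array $post, $tab_podstrony)
{
    $tresc = mysqli_real_escape_string($db, $post['tresc']);
    $id    = (int) $post['id'];               // numeric: cast instead of quoting
    return mysqli_query($db, "UPDATE $tab_podstrony SET tresc='$tresc' WHERE id=$id");
}

// 3. Proper fix from the answer: a mysqli prepared statement. Values are sent
//    separately from the SQL text, so an apostrophe in tresc is just data.
//    Type string 'iisssii' assumes id_kategorie, id_moduly, aktywnosc and id
//    are integer columns; use 's' for any that are actually text.
function updatePrepared(mysqli $db, array $post, $tab_podstrony)
{
    $stmt = $db->prepare(
        "UPDATE $tab_podstrony SET id_kategorie=?, id_moduly=?, tytul=?, "
        . "szablon=?, tresc=?, aktywnosc=? WHERE id=?"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param(
        'iisssii',
        $post['id_kategorie'], $post['id_moduly'], $post['tytul'],
        $post['szablon'], $post['tresc'], $post['aktywnosc'], $post['id']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 4. The same fix with PDO, as suggested in the comments. Named placeholders
//    make the mapping from form field to column explicit.
function updatePdo(PDO $pdo, array $post, $tab_podstrony)
{
    $stmt = $pdo->prepare("UPDATE $tab_podstrony SET tresc = :tresc WHERE id = :id");
    return $stmt->execute(array(
        ':tresc' => $post['tresc'],
        ':id'    => (int) $post['id'],
    ));
}

// Constructed sample input reproducing the OP's case: the tresc value carries
// an apostrophe. Printing the vulnerable query shows the literal being closed
// mid-value; the prepared variants never produce such a string at all.
$samplePost = array(
    'id' => '7', 'id_kategorie' => '1', 'id_moduly' => '2', 'tytul' => 'Test',
    'szablon' => 'default', 'aktywnosc' => '1',
    'tresc' => 'img onmouseover="this.src=\'layout/gfx/wiecej1.png\'',
);
echo updateVulnerable($samplePost, $tab_podstrony), PHP_EOL;
// UPDATE podstrony SET tresc='img onmouseover="this.src='layout/gfx/wiecej1.png'' WHERE id='7'
```

Note that none of the fixes help with the table name itself: placeholders can only stand in for values, so `$tab_podstrony` must stay a constant chosen by the application, never something read from the request.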