
I've got a problem. As soon as I enter this little f****r --> ' <-- in my textarea, which is sent to a database via AJAX, it stops working. So if I for example enter:

I am a little gnome and I'm glad to meet you. Hug me!

The database will only receive:

I am a little gnome and I

So... Can I limit all textareas on the page to like A-Z + ÅÄÖ + . , + other regularly used characters which don't ruin my stuff? I am using onchange for the AJAX request, and another event listener for keyup to make it work on Safari, if that's of any importance to anyone!

SQL-injection vulnerability, got it. I'm scared, and have stuff to do. Thanks for all answers thus far.

Algernop K.
  • We need some code. You should be able to send apostrophes without problems, but it's tough to debug without seeing what you've got so far. – Richard Theobald Jan 08 '16 at 00:42
  • You'd be **much** better off fixing your server-side database code. Sounds like you've got a serious SQL injection vulnerability. – Pointy Jan 08 '16 at 00:42
  • @Pointy I know I do, but this will never be used in any real cases. So it's an SQL thing? :/ – Algernop K. Jan 08 '16 at 00:43
  • Try changing `var radioValue = PassedComment.value` to `var radioValue = $(PassedComment).serialize()`. The problem might also be with your php script, but I'm guessing it's an encoding issue. – Richard Theobald Jan 08 '16 at 00:44
  • It is a misuse of SQL from PHP thing (a.k.a. SQL injection vulnerability). [Bobby Tables](http://bobby-tables.com) hits again! We'd need the bit of code where you are constructing your SQL query - that's where the problem lies. – Amadan Jan 08 '16 at 00:45
  • Yes. You're forming the SQL to update the database without sanitizing the content first, either by using a prepared statement (the right way) or doing it textually (the questionable way). – Pointy Jan 08 '16 at 00:47
  • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent – epascarello Jan 08 '16 at 00:51
  • @epascarello: No no no no. It has nothing to do with URI. And even if `encodeURIComponent` escaped values in a way that was sensible for MySQL, you would still be vulnerable to people hand-crafting clientside requests. Escaping needs to be done on the serverside. – Amadan Jan 08 '16 at 00:52
  • OP still needs to use it... Throw a & into it and BAM, another issue besides the SQL Injection. – epascarello Jan 08 '16 at 00:53
  • @epascarello: You're right, I didn't even notice, I assumed he was using `$.ajax` `data`... which is a better idea than manually messing with `encodeURIComponent`, I'd say, since you're using jQuery anyway. – Amadan Jan 08 '16 at 00:57

1 Answer

Note

I can see you're starting out, and it's great! You've always gotta find a bug to learn new stuff, and you're learning about SQL Injections now. If I could suggest something, you'd be best to start at PHP The Right Way, it'll help you a truckload.


Your PHP script (that inserts this data into a database) is not sanitized correctly.

We can't do much without seeing your associated code. But I take it you're using mysql_*/mysqli_* functions? Well, the former one is deprecated and removed as of PHP7!

You should start learning either of the following two prepared statement types:

From what I assume, you want to escape the string:

```php
$data = mysql_real_escape_string($_POST['data']);
```

Although, there are still ways around the above escape; your database can still be hacked via SQL Injection, which is not what you want.

As noted by Amadan, to back up my statement above, mysql_real_escape_string() is still bypassable in certain cases, read these:


Taking the code you've supplied, you'd use prepare() and execute():

```php
if (isset($_GET['comment1'])) {
    if ($mysqli = connect_db()) {
        $insertcomment1 = $_GET['comment1'];
        // The value is sent separately from the SQL text, so quotes in it cannot change the query.
        $stmt = $mysqli->prepare("UPDATE result SET c1=?");
        if (false === $stmt) {
            die('prepare() failed: ' . htmlspecialchars($mysqli->error));
        }
        $stmt->bind_param('s', $insertcomment1);
        // execute
        if (!$stmt->execute()) {
            // execute() errors are reported on the statement object, not the connection
            die('execute() failed: ' . htmlspecialchars($stmt->error));
        }
        // handle the rest here.
    }
}
```

You'd be doing something like the above. You're best to read up on the following in relation to prepared statements using MySQLi:

Darren
  • @Amadan [Read this](http://stackoverflow.com/a/12118602/2518525) or [this](http://blackburnmoonlit.blogspot.com.au/2012/01/bypassing-mysqlescapestring-while-sql.html) – Darren Jan 08 '16 at 00:52
  • I added a bit of code from the php file. Again, this site will never really see the light of day, but could be good to know for future reference anyway. How would I make this code safe (see edit)? – Algernop K. Jan 08 '16 at 00:56
  • @JohnSmith please see the updated answer. – Darren Jan 08 '16 at 01:03
  • Ohhh boy, I've got some reading up to do.. Thank you very much Darren. – Algernop K. Jan 08 '16 at 01:11
  • @JohnSmith You'll be right mate, just keep pushing through and asking away! Only way to learn is from your own mistakes! – Darren Jan 08 '16 at 01:13
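As an added illustration of the answer's point (this is example code written for this page, not the asker's or Darren's), the script below writes the asker's original sentence, plus an ampersand and ÅÄÖ, through a MySQLi prepared statement and reads it back, so you can confirm the apostrophe survives with no client-side filtering at all. It assumes a reachable MySQL server, placeholder credentials, and a table `result` with a text column `c1` holding at least one row, matching the answer's `UPDATE result SET c1=?`.

```php
<?php
// Added example: round-trip a comment through MySQLi prepared statements.
// Assumes table `result` (text column `c1`) with at least one row; credentials are placeholders.
declare(strict_types=1);

// Throw exceptions on any MySQLi failure instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_db(): mysqli
{
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    // Keep the connection charset explicit and matched to the table, so non-ASCII
    // text such as ÅÄÖ is stored and compared as the same bytes on both sides.
    $db->set_charset('utf8mb4');
    return $db;
}

// Store the comment via a placeholder: the value is never spliced into the SQL text,
// so an apostrophe in it cannot end the string literal the way it did for the asker.
function save_comment(mysqli $db, string $comment): void
{
    $stmt = $db->prepare('UPDATE result SET c1 = ?');
    $stmt->bind_param('s', $comment);
    $stmt->execute();
    $stmt->close();
}

// Read it back the same way, so the check does not rely on string building either.
function load_comment(mysqli $db): ?string
{
    $stmt = $db->prepare('SELECT c1 FROM result LIMIT 1');
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row[0] ?? null;
}

// Constructed sample input: the asker's sentence plus characters that are also
// commonly mishandled when values are built into queries or URLs by hand.
$input = "I am a little gnome and I'm glad to meet you. Hug me! Tom & Jerry, ÅÄÖ";

$db = connect_db();
save_comment($db, $input);
$stored = load_comment($db);
$db->close();

echo ($stored === $input) ? "round-trip OK\n" : "mismatch: " . var_export($stored, true) . "\n";
```

Sending the value from the browser is a separate concern: pass it through jQuery's `data` option (or `encodeURIComponent`) as the comments suggest, but as Amadan notes, that is transport encoding, and the SQL safety above comes entirely from the server-side prepared statement.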