#1 hassanab (New Coder)

    How to Fix sql injection & Blind sql injection

Hello everyone,
I have a problem on my website. When I scan it with Acunetix Web Vulnerability Scanner, it reports SQL injection and blind SQL injection in the page showcontent.php, in the id parameter. Here is the page; I want to fix it as soon as possible.
    showcontent.php
PHP Code:

<center>

<?php
include 'admin/config.php';
include 'admin/opendb.php';
?>
<marquee scrollamount="5" bgcolor="orange" onmouseover="this.scrollAmount=0" onmouseout="this.scrollAmount=4" direction="right">
<?php
$query = mysql_query("SELECT * FROM arabic_news order by ID");
$names = array();
while ($row = mysql_fetch_object($query)) {
    echo "<font size=4>";
    $names[] = "<a href='showcontent.php?id=".$row->ID."'>".$row->title."</a>";
    echo "&nbsp;&nbsp;&nbsp;";
}
echo implode("*****", $names);
echo "</font>";
?>
</marquee>

<?php
include 'admin/closedb.php';
?>

</center>

<center>

<?php
include 'admin/config.php';
include 'admin/opendb.php';
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM arabic_news where ID=$id");
while ($row = mysql_fetch_array($result)) {
?>
<center>
<img src="admin/uploads/<?php echo $row['image'];?>" width=400>
<table border="0" dir="rtl">

  <tr>
    <td align="right">عنوان الخبر :</td>
    <td align="right">
      <font size="4"><?php echo $row['title'];?> </font>
    </td>
  </tr>

  <tr>
    <td>محتوي الخبر :</td>
    <td><font size="4"><?php echo $row['content'];?></font>
    </td>
  </tr>

  <tr>
    <td>التاريخ :</td>
    <td><div class="demo" >
    <font size="4"><?php echo $row['date'];?></font>
    </div>
    </td>
  </tr>

</table>
</center>

<?php
}
?>

</center>
    Thanks in Advance

#2 whizard (Senior Coder)
    The mysql_ extension is vulnerable and out of date. Instead, you should use either the mysqli_ extension or a PHP Data Object (PDO).

    Here is an example of PDO in use:
PHP Code:
//Connect to DB
$DBH = new PDO("mysql:host=$dbHost;dbname=$dbName", $dbUser, $dbPass);
//Prepare a query, this is where you send the whole query EXCEPT the data to the DB, ahead of time
$STH = $DBH->prepare("SELECT * FROM arabic_news WHERE id = :id");
//Bind the data to the DB...the placeholder in the original prepared query is now replaced with real data
$STH->bindParam(':id', $id);
//Execute the query
$STH->execute();
//Retrieve the results
while ($row = $STH->fetch(PDO::FETCH_ASSOC))
{
    //Do Stuff
}
    Here is a more in-depth PDO tutorial: http://net.tutsplus.com/tutorials/ph...tabase-access/

    HTH
    Dan
    Last edited by whizard; 07-08-2013 at 01:11 PM.
    PHP Tip: If you want to use short tags (<? or <?=$var) then make sure short_open_tag is set to "1". It really helps.

    Don't forget to save everyone time and mark your thread as Resolved :)

    "Also note that it is your responsibility to die() if necessary."

    DON'T USE THE MYSQL_ EXTENSION
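The following is an added example, not code from the thread or from whizard's post: the two queries of showcontent.php from post #1 rewritten with PDO prepared statements, so the id from the query string is bound as a typed parameter instead of being concatenated into the SQL text. To run stand-alone and offline it uses an in-memory SQLite database seeded with constructed rows; on the real site the DSN would be the MySQL one built from the variables in admin/config.php (assumed to be $dbHost, $dbName, $dbUser and $dbPass, as in whizard's snippet). The function and variable names below are the example's own.

```php
<?php
// Added example: showcontent.php's queries with PDO prepared statements.
// Assumption: an in-memory SQLite database stands in for the site's MySQL one,
// so the script runs offline. The prepare/bind/execute calls are the same for
// both drivers; only the DSN in connect() differs.
declare(strict_types=1);

function connect(): PDO {
    // Production DSN would be "mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4".
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false from every call.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, use the server's native prepared statements rather than
    // client-side emulation, so SQL text and data travel separately.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    // Constructed schema and sample rows for the demo, not data from the thread.
    $pdo->exec('CREATE TABLE arabic_news (ID INTEGER PRIMARY KEY, title TEXT, content TEXT, image TEXT, date TEXT)');
    $seed = $pdo->prepare('INSERT INTO arabic_news (title, content, image, date) VALUES (?, ?, ?, ?)');
    $seed->execute(['First story', 'Body of the first story', 'a.jpg', '2013-07-08']);
    $seed->execute(['Second story', 'Body of the second story', 'b.jpg', '2013-07-09']);
    return $pdo;
}

// The marquee list takes no user input; it still goes through PDO so the whole
// page uses one API. Output is HTML-escaped as a matter of course.
function listHeadlines(PDO $pdo): array {
    $sth = $pdo->query('SELECT ID, title FROM arabic_news ORDER BY ID');
    $links = [];
    foreach ($sth->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $links[] = sprintf("<a href='showcontent.php?id=%d'>%s</a>",
            $row['ID'], htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
    }
    return $links;
}

// The detail query. The id is validated as a positive integer first (so junk is
// rejected before any SQL runs), then bound as PDO::PARAM_INT. The SQL string
// itself is fixed; nothing the client sends can alter it.
function fetchStory(PDO $pdo, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $sth = $pdo->prepare('SELECT * FROM arabic_news WHERE ID = :id');
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
echo implode('*****', listHeadlines($pdo)), "\n";

// On the web server $_GET['id'] comes from the query string; '2' is a CLI fallback.
$story = fetchStory($pdo, $_GET['id'] ?? '2');
echo $story === null ? "Not found\n" : 'Loaded: ' . htmlspecialchars($story['title'], ENT_QUOTES, 'UTF-8') . "\n";

// A probe of the kind a scanner sends. It fails integer validation and is
// never passed to the database; even without that check the bound parameter
// could only ever be compared as a value, not parsed as SQL.
echo fetchStory($pdo, '1 OR 1=1') === null ? "Probe rejected\n" : "Probe accepted\n";
```

The integer check is defence in depth, not the fix: the prepared statement alone already keeps the data out of the SQL text, which is the point whizard makes. Validating first just gives a clean 404 path for garbage ids instead of an empty result set.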


#3 hassanab (New Coder)
Thank you very much, but I have a question: do PHP PDO and mysqli solve SQL injection and blind SQL injection? And I would like more info about mysqli.
    Thanks in Advance

#4 Regular Coder
Wouldn't it just be easier to check the id to make sure it's an integer, and check against character use like ';'? From what I read, most attacks use simple characters like ';' and '=', where the semicolon is used to connect various commands and the equals sign is used for system attacks.
    NO Limits!! DHCreationStation.com
    ------------------------------------------------------------
    Broken items wanted for tinkerin'! PostItNow@BrokenEquipment.com
    Global Complaint Dept.

#5 whizard (Senior Coder)
    mysql_ is deprecated in PHP 5.5 and scheduled for removal in 6.0

    Dan

#6 whizard (Senior Coder)
    I don't think it would be easier, actually...PDO is extremely simple. Even if it was, the easiest thing to do isn't always the best thing, especially when people are trusting you and your site with their information. People doing the easy thing is what leads to sites getting hacked.

    Dan

#7 felgall (Master Coder)
Quote, originally posted by hassanab:
    I have a question: do PHP PDO and mysqli solve SQL injection and blind SQL injection?
They do if you abandon using _query() and instead use _prepare() and _bind(), which keep the SQL and the data in completely separate commands, making injection impossible.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
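Since the original poster asked for more on mysqli, here is an added example (not code from the thread) of the detail query of showcontent.php written with mysqli's prepare() and bind_param(), the second of the two options felgall describes. Unlike a SQLite demo this one needs a live MySQL server: the host, user, password and database name are placeholders and are assumed to come from admin/config.php on the real site.

```php
<?php
// Added example: showcontent.php's detail query with the mysqli extension.
// Assumption: a reachable MySQL server and an arabic_news table with the
// columns the original page reads (ID, title, content, image, date).
declare(strict_types=1);

// Make mysqli raise exceptions instead of returning false on failure.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function openDb(): mysqli {
    // Placeholders: use the values admin/config.php defines.
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
    $db->set_charset('utf8mb4');
    return $db;
}

function fetchStory(mysqli $db, string $rawId): ?array {
    // Validate first: anything that is not a positive integer never reaches MySQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // '?' is the parameter marker; the type string 'i' tells mysqli to send
    // $id as an integer in a separate protocol packet from the SQL text.
    $stmt = $db->prepare('SELECT ID, title, content, image, date FROM arabic_news WHERE ID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // bind_result works on every mysqli build; with mysqlnd, get_result() is an alternative.
    $stmt->bind_result($rowId, $title, $content, $image, $date);
    $row = $stmt->fetch()
        ? ['ID' => $rowId, 'title' => $title, 'content' => $content, 'image' => $image, 'date' => $date]
        : null;
    $stmt->close();
    return $row;
}

$db = openDb();
$story = fetchStory($db, $_GET['id'] ?? '');
if ($story === null) {
    http_response_code(404);
    echo 'Not found';
} else {
    // Escape on output as a matter of course.
    echo '<img src="admin/uploads/', htmlspecialchars($story['image'], ENT_QUOTES, 'UTF-8'), '" width="400">';
    echo '<h2>', htmlspecialchars($story['title'], ENT_QUOTES, 'UTF-8'), '</h2>';
    echo '<p>', htmlspecialchars($story['content'], ENT_QUOTES, 'UTF-8'), '</p>';
}
$db->close();
```

The shape is the same as the PDO version: the SQL text is sent once by prepare(), the value separately by bind_param() and execute(). That separation is what both whizard and felgall are pointing at; mysqli just spells it with a type string ('i', 'd', 's', 'b') instead of PDO::PARAM_* constants.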


#8 hassanab (New Coder)
    Thanks every one
    Now it is clear to me that I should upgrade to PDO or mysqli.

