mysql_escape_string and mysql_real_escape_string not working


Tryptamine
Hello all, I'm attempting to secure a script to protect against SQL injection. But for some reason the code I'm using is not correctly escaping malicious characters.
Here's a section of the code I'm using (the beginning) that first pulls the data from the database:

<?php
include 'include/dbconnect.php';
include 'include/funcs.php';
if (isset($_GET['gid'])) {
    $galleryid = cleanvar($_GET['gid']);
    // $galleryid is interpolated into the query without surrounding quotes
    $sql = "select * from galleries where id = $galleryid";
    $result = mysql_query($sql) or die(mysql_error());
    if ($row = mysql_fetch_assoc($result)) {
        $galleryid = $row['id'];
        $gallerytitle = $row['title'];
    }
}
The cleanvar function is located in funcs.php, and this is what it looks like:

function cleanvar ($var) {
    // escape for MySQL, then strip the slashes that magic_quotes_gpc added
    return stripslashes(mysql_real_escape_string($var));
}
magic_quotes_gpc is on, which is why I added stripslashes. But for some reason, whenever I go to the script and attempt to inject into it with a single or double quote, I still get a syntax error, enabling me to inject successfully.
Any ideas?
Thanks in advance! :)
You should have a switch in your code to check if magic quotes are turned on before utilizing stripslashes. But in any event, you should run stripslashes before you run mysql_real_escape_string().
Although I would suggest using a function that automatically removes any modification due to magic quotes on all input (see the manual), try this:

function cleanvar ($var)
{
    // undo magic_quotes_gpc first, so the value is escaped exactly once
    if (get_magic_quotes_gpc())
    {
        $var = stripslashes($var);
    }
    return mysql_real_escape_string($var);
}
Also, why are you using mysql_real_escape_string() on an "id" field? If that's an id field, I would expect it to be an integer value. mysql_real_escape_string() is meant for string input. So you should validate/force the value to be an integer. One option is to cast the value as an integer:

$galleryid = (int) $_GET['gid'];
Or use the intval() function.

Thanks for the quick reply, I tried the new function, but still got the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Also that's a good point about the int value, I will try that next.
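The following is an added example, not code from the thread or from either poster. It simulates in plain PHP what the two cleanvar() variants above do to a gid value and prints the query string that would reach MySQL, which reproduces the "near '\''" error quoted in the last post and illustrates the first reply's point that escaping is the wrong tool for an integer column. It assumes stand-in helpers for mysql_real_escape_string() and magic_quotes_gpc (both removed from current PHP), and the names sim_mysql_real_escape_string, sim_magic_quotes, cleanvar_original, cleanvar_reply, gallery_id_or_null and build_query are all constructed for this example. No database connection is needed.

```php
<?php
// Added example, not code from the thread. Simulates what each cleanvar()
// variant does to $_GET['gid'] and shows the exact SQL string produced.
// Assumption: mysql_real_escape_string() and magic_quotes_gpc no longer exist
// in current PHP, so both are replaced by the constructed helpers below.

// Stand-in for mysql_real_escape_string(): escapes the same characters, but
// without the connection charset awareness the real function had.
function sim_mysql_real_escape_string(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// What magic_quotes_gpc=On did to every request value before the script ran.
function sim_magic_quotes(string $s): string
{
    return addslashes($s);
}

// The original poster's cleanvar(): escape first, then strip the slashes.
function cleanvar_original(string $var): string
{
    return stripslashes(sim_mysql_real_escape_string($var));
}

// The first reply's cleanvar(): undo magic quotes, then escape.
function cleanvar_reply(string $var): string
{
    return sim_mysql_real_escape_string(stripslashes($var));
}

// Integer-only alternative to the (int) cast suggested in the reply: instead
// of silently truncating "7'" to 7, it rejects anything that is not a plain
// decimal number, so the caller can answer 404 without touching the database.
function gallery_id_or_null(string $var): ?int
{
    $var = stripslashes($var);            // undo magic quotes if they are on
    if ($var === '' || !ctype_digit($var) || strlen($var) > 10) {
        return null;
    }
    return (int) $var;
}

// The query is built exactly as in the thread: the value is interpolated
// without surrounding quotes, so MySQL parses it as a number, not a string.
function build_query(string $id): string
{
    return "select * from galleries where id = $id";
}

// Constructed inputs: the single-quote test from the thread, and a quote-free
// value that no amount of escaping changes at all.
foreach (["7'", "7 abc"] as $raw) {
    $gid = sim_magic_quotes($raw);        // what $_GET['gid'] actually held
    echo "raw input     : $raw\n";
    echo "original      : ", build_query(cleanvar_original($gid)), "\n";
    echo "reply version : ", build_query(cleanvar_reply($gid)), "\n";
    echo "integer check : ", var_export(gallery_id_or_null($gid), true), "\n\n";
}
// Both cleanvar() variants turn "7'" into 7\' (the "near '\''" error quoted
// above) and pass "7 abc" through untouched; only the integer check refuses both.
```

Run it with `php example.php`. The output makes the mechanism visible: for the input `7'` both variants produce `select * from galleries where id = 7\'`, which is exactly the syntax error the original poster kept seeing, because escaping only protects a value that sits inside quotes in the SQL. For an unquoted integer column the defence is to validate the value as an integer (or use parameter binding such as mysqli's `bind_param('i', $id)`), which is what the first reply recommends; gallery_id_or_null() returns null for both malformed inputs and `42` for a clean one.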