  1. #1
    SitePoint Member

    HOW TO FIX THIS BUG?

    Category BUG: SQL Injection

    // String context: the untrusted value is dropped inside the quotes of the SQL text
    $sql = "SELECT * FROM table WHERE field ='{$_GET['input']}'";

    // Numeric context: the untrusted value is concatenated with no quoting at all
    $sql = "SELECT * FROM table WHERE field =" . $_GET["input"];

    // Stored procedure call, interpolated form
    mysql_query("SELECT SomeStoredProcName('{$_GET['input']}')");

    // Stored procedure call, concatenated form
    mysql_query("SELECT SomeStoredProcName('" . $_GET["input"] . "')");

  2. #2
    logic_earth
    Don't be using $_GET or user input directly in SQL statements.
    User input needs to be filtered, validated and double checked.
    Never trust anything.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Member

    HOW TO FIX IT?

    Category: SQL Injection

    // The value is interpolated into the SQL text before odbc_prepare() sees it,
    // so the "prepared" statement already contains whatever the user sent
    $sql = "SELECT * FROM table WHERE field = '$_GET[input_zero]'";
    $stmt = odbc_prepare($conn, $sql);

  4. #4
    SpacePhoenix
    Two threads merged
    Community Team Advisor

  5. #5
    SitePoint Evangelist
    Have a look at https://www.owasp.org/index.php/Top_10_2010-A1

    Always quote the input before using it in a WHERE statement.

    Remove any null characters (character code 0).

    If the field you are searching against in the WHERE clause is numeric then strip out any non-numeric characters from the input.
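For reference, here is how the four statements from post #1 and the odbc_prepare() call from post #3 look once the user value is passed as a bound parameter instead of being pasted into the SQL text. This is an added example, not code from anyone in the thread; it assumes a MySQL database reachable through the placeholder PDO DSN below, and an already opened ODBC handle in $conn as in post #3.

```php
<?php
// Added example: parameterised versions of the queries discussed above.
// Connection values are placeholders; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// String column: the value is sent separately from the statement text, so the
// quotes belong to the SQL and can never be closed by the data.
$stmt = $pdo->prepare('SELECT * FROM `table` WHERE field = :input');
$stmt->execute([':input' => $_GET['input'] ?? '']);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Numeric column (the unquoted case from post #1): validate the type first,
// then bind as an integer. Binding alone blocks injection; the validation
// additionally rejects junk such as "1 OR 1=1" before it reaches the database.
$id = filter_input(INPUT_GET, 'input', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('input must be an integer');
}
$stmt = $pdo->prepare('SELECT * FROM `table` WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Stored function call: arguments are bound exactly the same way.
$stmt = $pdo->prepare('SELECT SomeStoredProcName(:input)');
$stmt->execute([':input' => $_GET['input'] ?? '']);
$result = $stmt->fetchColumn();

// The odbc_prepare() pattern from post #3: put a ? marker in the SQL and hand
// the value to odbc_execute(), rather than interpolating it before preparing.
$odbcStmt = odbc_prepare($conn, 'SELECT * FROM `table` WHERE field = ?');
odbc_execute($odbcStmt, [$_GET['input_zero'] ?? '']);
```

The backticks around `table` are needed because TABLE is a reserved word in MySQL; the original snippets would fail on that even before the injection problem.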
