
How to fix SQL injection


awal

Hello

I have a PHP script, but I found 18 SQL injections in one file only.

How do I fix these problems?

Thank you
 
use the function mysql_real_escape_string() around EVERY variable you pass into mysql_query(), especially if it's a user-input (like $_POST or $_GET)
 
nasaboy007 said:
use the function mysql_real_escape_string() around EVERY variable you pass into mysql_query(), especially if it's a user-input (like $_POST or $_GET)

Please I need example:

I try with this one

PHP:
$rs_query=mysql_query("Select * from sbwmd_categories where id=" . $category );

I change it to:
PHP:
$rs_query=mysql_query("Select * from sbwmd_categories where id=" . mysql_real_escape_string($category) );

but it is still not working.

Thank you
 
in what way is it not working?

the function used does stop tainting the database.
 
Peter said:
in what way is it not working?

the function used does stop tainting the database.

Still the same problem, and I get more SQL injections after I change, for example:

PHP:
$rs_query=mysql_query("Select * from sbwmd_categories where id=" . mysql_real_escape_string($cid) );
PHP:
$rs_query=mysql_query("Select * from sbwmd_categories where id=" . mysql_real_escape_string($rs["pid"]) );
PHP:
$rst1_query=mysql_query("Select * from sbwmd_categories where pid IN (" . mysql_real_escape_string($clist) . ") and id not in ( ". mysql_real_escape_string($clist) . ")") ;


I think I don't know how to do it.
 
Is "ID" always an integer?
If so, please filter it this way. Maybe not the most secure, but I believe this one is secure.
PHP:
$id = $_GET['category'];// for example

// Remove non numeric
$id = preg_replace('/([^0-9]+)/', '', $id);

// Intval'ed it
$id = intval($id);

// Use it for query, etc
 
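As an added example (not code from the thread, the scanner vendor, or the poster above), covering both nasaboy007's escaping advice and the integer filter in the post above: it shows why mysql_real_escape_string() leaves an unquoted numeric value unprotected, then coerces the id to an int and binds it with a prepared statement instead of concatenating it. It runs offline against an in-memory SQLite database through PDO; the table and column names (sbwmd_categories, id, pid) come from the thread, while the rows and the `escapeLikeMysql` helper are my own constructions (the helper only approximates the MySQL function's escaping set, since the mysql_* extension was removed in PHP 7).

```php
<?php
// Added example, not from the thread. Why escaping does not fix
// "where id=" . $category, and what to do instead.
// Assumes PHP >= 7.1 with the PDO SQLite driver; with MySQL only the DSN changes.

// Approximation of mysql_real_escape_string(): per the PHP manual it backslash-
// escapes NUL, \n, \r, \, ', " and Ctrl-Z and nothing else (addcslashes renders
// the control characters slightly differently, which does not matter here).
function escapeLikeMysql(string $s): string {
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// A value containing none of those characters is returned unchanged, so after
// "... where id=" . escapeLikeMysql($category) non-numeric text still lands in
// the SQL. Escaping only protects a value that sits inside quotes in the query.
var_dump(escapeLikeMysql("12 abc") === "12 abc");   // true: nothing was escaped

// Fix 1: coerce the input to the type the column expects before it touches SQL.
// "12abc" -> 12, "abc" -> 0, missing -> 0. An id of 0 simply matches no row.
function categoryIdFromRequest(array $get): int {
    return (int) ($get['category'] ?? 0);
}

// Fix 2: never concatenate; bind the value through a prepared statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sbwmd_categories (id INTEGER PRIMARY KEY, pid INTEGER, name TEXT)");
// Constructed sample rows.
$pdo->exec("INSERT INTO sbwmd_categories VALUES (1, 0, 'root'), (2, 1, 'child')");

function categoryById(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare("SELECT * FROM sbwmd_categories WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values standing in for $_GET.
print_r(categoryById($pdo, categoryIdFromRequest(['category' => '2'])));        // the 'child' row
var_dump(categoryById($pdo, categoryIdFromRequest(['category' => '12 abc'])));  // NULL: id 12 does not exist
var_dump(categoryById($pdo, categoryIdFromRequest([])));                        // NULL: id 0 does not exist
```

The same pattern applies to the other two single-id queries in the thread (`$cid` and `$rs["pid"]`): cast to int, then bind. With an `int` parameter type and `PDO::PARAM_INT` the database never parses user text as SQL, so a scanner that flags string concatenation has nothing left to flag.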
How are you testing these SQL injection holes? Just curious.
 
It's possible that the software is getting a false positive and not recognizing that sanitation function. I would hand-test each sql injection it finds to see if they're actually still vulnerable.
 
It's possible that the software is getting a false positive and not recognizing that sanitation function.

I was wondering that myself - especially if you're using the free version.

I found an article on their site about using addslashes/stripslashes to prevent SQL injection attacks. That is an older way of doing it (don't use it - mysql_real_escape_string is more robust) and it's probably an old article, but the free version of their software may not be up-to-date and could be looking for something like that.
 
awal said:
Acunetix Web Vulnerability Scanner 5
http://www.acunetix.com/
I agree with false positive alarm.
However, if you still believe there is a hole in your script, make sure you filter every variable which is related to the SQL query.

For example, if a variable is supposed to be numeric, remove all non-numeric characters.
If a variable is supposed to be alpha numeric, remove all non alphanumeric characters.

Do this with regular expression. :imho:

Good luck :tu:
 
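The type-based filtering suggested above, as an added example that is not the poster's code: one validator per expected type (numeric, alphanumeric), plus the case escaping cannot handle at all, the comma-separated `$clist` used in the thread's `pid IN (...)` query, which is rebuilt with one placeholder per id. It runs offline against in-memory SQLite via PDO (PHP >= 7.1); the table layout follows the thread and the rows and input strings are constructed.

```php
<?php
// Added example, not from the thread: validate every input by its expected
// type before it reaches SQL, then bind it. Assumes PDO with the SQLite driver.

// Numeric: accept only digits (bounded length), return an int or null.
function asIntOrNull(string $v): ?int {
    return preg_match('/^\d{1,10}$/', trim($v)) ? (int) $v : null;
}

// Alphanumeric: accept only [A-Za-z0-9_] of bounded length; reject anything else
// rather than silently stripping, so a malformed value cannot turn into a valid one.
function asSlugOrNull(string $v): ?string {
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $v) ? $v : null;
}

// Comma-separated id list such as $clist ("1,2,3"): validate every element.
function asIntList(string $csv): array {
    $ids = [];
    foreach (explode(',', $csv) as $part) {
        $n = asIntOrNull($part);
        if ($n === null) {
            throw new InvalidArgumentException("id list element is not numeric");
        }
        $ids[] = $n;
    }
    return array_values(array_unique($ids));
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sbwmd_categories (id INTEGER PRIMARY KEY, pid INTEGER, name TEXT)");
// Constructed sample rows.
$pdo->exec("INSERT INTO sbwmd_categories VALUES (1,0,'a'),(2,1,'b'),(3,1,'c'),(4,2,'d')");

// Children of the listed categories that are not themselves in the list:
// the thread's $rst1_query, with one "?" per id instead of a concatenated string.
function childrenNotInList(PDO $pdo, array $ids): array {
    if ($ids === []) {
        return [];                       // "IN ()" is a syntax error; short-circuit
    }
    $ph  = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT * FROM sbwmd_categories WHERE pid IN ($ph) AND id NOT IN ($ph)";
    $stmt = $pdo->prepare($sql);
    // The list is used twice, so the parameters are the list twice (positional, 1-based).
    foreach (array_merge($ids, $ids) as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for request parameters.
print_r(childrenNotInList($pdo, asIntList("1,2")));   // rows 3 and 4
var_dump(asSlugOrNull("news_2024"));                  // string: accepted
var_dump(asSlugOrNull("news 2024"));                  // NULL: space is not allowed
try {
    asIntList("1,2 abc");                             // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Rejecting instead of stripping matters for the scanner question raised earlier in the thread: a validator that fails closed gives a clear place to log and count bad input, whereas `preg_replace` quietly repairs it and leaves nothing to detect.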
Thank you for your help

I run my website and hope nothing happens in the future.
 