is this code safe from sql injections?
harmor19
10-21-2005, 03:23 AM
I am new to coding vbulletin so I don't know the functions as such.
$vbulletin->input->clean_array_gpc('p', array(
'name' => TYPE_STR
'email' => TYPE_STR,
'text' => TYPE_NOHTML,
'testid' => TYPE_INT
));
$db->query_write("
UPDATE " . TABLE_PREFIX . "testimonials SET
name = '" . $db->escape_string($vbulletin->GPC['name']) . "',
email = '" . $db->escape_string($vbulletin->GPC['email']) . "',
text = '" . $db->escape_string($vbulletin->GPC['text']) . "',
WHERE testid = " . $vbulletin->GPC['testid'] . "
");
Andreas
10-21-2005, 03:36 AM
Yes it is safe from SQL injections.
However, you will get a compile error as there is a missing comma after the first TYPE_STR.
Furthermore, if you store data this way, you must make sure to run it through the parser or htmlspecialchars_uni() before displaying it - otherwise you open Cross Site Scripting (XSS) leaks.
If you don't need raw data in the table, you can store HTML safe strings by using data verification type TYPE_NOHTML instead.
harmor19
10-21-2005, 03:55 AM
I am getting an SQL error
Here's the php
$vbulletin->input->clean_array_gpc('p', array(
'name' => TYPE_STR,
'email' => TYPE_STR,
'text' => TYPE_STR,
'testid' => TYPE_INT
));
$db->query_write("
UPDATE " . TABLE_PREFIX . "testimonials SET
name = '" . $db->escape_string($vbulletin->GPC['name']) . "',
email = '" . $db->escape_string($vbulletin->GPC['email']) . "',
text = '" . $db->escape_string($vbulletin->GPC['text']) . "',
WHERE testid = " . $vbulletin->GPC['testid'] . "
");
Here's the sql error
UPDATE testimonials SET
name = 'erg4ewg',
email = 'ewgwgew',
text = 'gewgewrg <b>egeg</b>',
WHERE testid = 1;
MySQL Error : You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE testid = 1' at line 5
Error Number : 1064
Andreas
10-21-2005, 04:01 AM
The last comma (before WHERE) is wrong.
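The pattern Andreas confirms as injection-safe (escaped strings, integer-cast id, HTML escaping on display) and the trailing-comma fix, as an added stand-alone example written for this thread rather than taken from it or from vBulletin. It assumes a PDO connection and a SQLite table with the thread's column names; PDO::quote() stands in for $db->escape_string() and htmlspecialchars() for htmlspecialchars_uni().

```php
<?php
// Added example, not the poster's or vBulletin's code. Assumed: PDO + SQLite,
// table testimonials(testid, name, email, text) with an empty TABLE_PREFIX.

function clean_testimonial_input(array $post): array {
    // Mirrors what clean_array_gpc() does for TYPE_STR / TYPE_INT: strings stay raw,
    // the id becomes an integer, which is why it can be interpolated without quotes.
    return [
        'name'   => (string)($post['name']   ?? ''),
        'email'  => (string)($post['email']  ?? ''),
        'text'   => (string)($post['text']   ?? ''),
        'testid' => (int)($post['testid']    ?? 0),
    ];
}

function build_update_sql(PDO $db, string $prefix, array $gpc): string {
    // PDO::quote() escapes the value and adds the surrounding quotes itself.
    // No comma after the last SET column: that trailing comma caused MySQL error 1064.
    return "UPDATE {$prefix}testimonials SET"
         . " name = "  . $db->quote($gpc['name'])  . ","
         . " email = " . $db->quote($gpc['email']) . ","
         . " text = "  . $db->quote($gpc['text'])
         . " WHERE testid = " . $gpc['testid'];
}

function display_safe(string $stored): string {
    // Storing raw text is fine; the XSS risk Andreas describes is on output,
    // so escape every time the value is rendered into HTML.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: a quote in the name, markup in the text, junk after the id.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE testimonials (testid INTEGER PRIMARY KEY, name TEXT, email TEXT, text TEXT)");
$db->exec("INSERT INTO testimonials VALUES (1, 'old', 'old@example.invalid', 'old text')");

$gpc = clean_testimonial_input([
    'name'   => "O'Brien",
    'email'  => 'ob@example.invalid',
    'text'   => '<b>hello</b>',
    'testid' => '1 junk',   // the integer cast keeps only the leading number
]);

$sql = build_update_sql($db, '', $gpc);
echo $sql, "\n";
$db->exec($sql);

$row = $db->query("SELECT name, text FROM testimonials WHERE testid = 1")->fetch(PDO::FETCH_ASSOC);
echo display_safe($row['name']), " wrote: ", display_safe($row['text']), "\n";
```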
harmor19
10-21-2005, 04:06 AM
Wow I can't believe I missed that.
I think I'm done with the editing, do I give it to you to review or just re-upload the zip and send out an update?
Alan @ CIT
10-21-2005, 06:17 AM
Just re-upload the zip and send out an update.
harmor19
10-21-2005, 06:49 AM
Thank you.
Please check it out https://vborg.vbsupport.ru/showthread.php?t=98906