vb.org Archive


harmor19 11-11-2005 04:37 PM

sql injection through address bar.
 
I am reading this article on security and it mentions something about passing data through the address bar.

If I had
PHP Code:

UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID

I could pass this through the address bar
PHP Code:

mypage.php?table=admin SET Password = 'foo';

I noticed that I have this in my own script
PHP Code:

$query="UPDATE rpg_character 
     SET 
     move_v = '$move_v', 
     move_h ='$move_h'
     WHERE characterid='".$rpg['characterid']."'";

mysql_query($query);

So I wanted to test it but it doesn't work.
PHP Code:

rpg_index.php?move_v='60' WHERE characterid = '1'

Here's the article http://www.hudzilla.org/phpbook/read.php/17_1_1

I am guessing that browsers recognize the "#" character.

The Geek 11-11-2005 04:39 PM

It would only work if a variable of the same name existed, was used in a query string, and was not previously cleansed.

In a nutshell, it CAN happen - but it's rare and really only through irresponsible coding or a complete oversight.

BTW: It couldn't happen the way you are trying to do it anyway. Why exactly are you posting this anyway? This is 'hacking' fodder which kind of concerns me.

harmor19 11-11-2005 04:46 PM

I don't plan on hacking anyone's site, I just wanted more insight about sql injection to protect myself.

The Geek 11-11-2005 04:55 PM

Here is a little information on protecting yourself from injections with vb; however, it looks a bit dated (globalize isn't used as such anymore).

https://vborg.vbsupport.ru/showthrea...ight=injection

HTHs

harmor19 11-11-2005 06:41 PM

Thank you.

This is offtopic.
I have four buttons: "up, down, right, left".
When a button is pressed it adds or subtracts from the value and re-inserts into the database.

PHP Code:

if (isset($_POST['up']))
{
    $move_v = $rpg['move_v'] + 10;
}
elseif (isset($_POST['down']))
{
    $move_v = $rpg['move_v'] - 10;
}
else
{
    $move_v = $rpg['move_v'];
}

//code for left and right buttons here ($move_h)

$query = "UPDATE rpg_character 
     SET 
     move_v = '$move_v', 
     move_h ='$move_h'
     WHERE characterid='".$rpg['characterid']."'";

mysql_query($query);

What I'm doing is using the php image function and on that script I'm getting the vertical ($move_h) and the horizontal ($move_h) positions.
It'll place an image according to those coordinates.

So my question is if I have a lot of people playing at the same time will it bog down the server?

Marco van Herwaarden 11-11-2005 06:53 PM

Well, it for sure could get wrong results (there is a little time between calculating and submitting the query). I suggest something like the following:

PHP Code:

$move = array();
if (isset($_POST['up']))
{
    $move[] = "move_v = move_v + 10";
}
elseif (isset($_POST['down']))
{
    $move[] = "move_v = move_v - 10";
}

if ($move)
{
    // The database applies the increment itself, in a single statement
    $move_sql = implode(", ", $move);
    $query = "UPDATE rpg_character
     SET
     $move_sql
     WHERE characterid='".$rpg['characterid']."'";

    mysql_query($query);
}

Just typed it here, so not tested and probably made a typo somewhere, but you get the idea.

You can add the code to add to the $move array for horizontal yourself.
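
A hardened form of the update discussed in the replies above, as an added example that is not code from any poster in this thread: it combines the in-database increment with a fixed button-to-column map and bound parameters. It assumes PHP 7.1+ with PDO and uses in-memory SQLite in place of the thread's MySQL database; `MOVES`, `apply_move()`, the sample rows and the left/right mapping to `move_h` are hypothetical.

```php
<?php
// Added example: rows, MOVES and apply_move() are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rpg_character (characterid INTEGER PRIMARY KEY, move_v INTEGER, move_h INTEGER)');
$db->exec('INSERT INTO rpg_character VALUES (1, 50, 50), (2, 50, 50)');

// Fixed map from button name to column and step. Request data only selects
// an entry; it never supplies SQL text, a column name or a number.
const MOVES = [
    'up'    => ['move_v',  10],
    'down'  => ['move_v', -10],
    'right' => ['move_h',  10],   // assumed direction for move_h
    'left'  => ['move_h', -10],
];

function apply_move(PDO $db, $characterId, array $post): int
{
    $id = filter_var($characterId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0;                  // id is not an integer: no query is run
    }
    foreach (MOVES as $button => [$column, $step]) {
        if (!isset($post[$button])) {
            continue;
        }
        // $column comes from the constant above, never from the request.
        // The database does the arithmetic, so there is no gap between
        // reading the old position and writing the new one.
        $stmt = $db->prepare(
            "UPDATE rpg_character SET $column = $column + :step WHERE characterid = :id"
        );
        $stmt->bindValue(':step', $step, PDO::PARAM_INT);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount();  // rows changed
    }
    return 0;                      // no recognised button: nothing is written
}

// Constructed requests: a normal click, the address-bar value tried earlier
// in the thread, and a non-numeric character id.
$changed = [
    apply_move($db, 1, ['up' => 'Up']),
    apply_move($db, 1, ['move_v' => "'60' WHERE characterid = '1'"]),
    apply_move($db, '1 OR 1=1', ['down' => 'Down']),
];
echo json_encode($changed), "\n";
echo json_encode($db->query('SELECT * FROM rpg_character')->fetchAll(PDO::FETCH_NUM)), "\n";
```

Only the first request changes a row; the other two never reach the SQL text, because the request can only pick a key from `MOVES` and the id must pass integer validation before it is bound.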

harmor19 11-11-2005 09:39 PM

I did the mktime on my script using my way and your way and they're both pretty much the same.

For my way I get "0.00130414962769" seconds
For your way I get "0.00123000144958" seconds
I'll use your way since it looks more complex.

I have another offtopic question

How can I pass a variable to a script without loading the script I'm sending it to?
Instead of doing this...
Code:

<form action='somescript.php' method='post'>
Then on somescript.php I would use $_POST['var']
But I would like to send $_POST['var'] to somescript.php with the browser redirecting to somescript.php?
I know it sounds weird but I may have a use for it.

