vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   SOLVED! - sql injection testing / sql error handling (https://vborg.vbsupport.ru/showthread.php?t=205472)

Vaupell 02-15-2009 05:45 PM

SOLVED! - sql injection testing / sql error handling
 
Was testing my input boxes to see if they are vulnerable to sql injections,
so was looking for a testing guide..
but all use username and password as examples

so went ahead and just tried adding some normal html
with and without ''

without '' <br> saves in db as &lt;br&gt;
and with ' ' around it shows a SQL error,
basically showing the entire Insert into query line and content.

so need to work on some error handling
Wanted to look up some articles on vbulletin sql error handling
but can't find any, maybe I'm using the wrong search words..

any suggestions ?

bananalive 02-15-2009 05:55 PM

Create Secure Mods (https://vborg.vbsupport.ru/showthread.php?t=154411)

Vaupell 02-15-2009 06:07 PM

Quote:

Originally Posted by bananalive (Post 1745136)

yeah well, already got that covered, does not exclude the error display on sql error.

was looking for something more along the lines of error handling as we
would in C#,

On error goto (link to error handling)

ALL user input I get from the template I handle like this
PHP Code:

// clean the POST input; TYPE_STR only casts to string, it does not escape for SQL
$vbulletin->input->clean_array_gpc('p', array(
    'Rtitle' => TYPE_STR,
));

// HTML-encodes the cleaned value before it is stored
$Rtitle = htmlspecialchars_uni($vbulletin->GPC['Rtitle']);

would you still be using $db->escape_string( for each insert in the db ?

inserting into db like this


Example
PHP Code:

// values are concatenated into the query unescaped; a single quote in
// $Rtitle or $Rdesc ends the string literal early and MySQL reports an error
$db->query_write("INSERT IGNORE INTO " . TABLE_PREFIX . "mytesttable
                  (RID, Rtitle, Rdesc)
                  VALUES ('', '" . $Rtitle . "', '" . $Rdesc . "')");


Ted S 02-15-2009 06:09 PM

Quote:

Originally Posted by Vaupell (Post 1745154)
would you still be using $db->escape_string( for each insert in the db ?

Yes.

htmlspecialchars_uni is an output control and won't help prevent mysql errors from unescaped strings.

Vaupell 02-15-2009 06:20 PM

Quote:

Originally Posted by Ted S (Post 1745155)
Yes.

htmlspecialchars_uni is an output control and won't help prevent mysql errors from unescaped strings.

omg, hehe that's a lot of rewriting :p


okay got it working properly including escape_string on each var.. haha.. TX AGAIN!

Dismounted 02-16-2009 04:55 AM

If you are still using htmlspecialchars() before input into the database, you shouldn't be. As mentioned above, it is output control, and should only be used when displaying the data.
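Ted S's and Dismounted's answers put into one runnable script, as an added example that is not code from the thread or from vBulletin: the INSERT from the thread in its posted form beside the escaped form, with HTML encoding moved to display time. The StubDb class is an assumption standing in for $vbulletin->db so the script runs on its own; the table and column names are the thread's, the prefix and the input string are constructed.

```php
<?php
// Added example, not code from the thread or from vBulletin.
// StubDb is an assumption standing in for $vbulletin->db so this runs stand-alone.
define('TABLE_PREFIX', 'vb_');   // constructed prefix

class StubDb {
    public $queries = array();

    // Approximates the contract of vB3's $db->escape_string(): make a value safe
    // to place between single quotes in SQL (vB delegates to mysql_real_escape_string()).
    public function escape_string($s) {
        return addcslashes($s, "\\'\"\0\n\r\x1a");
    }

    public function query_write($sql) {
        $this->queries[] = $sql;   // record the SQL instead of executing it
    }
}

// As posted in the thread: raw values concatenated into the SQL string.
// A single quote in $title ends the literal early and the server reports a
// syntax error, which is the error display the first post describes.
function build_insert_unescaped(StubDb $db, $title, $desc) {
    $db->query_write("INSERT IGNORE INTO " . TABLE_PREFIX . "mytesttable (RID, Rtitle, Rdesc) "
        . "VALUES ('', '" . $title . "', '" . $desc . "')");
}

// The form the thread settles on: escape_string() on every variable at the SQL
// boundary, and no htmlspecialchars before storing.
function build_insert_escaped(StubDb $db, $title, $desc) {
    $db->query_write("INSERT IGNORE INTO " . TABLE_PREFIX . "mytesttable (RID, Rtitle, Rdesc) "
        . "VALUES ('', '" . $db->escape_string($title) . "', '" . $db->escape_string($desc) . "')");
}

// Output control, applied when the stored value is displayed (Dismounted's point).
// htmlspecialchars() stands in here for vB's htmlspecialchars_uni().
function render_title($raw) {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

$db = new StubDb();
$title = "Rock 'n' roll <br>";   // constructed input containing quotes and a tag
build_insert_unescaped($db, $title, 'desc');
build_insert_escaped($db, $title, 'desc');
echo "unescaped: " . $db->queries[0] . "\n";   // the quote in the title breaks the literal
echo "escaped:   " . $db->queries[1] . "\n";   // the quote is escaped inside the literal
echo "display:   " . render_title($title) . "\n";
```

Compare the two recorded queries: the stored value is the raw text, the escaping belongs to the SQL string, and the HTML encoding happens only in render_title().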



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
