vb.org Archive - is this code safe from sql injections?

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)

- - is this code safe from sql injections? (https://vborg.vbsupport.ru/showthread.php?t=98917)

harmor19

10-21-2005 03:23 AM

is this code safe from sql injections?

I am new to coding vbulletin so I don't know the functions as such.

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('p', array(

    'name' => TYPE_STR

    'email' => TYPE_STR,

    'text' => TYPE_NOHTML,

    'testid' => TYPE_INT

     ));



     $db->query_write("

    UPDATE " . TABLE_PREFIX . "testimonials SET

    name = '" . $db->escape_string($vbulletin->GPC['name']) . "',

    email = '" . $db->escape_string($vbulletin->GPC['email']) . "',

    text = '" . $db->escape_string($vbulletin->GPC['text']) . "',

    WHERE testid = " . $vbulletin->GPC['testid'] . "

    ");

Andreas

10-21-2005 03:36 AM

Yes it is safe from SQL injections.
However, you will get a compile error as there is a missing comma after the first TYPE_STR.
Furthermore, if you store data this way, you must make sure to run it through the parser or htmlspecialchars_uni() before displaying it - otherwise you open Cross Site Scripting (XSS) leaks.
If you don't need raw data in the table, you can store HTML safe strings by using data verification type TYPE_NOHTML instead.

harmor19

10-21-2005 03:55 AM

I am getting a sql error

Here's the php

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('p', array(

    'name' => TYPE_STR,

    'email' => TYPE_STR,

    'text' => TYPE_STR,

    'testid' => TYPE_INT

     ));



     $db->query_write("

    UPDATE " . TABLE_PREFIX . "testimonials SET

    name = '" . $db->escape_string($vbulletin->GPC['name']) . "',

    email = '" . $db->escape_string($vbulletin->GPC['email']) . "',

    text = '" . $db->escape_string($vbulletin->GPC['text']) . "',

    WHERE testid = " . $vbulletin->GPC['testid'] . "

    ");

Here's the sql error

Code:

UPDATE testimonials SET

    name = 'erg4ewg',

    email = 'ewgwgew',

    text = 'gewgewrg <b>egeg</b>',

    WHERE testid = 1;



MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE testid = 1' at line 5

Error Number : 1064

Andreas

10-21-2005 04:01 AM

The last comma (before WHERE) is wrong.

harmor19

10-21-2005 04:06 AM

Wow I can't believe I missed that.

I think I'm done with the editing, do I give it to you to review or just re-upload the zip and send out an update?

Alan @ CIT

10-21-2005 06:17 AM

Just re-upload the zip and send out an update.

harmor19

10-21-2005 06:49 AM

Thank you.

Please check it out https://vborg.vbsupport.ru/showthread.php?t=98906

All times are GMT. The time now is 07:18 PM.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01091 seconds Memory Usage 1,737KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_code_printable (2)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (7)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: