sql injection through address bar.

[harmor19]

I am reading this article on security and it mentions something about passing data through the address bar.

If I had

PHP Code:

UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID; 


I could pass this through the address bar

PHP Code:

mypage.php?table=admin SET Password = 'foo';# 


I noticed that I have this in my own script

PHP Code:

$query="UPDATE rpg_character 
     SET 
     move_v = '$move_v', 
     move_h ='$move_h'
     WHERE characterid='".$rpg['characterid']."'";
     mysql_query($query); 


So I wanted to test it but it doesn't work.

PHP Code:

rpg_index.php?move_v='60' WHERE characterid = '1'; # 


Here's the article http://www.hudzilla.org/phpbook/read.php/17_1_1

I am guessing that browsers recognize the "#" character.

[The Geek]

it would only work if a variable of the same name existed, was used in a query string, and was not previously cleansed.

In a nutshell, it CAN happen - but its rare and really only through irresponsible coding or a complete oversight.

BTW: It couldnt happen the way you are trying to do it anyway. Why exactly are you posting this anyway? This is 'hacking' fodder which kind of concerns me.

[harmor19]

I don't plan on hacking anyone's site, I just wanted more insight about sql injection to protect myself.

[The Geek]

Here is a little information on protecting yourself from injections with vb however it looks a bit dated (globalize isnt used as such anymore)

https://vborg.vbsupport.ru/showthrea...ight=injection

HTHs

[harmor19]

Thank you.

This is offtopic
I have four button "up, down, right, left"
When a button is pressed it adds or substracts from the value and re-inserts into the database.

PHP Code:

if (isset($_POST['up']))
    {
      $move_v = $rpg['move_v'] + 10;
    }
    elseif (isset($_POST['down']))
    {
       $move_v = $rpg['move_v'] - 10; 
    }  
    else
   {    
      $move_v = $rpg['move_v'];   
    }
      //code for left and right buttons here ($move_h)

$query = "UPDATE rpg_character 
     SET 
     move_v = '$move_v', 
     move_h ='$move_h'
     WHERE characterid='".$rpg['characterid']."'";
     mysql_query($query); 


What I'm doing is using the php image function and on that script I'm getting the vertical ($move_h) and the horizontal ($move_h) positions.
It'll place and image according to those coordinates.

So my question is if I have a lot of people playing at the same time will it bog down the server?

[Marco van Herwaarden]

Well it for sure could get wrong results (there is a little time between calculating and submitting the query). I suggest somehting like the following:

PHP Code:

$move = array();
if (isset($_POST['up']))
{
  $move[] = "move_v = move_v + 10";
    } 
    elseif (isset($_POST['down'])) 
    { 
       $move[] = "move_v = move_v - 10";
    }   

if ($move)
{
  $move_sql = implode(", ", $move);
$query = "UPDATE rpg_character  
     SET  
     $move_sql
     WHERE characterid='".$rpg['characterid']."'"; 
     mysql_query($query);  
} 


Just typed it here, so not tested and probably made a typo somewhere, but you get the idea.

You can add the code to add to the $move array for horizontal yourself.

[harmor19]

I did the mktime on my script using my way and your way and they're both pretty much the same.

For my way I get "0.00130414962769" seconds
For your way I get "0.00123000144958" seconds
I'll use your way since it looks more complex.

I have anoher offtopic question

How can I pass a variable to a script without loading the script I'm sending it to?
Instead of doing this...

Code:

<form action='somescript.php' method='post>

Then on somescript.php I would use $_POST['var']
But I would like to send $_POST['var'] to somescript.php with the browser redirecting to somescript.php?
I know it sounds weird but I may have an use for it.