#1
02-15-2009, 05:45 PM
Vaupell
Join Date: Apr 2008
Location: Esbjerg, Denmark
Posts: 1,036

SOLVED! - SQL injection testing / SQL error handling

Was testing my input boxes to see if they are vulnerable to SQL injection,
so I was looking for a testing guide..
but all of them use username and password as examples.

So I went ahead and just tried adding some normal HTML,
with and without ''

Without '' <br> saves in the db as &lt;br&gt;,
and with ' ' around it shows a SQL error,
basically showing the entire INSERT INTO query line and content.

So I need to work on some error handling.
Wanted to look up some articles on vBulletin SQL error handling
but can't find any, maybe I'm using the wrong search words..

Any suggestions?

#2
02-15-2009, 05:55 PM
bananalive
Join Date: Oct 2007
Location: UK
Posts: 2,802

Create Secure Mods: https://vborg.vbsupport.ru/showthread.php?t=154411

#3
02-15-2009, 06:07 PM
Vaupell
Join Date: Apr 2008
Location: Esbjerg, Denmark
Posts: 1,036

Quote: Originally Posted by bananalive

yeah well, already got that covered, does not exclude the error display on SQL error.

was looking for something more along the lines of error handling as we
would in C#,

On error goto (link to error handling)

ALL user input I get from the template I handle like this:
PHP Code:
    $vbulletin->input->clean_array_gpc('p', array(
        'Rtitle' => TYPE_STR,
    ));

    // the value is HTML-escaped here, before it is stored
    $Rtitle = htmlspecialchars_uni($vbulletin->GPC['Rtitle']);
would you still be using $db->escape_string( for each insert in the db?

inserting into db like this

Example
PHP Code:
    // $Rtitle and $Rdesc are concatenated straight into the query without
    // $db->escape_string(); a single quote in either breaks the string literal
    $db->query_write("INSERT IGNORE INTO " . TABLE_PREFIX . "mytesttable
        (RID, Rtitle, Rdesc)
        VALUES ('', '" . $Rtitle . "', '" . $Rdesc . "')
    ");

#4
02-15-2009, 06:09 PM
Ted S
Join Date: Dec 2003
Location: SoCal
Posts: 3,954

Quote: Originally Posted by Vaupell
would you still be using $db->escape_string( for each insert in the db?

Yes.

htmlspecialchars_uni is an output control and won't help prevent MySQL errors from unescaped strings.

#5
02-15-2009, 06:20 PM
Vaupell
Join Date: Apr 2008
Location: Esbjerg, Denmark
Posts: 1,036

Quote: Originally Posted by Ted S
Yes.

htmlspecialchars_uni is an output control and won't help prevent MySQL errors from unescaped strings.

omg, hehe, that's a lot of rewriting


okay, got it working properly, including escape_string on each var.. haha.. TX AGAIN!

#6
02-16-2009, 04:55 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

If you are still using htmlspecialchars() before input into the database, you shouldn't be. As mentioned above, it is output control, and should only be used when displaying the data.
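The pattern the replies in #4 and #6 describe, as an added example (this is not code from the thread or from vBulletin itself): the insert from post #3 rewritten so that each value is passed through $db->escape_string() at the point it enters the query, the raw text is what gets stored, and htmlspecialchars_uni() is applied only when the row is rendered. It assumes a vBulletin 3 script that has already included global.php (so $vbulletin and $db exist); the table mytesttable, its columns and the RID auto-increment are the hypothetical names from the thread.

```php
<?php
// Added example, not the thread's or vBulletin's own code. Assumes a vB3 script
// that has included global.php, so $vbulletin and $db are available, and a
// hypothetical table mytesttable(RID auto-increment, Rtitle, Rdesc).

// 1. Read the POSTed fields through vBulletin's input cleaner. TYPE_STR only
//    guarantees you get a string; it makes the value safe for neither SQL nor HTML.
$vbulletin->input->clean_array_gpc('p', array(
    'Rtitle' => TYPE_STR,
    'Rdesc'  => TYPE_STR,
));
$Rtitle = $vbulletin->GPC['Rtitle'];
$Rdesc  = $vbulletin->GPC['Rdesc'];

// 2. Escape for MySQL where each value goes into the query string. A title such
//    as   foo'bar   would otherwise close the literal early and produce the
//    "error in your SQL syntax" page that dumps the whole INSERT (or, for a
//    crafted value, run attacker-chosen SQL without any error at all).
$db->query_write("
    INSERT IGNORE INTO " . TABLE_PREFIX . "mytesttable
        (Rtitle, Rdesc)
    VALUES
        ('" . $db->escape_string($Rtitle) . "', '" . $db->escape_string($Rdesc) . "')
");
$rid = $db->insert_id();

// 3. Unquoted numeric values are a separate case: escape_string() cannot help
//    because there is no quote to break out of. Cast them (or clean them as
//    TYPE_UINT) before concatenation.
$row = $db->query_first("
    SELECT RID, Rtitle, Rdesc
    FROM " . TABLE_PREFIX . "mytesttable
    WHERE RID = " . intval($rid)
);

// 4. HTML-escape only at display time, e.g. just before the values are handed
//    to a template. The database keeps the raw text, so nothing is stored
//    double-encoded and the row can be edited or searched as it was typed.
$show_title = htmlspecialchars_uni($row['Rtitle']);
$show_desc  = htmlspecialchars_uni($row['Rdesc']);
```

Hiding the error page is not the fix. vB3's DB class can be told not to halt and print the query (hide_errors() and show_errors() in includes/class_core.php; check your version), but the statement still executed with whatever the user typed inside it. Escaping every string at the point it is concatenated, and casting every number, removes the quote breakout itself, so the error never happens and neither does the injection. The same rule applies to UPDATE and to WHERE clauses, not only to INSERT.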