vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
#1  10-21-2005, 03:23 AM
harmor19
Join Date: Apr 2005
Posts: 1,324

Is this code safe from SQL injections?

I am new to coding vbulletin so I don't know the functions as such.

PHP Code:
$vbulletin->input->clean_array_gpc('p', array(
    'name'   => TYPE_STR
    'email'  => TYPE_STR,
    'text'   => TYPE_NOHTML,
    'testid' => TYPE_INT
));

$db->query_write("
    UPDATE " . TABLE_PREFIX . "testimonials SET
    name = '" . $db->escape_string($vbulletin->GPC['name']) . "',
    email = '" . $db->escape_string($vbulletin->GPC['email']) . "',
    text = '" . $db->escape_string($vbulletin->GPC['text']) . "',
    WHERE testid = " . $vbulletin->GPC['testid'] . "
");
#2  10-21-2005, 03:36 AM
Andreas
Join Date: Jan 2004
Location: Germany
Posts: 6,863
Yes it is safe from SQL injections.
However, you will get a compile error as there is a missing comma after the first TYPE_STR.
Furthermore, if you store data this way, you must make sure to run it through the parser or htmlspecialchars_uni() before displaying it - otherwise you open Cross Site Scripting (XSS) leaks.
If you don't need raw data in the table, you can store HTML safe strings by using data verification type TYPE_NOHTML instead.
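The two points in the reply above, that the UPDATE is injection-safe because every string goes through escape_string() and testid goes through TYPE_INT, and that TYPE_STR data is an XSS problem unless it is escaped on output (or stored with TYPE_NOHTML), can be checked with a stand-alone model of the mod's query. This is an added example, not code from the thread or from vBulletin: it runs against an in-memory SQLite table with constructed rows and constructed attacker input, and the functions type_int, type_str, type_nohtml and escape_string are my stand-ins for the behaviour of clean_array_gpc() and $db->escape_string(), not the real implementations. The only change from the posted query is that the comma before WHERE is dropped so the statement parses.

```python
import html
import re
import sqlite3


# Stand-ins for the vBulletin input types named in the thread. These are
# assumptions modelled on clean_array_gpc()'s behaviour, not vBulletin's code.
def type_int(value):
    """TYPE_INT: like PHP intval(), keep a leading signed integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def type_str(value):
    """TYPE_STR: the raw string, untouched."""
    return str(value)


def type_nohtml(value):
    """TYPE_NOHTML: HTML metacharacters turned into entities at input time."""
    return html.escape(str(value), quote=True)


def escape_string(value):
    """Stand-in for $db->escape_string(): double every single quote. That is
    standard SQL (SQLite needs it, MySQL accepts it); vBulletin's MySQL driver
    backslash-escapes instead, with the same effect."""
    return str(value).replace("'", "''")


def fresh_db():
    """Constructed sample table with two rows, so a widened WHERE is visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE testimonials "
               "(testid INTEGER PRIMARY KEY, name TEXT, email TEXT, text TEXT)")
    db.executemany("INSERT INTO testimonials VALUES (?, ?, ?, ?)",
                   [(1, "alice", "alice@example.org", "first"),
                    (2, "bob", "bob@example.org", "second")])
    return db


def build_update(post, safe):
    """The thread's UPDATE, built by string concatenation exactly as the mod
    does (minus the stray comma before WHERE). safe=True applies the cleaning
    the mod applies; safe=False interpolates the raw POST values."""
    if safe:
        name, email, text = (escape_string(type_str(post[k]))
                             for k in ("name", "email", "text"))
        testid = str(type_int(post["testid"]))
    else:
        name, email, text, testid = (str(post[k])
                                     for k in ("name", "email", "text", "testid"))
    return ("UPDATE testimonials SET"
            " name = '" + name + "',"
            " email = '" + email + "',"
            " text = '" + text + "'"
            " WHERE testid = " + testid)


def run_update(post, safe):
    """Apply the query to a fresh table and return the resulting rows."""
    db = fresh_db()
    db.execute(build_update(post, safe))
    return db.execute("SELECT testid, name, email, text FROM testimonials "
                      "ORDER BY testid").fetchall()


# Constructed attacker input. The first closes the quoted literal and re-aims
# the statement at another row (the rest is hidden behind a SQL comment); the
# second tries to widen the WHERE clause through the integer field.
QUOTE_PAYLOAD = {"name": "mallory', email = 'mallory@evil.example' WHERE testid = 2 --",
                 "email": "ignored@example.org", "text": "ignored", "testid": "1"}
ID_PAYLOAD = {"name": "mallory", "email": "m@example.org", "text": "hi",
              "testid": "1 OR 1=1"}


def render_raw(stored):
    """A TYPE_STR value dropped straight into a template: XSS if it holds markup."""
    return "<p>" + stored + "</p>"


def render_escaped(stored):
    """What htmlspecialchars_uni() at display time gives you instead."""
    return "<p>" + html.escape(stored, quote=True) + "</p>"


if __name__ == "__main__":
    for label, post in (("quote", QUOTE_PAYLOAD), ("id", ID_PAYLOAD)):
        print(label, "safe:  ", run_update(post, safe=True))
        print(label, "unsafe:", run_update(post, safe=False))
    print(render_raw("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
```

With the cleaning applied, the quote payload is stored verbatim in row 1 and the "1 OR 1=1" testid collapses to 1; without it, the first payload rewrites row 2 and the second updates every row. The render functions show why storing TYPE_STR is only half the job: the markup in the text column of post #3 below would execute unless it is escaped at display time or stored via TYPE_NOHTML.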
#3  10-21-2005, 03:55 AM
harmor19
Join Date: Apr 2005
Posts: 1,324

I am getting an SQL error.

Here's the PHP:
PHP Code:
$vbulletin->input->clean_array_gpc('p', array(
    'name'   => TYPE_STR,
    'email'  => TYPE_STR,
    'text'   => TYPE_STR,
    'testid' => TYPE_INT
));

$db->query_write("
    UPDATE " . TABLE_PREFIX . "testimonials SET
    name = '" . $db->escape_string($vbulletin->GPC['name']) . "',
    email = '" . $db->escape_string($vbulletin->GPC['email']) . "',
    text = '" . $db->escape_string($vbulletin->GPC['text']) . "',
    WHERE testid = " . $vbulletin->GPC['testid'] . "
");
Here's the SQL error:
Code:
UPDATE testimonials SET
    name = 'erg4ewg',
    email = 'ewgwgew',
    text = 'gewgewrg <b>egeg</b>',
    WHERE testid = 1;

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE testid = 1' at line 5
Error Number : 1064
#4  10-21-2005, 04:01 AM
Andreas
Join Date: Jan 2004
Location: Germany
Posts: 6,863

The last comma (before WHERE) is wrong.
#5  10-21-2005, 04:06 AM
harmor19
Join Date: Apr 2005
Posts: 1,324

Wow, I can't believe I missed that.

I think I'm done with the editing. Do I give it to you to review, or just re-upload the zip and send out an update?
#6  10-21-2005, 06:17 AM
Alan @ CIT
Join Date: Nov 2004
Location: South UK
Posts: 625

Just re-upload the zip and send out an update.
#7  10-21-2005, 06:49 AM
harmor19
Join Date: Apr 2005
Posts: 1,324

Thank you.

Please check it out: https://vborg.vbsupport.ru/showthread.php?t=98906
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.