Alternate fix to injection code in comments

So, in another thread it was mentioned that the current fix may get the job done, its also filtering out good data. There must be some proper solution to handle incoming comment data securely. I thought I would start a discussion in regards to finding an alternate fix to the problem then the one currently available.

The problem: Users input data into comments that is executed and causes trouble.

Solution ideas: Escape incoming data so that it cannot execute? Allow only alphanumeric comment data and write the SQL statements so that they cannot be broken out?

I will be the first to admit I am not a professional coder, although I do write a lot of code myself. I haven't taken a long look at how the comments are currently handled, but plan to. Lets pool some ideas and help MrZeroPage come up with a more solid fix!

[Sarteck]

I do a few things.


First off, I almost ALWAYS use sprintf(). It's pretty awesome.

PHP Code:

sprintf("SELECT * FROM %suser WHERE userid=%d",TABLE_PREFIX,$userid); 


Bam, you'll always get an integer. Also, query looks hella prettier. :3

Two, why not use vBulletin's built-in cleaning functions on data? That would solve a lot of it, wouldn't it?

Mind you, I'm a complete newbie to the scripting of this modification in particular, but I have successfully programmed a bunch of homebrewed mods for my own. I just want a disclaimer here that I could be completely off-base. X3

[stangger5]

Starting with 2.7.1+

To fix that exploit was to edit one line..

PHP Code:

$ibforums->input['s_id'] = ibp_cleansql($ibforums->input['s_id']); 


change to

PHP Code:

$ibforums->input['s_id'] = intval($ibforums->input['s_id']); 


Quote:

Originally Posted by BirdOPrey5

Comment should be OK because of they way strings are put in the database. The problem was s_id was allowed to be a string when it was supposed to be an int, that is what allowed the exploit.

The ibp_cleansql function needs to be changed to accept a second argument that says what type of data it is (string or int) and clean it differently depending on what it is supposed to be.

vBulletin has built in cleaning functions too that can/should be used.

[Sarteck]

See? Perfect example of where sprintf() would be put to awesome use. Just use %d in your query and you're good to go.

[rpgamersnet]

Wait, so it wasn't the comments that were causing the problem, but the S_ID? My board personally was not hit by this exploit, so I did not have the details.

[Mark.B]

Quote:

Originally Posted by rpgamersnet

Wait, so it wasn't the comments that were causing the problem, but the S_ID? My board personally was not hit by this exploit, so I did not have the details.

I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

[stangger5]

Quote:

Originally Posted by Mark.B

I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

I didnt know anything about a exploit with 2.7.2..

[Mark.B]

Quote:

Originally Posted by stangger5

I didnt know anything about a exploit with 2.7.2..

No I meant FIXED in 2.7.2.

[Hippy]

the only thing needed is what stangger posted above..

--------------- Added [DATE]1330552106[/DATE] at [TIME]1330552106[/TIME] ---------------

Quote:

Originally Posted by Mark.B

I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

I didnt know anything about a exploit with 2.7.2.. either

[stangger5]

Quote:

Originally Posted by Mark.B

No I meant FIXED in 2.7.2.

Had me going ...lol...