Pimpery, not all of us have extreme experience in SQL or PHP or the works. From the example you show, I can assume two things:
1. The problem is that anyone can see the admin's warnings.
2. The slash at the end may allow hackers to insert code (for this I am not sure, but having spent some time reading articles I got containing the "SQL injection" phrase here, that's what I assume).
I am going to spend some more time today, figuring out this whole issue, but what I fail to understand is the function you provided.
So, please, instead of just posting a warning thread, saying VERY BIG HOLE, WOLF, WOLF, you could spend some minutes helping me understand how to close the hole and how to use that code. As I said, not all of us were born with that knowledge.
Rgds
pimpery did post an explanation on how to patch it. go to the first post blindy :nervous:
and how did he say WOLF WOLF.... just because you can't code doesn't mean you have to take it out on him. He did explain why there's a big hole in the first post as well.
Code:
Input isn't escaped before being put into the SQL query. Seriously, what the ****. A premium modification that doesn't even check the input
Please recreate a similar warning system with more features than this one and then I'm sure the majority of the users here will consider reading what you posted
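To make the point quoted above concrete, here is an added illustration (not the hack's own code, and not vBulletin's API) of the difference between building the warning INSERT from unescaped input and using a prepared statement. It assumes a plain mysqli connection and a constructed `warning` table with `userid` and `reason` columns.

```php
<?php
// Added example, not code from the hack or from vBulletin.
// Assumes: a mysqli connection $db and a constructed table
// `warning` (userid INT, reason VARCHAR) for illustration only.

// The pattern the thread complains about: request input is dropped
// straight into the SQL string, so any quote character in $reason
// becomes part of the query's structure instead of its data.
function add_warning_unsafe(mysqli $db, string $userid, string $reason): bool
{
    $sql = "INSERT INTO warning (userid, reason) VALUES ('$userid', '$reason')";
    return (bool) $db->query($sql);
}

// The fix: a prepared statement sends the SQL and the values separately,
// so the server never parses user input as part of the query. The integer
// type on $userid also rejects non-numeric ids before they reach SQL.
function add_warning_safe(mysqli $db, int $userid, string $reason): bool
{
    $stmt = $db->prepare("INSERT INTO warning (userid, reason) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $userid, $reason);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

If a site cannot move to prepared statements, the minimum is to run every value through the database layer's escaping function and cast numeric ids to int before they touch the query string.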
sirbutts, thank you for backing me up. and, nubster, not everyone has a ++++load of time. and the amount of time you spend on something doesn't make you a better coder. he could suck but have a lot of time to do this kind of stuff.
Sirbutts and pimpery,
I may be speaking to the expert programmers on PHP and vBulletin, so apologies if my hack was not up to your level. As far as I remember, in the original hack's thread, I clearly said that I am no expert (like you two). Has it occurred to you that this thread was the first time I heard the expression "SQL Injection"?
And in my answer to Pimpery, I asked specific questions. Pimpery provided a function, with no instructions on how to use it. Am I supposed to guess or to take the advice of experts? He did post this thread, and I asked a question. He didn't bother answering; instead Soup jumped in and provided some explanation. Shall I consider Pimpery's attitude as "the arrogance of the experts"?
And yes Pimpery, I have a ****load of time on my hands. With two sites to maintain, two 3-year-old kids to take care of, and a family of 5. You are right, the amount of time you invest in something doesn't make you a better coder, as much as the amount of time you live on this earth doesn't make you a better person, but sometimes it polishes your skills. I sincerely hope you are very very young.
In any case, the hole is closed, so that's history.