I am getting SQL & URL injection vulnerabilities when I scan my website. This is the code I'm using:
if(isset($_GET["id"]))
{
if(!is_int($_GET["id"]) ==FALSE)
{
//redirect this person back to homepage
} else {
$sql = "SELECT * FROM workshop WHERE id=".trim($_GET['id']);
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);
$id = $row['id'];
$prod_name = $row['prod_name'];
$description = $row['description'];
$image1 = $row['image1'];
$image2 = $row['image2'];
$image3 = $row['image3'];
$pdfFileName = $row['pdfFileName'];
$publish = $row['publish'];
$workshop_date = $row['workshop_date'];
$workshop_date_end = $row['workshop_date_end'];
$course_desc = $row['course_desc'];
$attend = $row['attend'];
$trainer_detail = $row['trainer_detail'];
$location = $row['location'];
$dateValue = $row['workshop_date'];
$year = date('Y',strtotime($dateValue));
$month = date('F',strtotime($dateValue));
$day = date('d',strtotime($dateValue));
$dateValue1 = $row['workshop_date_end'];
$year1 = date('Y',strtotime($dateValue1));
$month1 = date('F',strtotime($dateValue1));
$day1 = date('d',strtotime($dateValue1));
}
}
How do I fix it?
The SQL injection problem is in this row:
$sql = "SELECT * FROM workshop WHERE id=".trim($_GET['id']);
You're applying the value from get directly into your query without escaping it.
Do this instead:
$id = mysql_real_escape_string(trim($_GET['id']));
$sql = "SELECT * FROM workshop WHERE id=$id";
Remember that you're using deprecated mysql_* functions, mysqli_* should be used instead. Consider updating your code.
Related
This is my PHP file. I can't select the deadline from fyp1 where fyp1.code = $tcode (that is the input that we put). Please help.
<?php
include('inc/db.php');
if (isset($_POST['submit'])) {
$tcode = $_POST['tcode'];
$idno = $_POST['idno'];
$sname = $_POST['sname'];
$datesub = date("Y-m-d");
$sql = "SELECT * FROM fyp1";
$select = mysql_query($sql,"SELECT deadline from fyp1 where fyp1.code = '$tcode'");
$name = $_FILES['file']['name'];
$tmp_name = $_FILES['file']['tmp_name'];
if ($name && $tcode){
$Location = "S.File/$name";
move_uploaded_file($tmp_name, $Location);
$query = mysql_query("INSERT INTO submission (taskcode,idno,name,file,time,dead) VALUES ('$tcode','$idno','$sname','$name','$datesub','$select')");
header('Location:DisplayNews.php');
}else
die("Please select a file");
}
?>
Please take a look at the php devdocs!
mixed mysql_query ( string $query [, resource $link_identifier = NULL ] )
You have to remove the following lines...
$sql = "SELECT * FROM fyp1";
$select = mysql_query($sql,"SELECT deadline from fyp1 where fyp1.code = '$tcode'");
and replace them with a valid call:
$sql = "SELECT deadline ".
"FROM fyp1 ".
"WHERE code = '".mysql_real_escape_string($tcode)."' ");
Please never insert $_POST variables directly in SQL statements for security reasons!
I am currently working on this project. Data can be retrieved from database with this code, if certificateNumber is numeric, but it does not search person if certificateNumber field has alphanumeric data.
Where am I wrong with this?
<?php
$flag = 0;
$reg=$_REQUEST["cerf"];
echo ($reg);
$con = mysqli_connect('localhost','neoncom_db','12345','neoncom_std');
$qur = 'select * from student where certificateNumber = '.$reg;
$check = mysqli_query($con,$qur);
while($row=mysqli_fetch_array($check))
{
if($reg==$row["certificateNumber"])
{
$flag++;
$first = $row["first"];
$last=$row["last"];
$num = $row["certificateNumber"];
$name = $first ." ".$last;
$course = $row["course"];
$date = $row["signupDate"];
echo($row["certificateNumber"]);
echo($row["first"]);
echo($row["last"]);
}
}
if(count==0)
{
echo("NOT FOUND");
}
?>
You need to encapsulate $reg in quotes. So your query string $qur should be like this:
$qur = "select * from student where certificateNumber = '" . $reg . "'";
Sidenote: Learn about prepared statement because right now your query is susceptible to SQL injection attack. Also see how you can prevent SQL injection in PHP.
My first page is owner details then I send id and show owner wise driver in driver details page if I select particular driver and show information in third page for select driver. In this page selected driver information show currently but when I perform update query so data not updated what I do. My problem is that show and update in same page and how to pass id of select item
<?php
include("config.php");
$d_idd = $_GET['d_id'];
$_SESSION['d_id'] = $d_idd;
$d_id = $_SESSION['d_id'];
//print_r("select * from tbl_multiple_driver where Id = '$d_id'");
die();
$driverUpdate = sqlsrv_query($conn,"select * from tbl_multiple_driver where Id = '$d_id'");
while($driverdetails = sqlsrv_fetch_array($driverUpdate)){
$id = $driverdetails['Id'];
$name = $driverdetails['driver_name'];
$mobile = $driverdetails['driver_mobile'];
$dob = $driverdetails['driver_birth_date'];
$address = $driverdetails['driver_address'];
$location = $driverdetails['location'];
$city = $driverdetails['city'];
$pincode = $driverdetails['driver_pincode'];
$pick_up_area = $driverdetails['PickUp_Area'];
$vehicle_no = $driverdetails['vehicle_reg_no'];
$vehicle_company = $driverdetails['V_id'];
$vehicle_module = $driverdetails['V_id'];
$user_name = $driverdetails['username'];
$reg_date = $driverdetails['reg_date'];
$vehicle = "SELECT * FROM Vehicle where id = '$vehicle_company'";
$vehicleDisplay = sqlsrv_query($conn,$vehicle);
while($vehicleDetails = sqlsrv_fetch_array($vehicleDisplay)){
$vehicleModel = $vehicleDetails['Vehicle_Model_id'];
}
$vehicleMod = "SELECT * FROM Vehicle_Modle where id = '$vehicleModel'";
$vehicleModDisplay = sqlsrv_query($conn,$vehicleMod);
while($vehicleModDetails = sqlsrv_fetch_array($vehicleModDisplay)){
$vehicleId = $vehicleModDetails['vehicle_id'];
$vehicleModName = $vehicleModDetails['vehicle_modle_Name'];
}
$Mainvehicle = "SELECT * FROM MainVehicle where id = '$vehicleId'";
$mainvehicleDisplay = sqlsrv_query($conn,$Mainvehicle);
while($mainvehicleDetails = sqlsrv_fetch_array($mainvehicleDisplay)){
$vehiclename = $mainvehicleDetails['vehicle_company'];
}
}
?>
<?php
if(isset($_POST['btnUpdate'])){
//$id = $_POST['Id'];
$dName = $_POST['txtDriverName'];
$dMobile = $_POST['txtMobileNumber'];
$dDob = $_POST['txtDob'];
$dAddress = $_POST['txtDriverAddress'];
$dLocation = $_POST['Location'];
$dCity = $_POST['city'];
$dPincode = $_POST['pincode'];
$dPickUp = $_POST['txtPickup'];
$dVehicleNo = $_POST['txtVehicleNo'];
//print_r("update tbl_multiple_driver set driver_name = '$dName',driver_mobile='$dMobile',driver_birth_date='$dDob',driver_address='$dAddress',location='$dLocation', city='$dCity',driver_pincode='$dPincode',PickUp_Area='$dPickUp', vehicle_reg_no='$dVehicleNo' where Id= '$id' "); die();
$driver_update = "update tbl_multiple_driver set driver_name = '$dName',driver_mobile='$dMobile',driver_birth_date='$dDob',driver_address='$dAddress',location='$dLocation', city='$dCity',driver_pincode='$dPincode',PickUp_Area='$dPickUp', vehicle_reg_no='$dVehicleNo' where Id= '$id' ";
$res = sqlsrv_query($conn,$driver_update);
if($res){
echo '<script language="javascript">';
echo 'window.location.href = Details.php';
echo '</script>';
}
// header('location:Details.php');
}
?>
On user select you have to pass id again and then update info on base of this id:
$driver_update = "update tbl_multiple_driver set driver_name = '$dName',
driver_mobile='$dMobile',driver_birth_date='$dDob',driver_address='$dAddress',
location='$dLocation', city='$dCity',driver_pincode='$dPincode',
PickUp_Area='$dPickUp', vehicle_reg_no='$dVehicleNo' where Id='".$isession['d_id']."' ";
At the moment this code updates the user info in MYSQLTABLE1. What I also want done is user info to be copied to WMYSQLTABLE which I can do but I also want a code from MYSQLTABLE2 to be copied over into a column in WMYSQLTABLE as well. Here is the part I need changing:
$sql_insert2 = "INSERT INTO ".WMYSQLTABLE2."(ip,date,address)values
('','$ip','$date','$address')";
$res_insert2 = mysql_query($sql_insert2)or die(mysql_error());
//Need to also insert code from first row from column named 'codes' in MYSQLTABLE2.
Actual code, it's a bit messy at the moment and the if/else statements do the exact same at the moment. It works but I get the error " Column count doesn't match value count at row 1" because I cannot fill the last column with the code from MYSQLTABLE2.
<?php
include("includes/config.php");
include("includes/mysql.php");
include("amount.php");
if(isset($_POST['func']))
{
$address = $_POST['address'];
$ip = $_POST['ip'];
$date = $_POST['date'];
$time = $_POST['time'];
$price = $_POST['price'];
$increment = $_POST['increment'];
$id = $_POST['id'];
$num = 0;
$sql_check_address = "SELECT * FROM ".MYSQLTABLE1." WHERE address='$address'";
$res_check_address = mysql_query($sql_check_address)or die(mysql_error());
$num = mysql_num_rows($res_check_address);
$row = mysql_fetch_assoc($res_check_address);
if($num > 0)
{
$address = $row['address'];
$ip = $row['ip'];
$date = $row['date'];
$oldprice = $row['price'];
$id = $row['id'];
$newprice = $oldprice - $payAmount*200;
$newinc = $increment - 200;
$sql_update1 = "UPDATE ".MYSQLTABLE1." SET ip='$ip',date='$date',price='$newprice',increment='$newinc',address='$address' WHERE id='$id'";
$res_update1 = mysql_query($sql_update1)or die(mysql_error());
/////////////////Insert user info and copy code from MYSQLTABLE2 to WMYSQLTABLE2
$sql_insert2 = "INSERT INTO ".WMYSQLTABLE2."(ip,date,address)values
('','$ip','$date','$address')";
$res_insert2 = mysql_query($sql_insert2)or die(mysql_error());
}
else{
$address = $row['address'];
$ip = $row['ip'];
$date = $row['date'];
$oldprice = $row['price'];
$id = $row['id'];
$newprice = $oldprice - $payAmount*200;
$newinc = $increment - 200;
$sql_update = "UPDATE ".MYSQLTABLE1." SET ip='$ip',date='$date',price='$newprice',increment='$newinc',address='$address' WHERE id='$id'";
$res_update = mysql_query($sql_update)or die(mysql_error());
/////////////////Insert user info and copy code from MYSQLTABLE2 to WMYSQLTABLE2
$sql_insert2 = "INSERT INTO ".WMYSQLTABLE2."(ip,date,address)values
('','$ip','$date','$address')";
$res_insert2 = mysql_query($sql_insert2)or die(mysql_error());
e
}
}
Any help will be greatly appreciated.
The general form of the query would be:
$sql_insert = "INSERT INTO " . WMYSQLTABLE2 . "(code, ip, date, address)
SELECT code, '$ip', '$date', '$address'
FROM OtherTable
WHERE <put something here to select the row>";
I'm building a website to learn PHP and have just built a membership app.
Here's my code to get the user cookies that I set when the user logs in, then take the business id they are associated with, called biz and look up all the details for the business with the id equal to biz, in the table named company: (btw, I know I'm using mysql but when I finalize my app, I'll switch to PDO or mysqli)
<?
$auth = $_COOKIE["auth"];
if ($auth != "1"){
header("Location: ./signin.php");
}
//Grab all the cookies
$firstname = $_COOKIE['firstname'];
$id = $_COOKIE['id'];
$fname = ucwords($_COOKIE['firstname']);
$lname = ucwords($_COOKIE['lastname']);
$email = $_COOKIE['email'];
$city = ucwords($_COOKIE['city']);
$biz = $_COOKIE['biz'];
if(!empty($biz)){
$donthaveabizyet = "false";
}
else{
include("./config.php");
$result = mysql_query("SELECT * FROM company WHERE id = '$biz'") or mysql_error();
while($row = mysql_fetch_array($result))
{
$business_name = $row['name'];
$business_phone = $row['phone'];
$business_website = $row['website'];
$business_phone = $row['phone'];
$business_cat1 = $row['cat1'];
$business_cat2 = $row['cat2'];
$business_cat3 = $row['cat3'];
$business_subcat1 = $row['subcat1'];
$business_subcat2 = $row['subcat2'];
$business_subcat3 = $row['subcat3'];
$business_email = $row['email'];
$business_product1 = $row['product1'];
$business_product2 = $row['product2'];
$business_product3 = $row['product3'];
$business_product4 = $row['product4'];
$business_product5 = $row['product5'];
$business_product6 = $row['product6'];
$business_product7 = $row['product7'];
$business_noaddress = $row['noaddress'];
$business_address = $row['address'];
$business_address2 = $row['address2'];
$business_zipcode = $row['zipcode'];
$business_city = $row['city'];
}
$result = mysql_query("SELECT * FROM company_secondary WHERE company_id = '$biz'") or mysql_error();
while($row = mysql_fetch_array($result))
{
$business_description = $row['company_description'];
$business_since = $row['phone'];
$business_logo = $row['logo'];
$business_since = $row['since'];
$business_smoking = $row['smoking'];
$business_delivery = $row['delivery'];
$business_alcohol = $row['alcohol'];
$business_kids = $row['kids'];
$business_wheelchair = $row['wheelchair'];
$business_twitter = $row['twitter'];
$business_facebook = $row['facebook'];
$business_youtube = $row['youtube'];
$business_creditcards = $row['creditcards'];
$business_outdoor = $row['outdoor'];
$business_featured = $row['featured'];
}
}
?>
Now I show a link to claim.php if the user's business id is equal to 0, or if the user's business id is set, I show the name of the business.
<?php
if($donthaveabizyet != "false")
{
echo "<br/><br/>You haven't claimed a business yet. <a href='claim.php'>Click here to claim one now.</a>";
}
else
{
echo $business_name;
}
?>
Unfortunately, $business_name isn't displaying, and the error is Notice: Undefined variable: business_name. Why is business_name not set?
Big thanks for all help!!
while($row = mysql_fetch_array($result))
{
is causing your problem. Change it to
while($row = mysql_fetch_assoc($result))
{
This is because fetch_array creates an array with numeric indexes ($array[1], $array[2], etc.). fetch_assoc makes the indexes the same as the column names ($array['this'], $array['that'], etc.)