need help fixing sql injection problem

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • need help fixing sql injection problem

    hello everyone back with another problem

    so i was using ezsql for parsing my database queries but found it is hack able pretty easily because it doesn't use prepared statements

    here is demo code which give problems
    PHP Code:

    $message 
    =  isset($_POST['message']) ? $db->escape($_POST['message']) : "";

    $db->query(insert message into database); 
    HTML Code:
    <form>
    <textarea name="message"></textarea>
    <button>submit</button>
    </form>
    so if is type in text area

    HTML Code:
    <script>alert('hacked');</script>
    it shows alert in browser also query is inserted in database

    now it is fixable with pdo or mysqli prepared statements but i have some other questions

    prepared statements are good for query update or delete stuff but when using count(*) its quite useless because have to count all rows after query every row from database

    can anybody guide me what im doing wrong here ??

    first i used that database class and i know real_escape_string is useless

    second i want to use prepared statements but they are overloading for some stuff

    what is good way to sanitize _POST data before inserting it into database ??

  • #2
    This ought to do the trick $db->mysqli_real_escape_sting($_POST['message']). Suppose to work fine if you're using php version 7.

    Comment


    • #3
      i will check my script again to see if real escape string fixes the problem because ezsql escape function also does escape but it is not working quite well maybe i will go pure mysqli instead of custom class

      Comment


      • #4
        mysql_real_escape_string ( ) and mysqli_real_escape_string ( ) etc... All require a default character set to work correctly. eg: UTF8
        They also do not escape html characters like htmlspecialchars ( ) .

        Comment


        • #5
          yea dont know why i trusted it lol before i used to secure it with custom function but i think i forgot to fix it before putting live
          but got good lession never leave stuff to fix it later better fix it now than wasting time later

          Comment

          Working...
          X