SQL Injection Question
Posted: Thu Jun 21, 2007 7:50 pm
Well, I have this piece of code which grabs some data from the database. However, I managed to figure out how to use an SQL injection to display all the users' password hashes, which is no good...
Let's assume the file is called members.php. By accessing members.php?n=<sql injection here> it will inject the SQL query and display the hashes.
$n is a variable defined in config.php, and this script does not use any GET variables where $n can be altered. $n is simply a number denoting how many installs of the software are in the same database; it is essentially used to define the proper table prefix, as you can see in the code.
My main question is WHY does this work. Also, any advice on how to fix it is appreciated.
Just as a side note, this file does not include config.php directly. Rather, it includes functions_common.php, which includes config.php, which contains the value of $n.
<?php
$c_xroot = "./../";
include ($c_xroot . "modname.php");
$onlinetime = 10;   // minutes of inactivity before a member is no longer "online"
$include = 0;       // 1 = wrap the table in the site header/footer

// functions_common.php pulls in config.php, which is where $n is defined
if ( !defined("c_COMMON_INCLUDED") ) {
    $c_root = $c_xroot;
    require_once ( $c_root . "includes/functions_common.php" );
}
if ( $include == 1 ) {
    include_once ( $c_root . "_header.php" );
}

// Both $n (used as the table prefix) and $GPC['cid'] (taken from the request)
// are concatenated straight into the SQL string without validation or escaping
if ( !defined("c_LAST_ACTIVITY") && $whoisonline == 1 && !empty($GPC['cid']) ) {
    define("c_LAST_ACTIVITY", 1);
    $cdb->query("UPDATE c".$n."_member SET lastactivity = '".time()."' WHERE memberid = '".$GPC['cid']."'");
}
?>
<table border="0" cellpadding="0" cellspacing="0" align="center">
<tr>
    <td align="center" colspan="2"><b>Activities in the last <?php echo $onlinetime; ?> minutes</b></td>
</tr>
<?php
// Same pattern: $n is interpolated into the table name of the SELECT
$query = $cdb->query("
    SELECT memberid, name, lastactivity
    FROM c".$n."_member WHERE lastactivity > ".(time() - $onlinetime * 60)."
");
if ( $cdb->num_rows($query) == 0 )
{
?>
<tr>
    <td align="center" width="100%">Nobody online right now</td>
</tr>
<?php
}
else {
    while ( $row = $cdb->fetch_array($query) ) {
        dbSelect ($row);
?>
<tr>
    <td align="left" width="70%">» <a href="modules.php?name=<?php echo $cmod; ?>&file=member&action=profile&memberid=<?php echo $row['memberid']; ?>"><?php echo $row['name']; ?></a></td>
    <td align="right" width="30%"><?php echo date("H:i",$row['lastactivity']); ?></td>
</tr>
<?php
    }
}
$cdb->free_result($query);
?>
</table>
<?php
if ( $include == 1 ) {
    include_once ( $c_root . "_footer.php" );
}
?>
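As an added example (not the poster's code, and not part of the original thread), here is how the two query-building spots above can be hardened: $n is validated as a small integer before it ever becomes part of a table name, and the request-derived member id and the time cutoff are bound as parameters instead of being concatenated. It assumes a PDO connection in $pdo to the same MySQL database; the $cdb wrapper from the post is not used.

```php
<?php
// Added example, not the forum code. Assumes $pdo is a PDO connection.

// A table name cannot be a bound parameter, so the install number must be
// strictly validated before it is used to build the prefix. Anything that is
// not one to three decimal digits is rejected outright.
function member_table($n): string
{
    if (!preg_match('/^\d{1,3}$/', (string)$n)) {
        throw new InvalidArgumentException('install number must be a small non-negative integer');
    }
    return 'c' . (int)$n . '_member';
}

// Last-activity update: the member id comes from the request, so it is bound
// with a placeholder rather than spliced into the SQL string.
function touch_last_activity(PDO $pdo, $n, string $cid): void
{
    $sql  = 'UPDATE ' . member_table($n) . ' SET lastactivity = :now WHERE memberid = :cid';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':now' => time(), ':cid' => $cid]);
}

// Who-is-online query: the cutoff timestamp is computed server-side and bound too.
function members_online(PDO $pdo, $n, int $onlinetime): array
{
    $sql  = 'SELECT memberid, name, lastactivity FROM ' . member_table($n)
          . ' WHERE lastactivity > :cutoff';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':cutoff' => time() - $onlinetime * 60]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage, with $n from config.php and $GPC['cid'] from the request:
//   touch_last_activity($pdo, $n, $GPC['cid']);
//   foreach (members_online($pdo, $n, 10) as $row) {
//       echo htmlspecialchars($row['name']);   // escape on output as well
//   }
```

Because member_table() throws on any non-numeric value, a tampered $n fails before a query is built, and the bound parameters mean $GPC['cid'] is only ever treated as data.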