SQLi prevention is not working
Posted: Sat Oct 24, 2009 9:19 am
Hello gurus, I have come into a security problem, I believe, with preventing people from using SQL injection on my site. When an ID is generated I use a piece of code to clean the data to prevent things such as "ID='1". This has worked on all my other pages except one, which is where I need your help. Here is the code.
Code:
<?php
# connect to the database
mysql_connect('7-----1','-------','---------');
mysql_select_db('-----------');
session_start();
$my_id = trim(' ' . @$_GET['ID']); // will always return a result -- uses '
// sanitize/clean data value: check for integer value, generate the corresponding string
if ('' < $my_id) {
    $my_id = (int) $my_id;          // extract integer value -- uses '
    if (0 == $my_id) {
        $my_id = '';                // handle as empty -- uses '
    } else {
        $my_id = "$my_id";          // uses "
    }
}
if ('' == $my_id) {
    // handle the case where no ?ID= present
} else {
    // we have an ID=some integer > 0
    $result = mysql_query("SELECT * FROM `fulldata` WHERE job_id = '$my_id'") // This will return one result
        or die(mysql_error());
}
if (mysql_num_rows($result) == 1) { // Checks only 1 row was returned
    $row = mysql_fetch_array($result);
?>
Now from what I understand from injection, little kids will use
to get an exploitation and receive an error message, which is what happens when "jobinfo.php?ID='1" is typed.
The error message is:
Code:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/fhlinux130/m/mysite.com/user/htdocs/jobinfo.php on line 29
I can understand why the error message is there, but I thought my code would prevent it. Is this a real exploit or am I being over sensitive?
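The warning in the post comes from the posted code's own control flow, not from anything reaching the database: `(int) "'1"` evaluates to 0, so `$my_id` is reset to `''`, the query in the `else` branch is skipped, and `mysql_num_rows()` is then handed the never-assigned `$result`. The integer cast does keep quoting out of the SQL string for this query; what is missing is a path that never touches `$result` when no valid ID arrived. The following is an added example (not the poster's code) of the same `fulldata` / `job_id` lookup written so that the result is always defined and the ID travels as a bound parameter instead of being spliced into the query string. The DSN, user and password are placeholders, and the `http_response_code`/`echo` handling at the end is an assumed stand-in for whatever jobinfo.php renders.

```php
<?php
// Added example: job lookup with a prepared statement and a defined-result guard.
// Assumptions: PDO with the pdo_mysql driver; DB_HOST/DB_NAME/DB_USER/DB_PASSWORD are placeholders.
declare(strict_types=1);

session_start();

$pdo = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepare; the driver never builds the SQL string client-side
    ]
);

// Validate the ID as a positive integer. filter_var() returns false for "'1", "1 OR 1=1", "" and similar,
// so there is exactly one path into the query and it carries an int.
$my_id = filter_var($_GET['ID'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

$row = null; // always defined, so later code can never touch an unset variable
if ($my_id !== false) {
    // The placeholder is sent to MySQL separately from the value; quoting in the input is irrelevant.
    $stmt = $pdo->prepare('SELECT * FROM `fulldata` WHERE job_id = :id');
    $stmt->bindValue(':id', $my_id, PDO::PARAM_INT);
    $stmt->execute();
    $fetched = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
    if ($fetched !== false) {
        $row = $fetched;
    }
}

if ($row === null) {
    // Covers both "no ?ID=" and "ID was not a valid integer" without a warning or an error page.
    http_response_code(404);
    echo 'No such job.';
    exit;
}

// Output-encode anything echoed back into HTML.
echo htmlspecialchars((string) $row['job_id'], ENT_QUOTES, 'UTF-8');
```

With `ATTR_EMULATE_PREPARES` off, the query text and the bound value are sent to the server in separate protocol messages, so the structure of the statement is fixed before any user data is seen; the integer validation is then defense in depth and input hygiene rather than the only barrier, which is the property the posted `(int)` cast was relying on alone.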