handling my url Help
Hi there, I have a problem and I don't know if it affects site security or not.
I have a URL to my PHP page like this:
http://localhost/learning/view_lessons.php?sub_id=1
The page works very well anyway, but when I add / or %5c or backslashes,
like this: http://localhost/learning/view_lessons.php?sub_id=1\
I get errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\php1-7\www\learning\view_lessons.php on line 7
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\easyphp1-7\www\learning\view_lessons.php on line 175
Also, when adding %5C to my URL like this:
http://localhost/learning%5cview_lessons.php?sub_id=1
I get no images in my page and no styles either. Everything is a mess.
So if a visitor to my site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens, or get information from the errors that appear... Does anyone have a solution to this? Thx in advance
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
mysql_real_escape_string() anything before putting it in the querystring!
Okay, here's the code.
It tells me that there's an error on mysql_num_rows because the value of sub_id hasn't been posted due to invalid URL characters, but when I remove the characters that I added to the URL it works pretty well. My problem is when visitors add the characters I mentioned above.
Code:
    if (isset($_GET['sub_id'])) {
        // sub_id goes into the query text exactly as it arrived in the URL
        $ss_id = $_GET['sub_id'];
        $select = mysql_query("select * from subjects where id='$ss_id'");
        // mysql_query() returns false when the query fails, which causes the warning
        $chapternumber = mysql_num_rows($select);
        if ($chapternumber != 0) {
            while ($field = mysql_fetch_array($select)) {
                $n = $field['sub_name'];
            }
        } else {
            $n = "Subject not found";
        }
    }
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Right. $ss_id needs to be escaped.
I would recommend that you look into using a DB class. You'll find it a lot easier to work with.
Code:
    $ss_id = mysql_real_escape_string($_GET['sub_id']);
Thx very much man, it works now. But I still have something else related to the URL: it's when adding %5C instead of the / slash in the URL
http://localhost/learning%5Cview_lessons.php?sub_id=1
The result is:
no error reports, it's OK now.
No images appear, no styles.
Thx
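
An added example (not code from any poster in this thread) of handling `sub_id` without relying on escaping: the value is validated as an integer and bound to a prepared statement, and database errors go to the log rather than the page. It uses PDO with an in-memory SQLite table in place of the thread's `mysql_*` calls and MySQL table so that it runs stand-alone; `find_subject_name()` and the sample row are assumptions.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands in
// for the thread's `subjects` table; find_subject_name() is a hypothetical name.

function find_subject_name(PDO $db, $rawId): string
{
    // sub_id is a numeric key, so accept only a positive decimal integer.
    // Values such as "1\" or "1'" fail here and never reach the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Subject not found';
    }

    try {
        // The value is bound as a parameter; it is never pasted into the SQL text.
        $stmt = $db->prepare('SELECT sub_name FROM subjects WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $name = $stmt->fetchColumn();
    } catch (PDOException $e) {
        // Details go to the server log instead of the page, so no file paths
        // or query fragments are shown to the visitor.
        error_log($e->getMessage());
        return 'Temporarily unavailable';
    }

    return $name === false ? 'Subject not found' : (string) $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, sub_name TEXT)');
$db->exec("INSERT INTO subjects (id, sub_name) VALUES (1, 'Algebra')");

// Constructed inputs: the normal value, the trailing backslash from the
// thread, an id with no row, and a value with a stray quote.
foreach (['1', '1\\', '42', "1'"] as $input) {
    printf("%-8s => %s\n", var_export($input, true), find_subject_name($db, $input));
}
```
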
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Thx, I made it absolute and everything is OK. But I'm still having problems filtering the URL, as I said. I need something to filter or escape specific URL characters and prevent the mess caused by characters added to my URL, such as
I can escape these characters only if they are added to the GET variables at the end of the URL string, using the function you gave me (mysql_real_escape_string),
but when they are added in this form
http://localhost/learning%5cview_lesson ... esson_id=2
(%5C represents the backslash in the URL encoding table)
I get no images and no styles. In addition to this,
when clicking any link in the page after adding these characters, the URL will be
http://localhost/view_lessons.php?lesson_id=2 (the learning directory has gone from the URL)
and I finally get
This page cannot be displayed
HTTP 404 - File not found
I WANT A SOLUTION to get rid of these characters.
%2e%5c%2e%2e%5c%2e%2e%5c%2e
Character URL Encoded
Space %20
" %22
# %23
% %25
& %26
( %28
) %29
+ %2B
, %2C
/ %2F
: %3A
; %3B
< %3C
= %3D
> %3E
? %3F
@ %40
\ %5C
| %7C
THx in advance
Also, another fix for your original question, you could use the following:
Code:
    if (isset($_GET['sub_id'])) {
        // The (int) cast leaves only an integer value in $ss_id
        $ss_id = (int)$_GET['sub_id'];
        $select = mysql_query("select * from subjects where id='$ss_id'");
        $chapternumber = mysql_num_rows($select);
        if ($chapternumber != 0) {
            while ($field = mysql_fetch_array($select)) {
                $n = $field['sub_name'];
            }
        } else {
            $n = "Subject not found";
        }
    }
For future reference, unless someone disagrees with the above way of handling the issue. You also might find the following code snippet taken from the function mysql_real_escape_string() in the manual for escaping data before an SQL query.
Code:
    function quote_smart($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number or a numeric string
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
Once again, if anyone disagrees with the above snippet, please let me know!
Thx for the help, really good work. All problems solved except one.
stripslashes() or addslashes() works, but I need functions to replace or fix characters like %5C, %26. All those characters corrupt the page and may be used to bypass passwords. This issue is also very famous in ASP.NET and has been solved there; I need a solution in PHP.
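
An added example (not from any poster in this thread) of rejecting the request paths described above before the page runs. A browser treats `learning%5cview_lessons.php` as a single path segment, so relative links resolve against `/`, which matches the lost `learning` directory reported in the thread; `canonical_path()` and the sample request targets are assumptions.

```php
<?php
// Added example, not code from the thread. canonical_path() is a hypothetical
// helper; the sample request targets are constructed from the thread's URLs.

/**
 * Returns the decoded path when it is safe to serve, or null when the request
 * should be answered with a 404 before any page code runs.
 */
function canonical_path(string $requestUri): ?string
{
    // Only the path is checked here; query values such as sub_id are
    // validated separately where they are used.
    $rawPath = explode('?', $requestUri, 2)[0];
    $path = rawurldecode($rawPath);                    // one decoding pass

    if (strpos($path, '\\') !== false                  // "\" or %5C used as a separator
        || strpos($path, "\0") !== false               // %00
        || preg_match('/%[0-9a-f]{2}/i', $path)        // still encoded: %255c and similar
        || preg_match('#(^|/)\.\.?(/|$)#', $path)) {   // "." or ".." path segments
        return null;
    }
    return $path;
}

$samples = [
    '/learning/view_lessons.php?sub_id=1',    // normal request
    '/learning%5cview_lessons.php?sub_id=1',  // encoded backslash in the path
    '/learning/view_lessons.php?sub_id=1\\',  // backslash in the query only
    '/%2e%5c%2e%2e%5c%2e%2e%5c%2e',           // sequence quoted in the thread
    '/learning%255cview_lessons.php',         // double-encoded backslash
];
foreach ($samples as $uri) {
    $path = canonical_path($uri);
    printf("%-42s %s\n", $uri, $path === null ? 'reject with 404' : "serve $path");
}

// In a real page the check runs first, on the raw request target:
// if (canonical_path($_SERVER['REQUEST_URI']) === null) {
//     http_response_code(404);
//     exit;
// }
```

Only the first and third sample are served; the third still carries a backslash in `sub_id`, which is the query-value case handled by validating the parameter itself.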