server blocking script - sql injection

Posted: Wed May 02, 2007 3:23 am
by mikeeeeeeey
Hi guys,

Having a bit of a problem getting this form to work. It's basically an adding page for a CMS, but depending on what sort of text you enter into one of the fields, it generates an SQL injection and this is blocked by the server, so I can't get the form to submit.

I've escaped just about everything, but I'm running out of ideas. It would be great if someone could point me in the direction of where I'm going wrong.

Here's my code:

switch ($_POST['which'])
{
	case 'user':
		$sub_section = mysql_real_escape_string($_POST['newSubSection']);
	break;
	case 'preset':
		$sub_section = mysql_real_escape_string($_POST['search']);
	break;
}
$title   = mysql_real_escape_string($_POST['title']);
$summary = mysql_real_escape_string(nl2br($_POST['summary']));
$article = mysql_real_escape_string(nl2br($_POST['article']));
$cleanI  = mysql_real_escape_string($_FILES['image']['name']);
$image   = mysql_real_escape_string($_POST['s'] . "-" . $sub_section . "-" . $_FILES['image']['name']);
$orient  = mysql_real_escape_string($_POST['whichway']);
$date    = mysql_real_escape_string($_POST['date_year'] . $_POST['date_month'] . $_POST['date_day']);

$newCover = 0;
if ($_POST['submit'] == "add" && $title != NULL && $sub_section != NULL)
{

	$isCov = "SELECT * FROM " . mysql_real_escape_string($_POST['s']) . " WHERE cover = 1";
	$findCov = mysql_query($isCov);
	if (mysql_num_rows($findCov) == 1 && mysql_real_escape_string($_POST['isChecked']) == 1)
	{
		$blnkCov = "UPDATE " . mysql_real_escape_string($_POST['s']) . " SET cover=0 WHERE cover =1";
		$wipe = mysql_query($blnkCov);
		$newCover = 1;
	}
	else
	{
		$newCover = 0;	
	}
	

	if($_POST['s'] == "news"){
		$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,date,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $date . "','" . $summary . "','" . $article . "','";
		if($cleanI != NULL){
		  $sql .= $image;
		}
		// the cover flag computed above is $newCover; $cover was never defined
		$sql .= "','" . $newCover . "','" . $orient . "')";
	}else{
		$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $summary . "','" . $article . "','";
		if($cleanI != NULL){
		  $sql .= $image;
		}
		$sql .= "','" . $newCover . "','" . $orient . "')";
	}
	
	$query = mysql_query($sql);
	
	if ($cleanI != NULL)
	{
			move_uploaded_file($_FILES['image']['tmp_name'], "bg_images/" . $_POST['s'] . "/" . $image)
			or die("Could not copy " . $image . "<br/>");
	}
	
	if(mysql_affected_rows() == 1)
	{
		$link = "admin.php";
		echo "Success.<br/>The New Page entitled <strong>" . $title . "</strong> has been added to the section <strong>" . ucwords(str_replace("_"," ",$_POST['s'])) . "</strong>.";
		if ($newCover == 1)
		{
			echo "<br/>This item is also the new <strong>cover page</strong>.";
		}
		echo "<br/><br/><br/><a class=\"box\" href=\"admin.php?s=" . $_POST['s'] . "\"><img src=\"images/submit.jpg\" alt=\"proceed\" border=\"0\" /></a>";
	}
	else
	{
		echo "The database has not been updated.";
	}
}
Thanks in advance guys.

Posted: Wed May 02, 2007 7:17 am
by feyd
I'm going to guess it hates $_POST['s']?

Posted: Wed May 02, 2007 10:55 am
by mikeeeeeeey
yupppp got it in one chief.

you think if I just make vars out of the SGA's (POST, GET etc.) it will like me better? :D

Posted: Wed May 02, 2007 11:15 am
by feyd
Not in the slightest. Why are you accepting user submitted information to choose the table, directly?

Posted: Wed May 02, 2007 11:22 am
by mikeeeeeeey
It's not user submitted information, it's a var that comes from the URL telling the page which table to update.
Obviously this var has such a limited scope in order to use it once the form has been submitted I need to store it somewhere (in hidden fields).

I'm starting to notice that this probably isn't the best way to do this?

Posted: Wed May 02, 2007 11:24 am
by feyd
Considering it is $_POST['s'], that denotes that it came from a form submission. This form submission is entirely user controlled, and therefore a user can choose to insert data into any table they wish that the user you are logging into the database can insert records into. Be very careful.

Posted: Wed May 02, 2007 11:31 am
by mikeeeeeeey
ahhhhh right.
that is rather silly, I should probably fix this.

the only problem is...where do I store this? in a session? hmm....
I shall try the session.

unless you have any other suggestions, thanks feyd. you're like my fairy code-mother :D
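Feyd's point worked through as an added example (not code from the thread): the submitted section key is only ever used as an index into a fixed whitelist, and the row values are bound to placeholders instead of being escaped into the SQL string. The section names other than 'news', the DB credentials and the column list beyond what the thread's INSERT shows are assumptions.

```php
<?php
// Added example, not code from the thread. $_POST['s'] (the hidden-field section key from
// the original form) never reaches SQL or the filesystem directly: it is only used to look
// up a developer-chosen table name. Sections other than 'news' and the DB credentials are assumed.
$allowedSections = [
    'news'     => 'news',
    'features' => 'features',
];

// Map a submitted section key to a real table name; null means "not a known section".
function sectionTable(array $allowed, $key)
{
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        return null;
    }
    return $allowed[$key];
}

session_start();
// The key may come from the hidden field or from the session the poster planned to use;
// either way it is validated again here, at the point of use.
$sectionKey = $_POST['s'] ?? ($_SESSION['s'] ?? null);
$table = sectionTable($allowedSections, $sectionKey);
if ($table === null) {
    http_response_code(400);
    exit('Unknown section.');
}

// Values never touch the SQL string: they are bound to placeholders, so no escaping
// function has to be right. Only the whitelisted identifier is interpolated, in backticks.
$db   = new mysqli('localhost', 'cms_user', 'placeholder-password', 'cms');
$stmt = $db->prepare(
    "INSERT INTO `$table` (sub_section, title, summary, article, image, cover, oreintation)"
    . " VALUES (?, ?, ?, ?, ?, ?, ?)"
);
$subSection = $_POST['newSubSection'] ?? '';
$title      = $_POST['title'] ?? '';
$summary    = nl2br($_POST['summary'] ?? '');
$article    = nl2br($_POST['article'] ?? '');
$image      = basename($_FILES['image']['name'] ?? '');   // drop any directory part
$newCover   = 0;
$orient     = $_POST['whichway'] ?? '';
$stmt->bind_param('sssssis', $subSection, $title, $summary, $article, $image, $newCover, $orient);
$stmt->execute();

// The same whitelisted name also picks the upload directory, so the raw $_POST['s'] that the
// original code concatenated into "bg_images/" . $_POST['s'] . "/" no longer shapes a path.
if ($image !== '') {
    move_uploaded_file($_FILES['image']['tmp_name'], "bg_images/$table/$image");
}
```

The whitelist is the actual control here; the backticks are only belt-and-braces, since a name that is not in the array never gets that far.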