server blocking script - sql injection
Posted: Wed May 02, 2007 3:23 am
Hi guys,
Having a bit of a problem getting this form to work. Its basically an adding page for a CMS, but depending on what sort of text you enter into one of the fields, it generates an SQL injection and this is blocked by the server, so I can't get the form to submit.
I've escaped just about everything, but I'm running out of ideas. It would be great if someone could point me in the direction of where I'm going wrong.
Here's my code:
Thanks in advance guys.
Having a bit of a problem getting this form to work. Its basically an adding page for a CMS, but depending on what sort of text you enter into one of the fields, it generates an SQL injection and this is blocked by the server, so I can't get the form to submit.
I've escaped just about everything, but I'm running out of ideas. It would be great if someone could point me in the direction of where I'm going wrong.
Here's my code:
Code: Select all
switch ($_POST['which'])
{
case 'user':
$sub_section = mysql_real_escape_string($_POST['newSubSection']);
break;
case 'preset':
$sub_section = mysql_real_escape_string($_POST['search']);
break;
}
$title = mysql_real_escape_string($_POST['title']);
$summary = mysql_real_escape_string(nl2br($_POST['summary']));
$article = mysql_real_escape_string(nl2br($_POST['article']));
$cleanI = mysql_real_escape_string($_FILES['image']['name']);
$image = mysql_real_escape_string($_POST['s'] . "-" . $sub_section . "-" . $_FILES['image']['name']);
$orient = mysql_real_escape_string($_POST['whichway']);
$date = mysql_real_escape_string($_POST['date_year'] . $_POST['date_month'] . $_POST['date_day']);
$newCover = 0;
if ($_POST['submit'] == "add" && $title != NULL && $sub_section != NULL)
{
$isCov = "SELECT * FROM " . mysql_real_escape_string($_POST['s']) . " WHERE cover = 1";
$findCov = mysql_query($isCov);
if (mysql_num_rows($findCov) == 1 && mysql_real_escape_string($_POST['isChecked']) == 1)
{
$blnkCov = "UPDATE " . mysql_real_escape_string($_POST['s']) . " SET cover=0 WHERE cover =1";
$wipe = mysql_query($blnkCov);
$newCover = 1;
}
else
{
$newCover = 0;
}
if($_POST['s'] == "news"){
$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,date,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $date . "','" . $summary . "','" . $article . "','";
if($cleanI != NULL){
$sql .= $image;
}
$sql .= "','" . $cover . "','" . $orient . "')";
}else{
$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $summary . "','" . $article . "','";
if($cleanI != NULL){
$sql .= $image;
}
$sql .= "','" . $cover . "','" . $orient . "')";
}
$query = mysql_query($sql);
if ($cleanI != NULL)
{
move_uploaded_file($_FILES['image']['tmp_name'], "bg_images/" . $_POST['s'] . "/" . $image)
or die("Could not copy " . $image . "<br/>");
}
if(mysql_affected_rows() == 1)
{
$link = "admin.php";
echo "Success.<br/>The New Page entitled <strong>" . $title . "</strong> has been added to the section <strong>" . ucwords(str_replace("_"," ",$_POST['s'])) . "</strong>.";
if ($newCover == 1)
{
echo "<br/>This item is also the new <strong>cover page</strong>.";
}
echo "<br/><br/><br/><a class=\"box\" href=\"admin.php?s=" . $_POST['s'] . "\"><img src=\"images/submit.jpg\" alt=\"proceed\" border=\"0\" /></a>";
}
else
{
echo "The database has not been updated.";
}
}