Hello, this page suggests that the sql_query

    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")") or sqlerr(__FILE__, __LINE__);

is vulnerable to a SQL injection "via the usernw array parameter to nowarn.php." and the exploit is suggested:

    POST nowarned=nowarned&usernw[]=(select*from(select sleep(10))x)

Please, how should that sql_query look so that it prevents the abuse?
I am thinking that the "id" field will be a numeric field. So instead of doing an implode inside the query itself, do a check before sending the data to the query, something like:

    $d = $_POST['usernw'];
    if (is_array($d)) {
        foreach ($d as $k => $kk) {
            if (!is_numeric($kk)) {
                unset($d[$k]); // drop every element that is not a number
            }
        }
        if (sizeof($d) > 0) {
            $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $d) . ")") or sqlerr(__FILE__, __LINE__);
        } // $d is empty after checks
    } // POST is not an array
Thank you, I have found that one person would do it like this, turn:

    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")") or sqlerr(__FILE__, __LINE__);

into:

    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . sqlesc(implode(", ", $_POST['usernw'])) . ")") or sqlerr(__FILE__, __LINE__);

That seems simpler than @JEET's way. Feedback is welcome.
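For comparison, here is a version of the query written for this thread as an added example (not code from any poster or from nowarn.php). It validates each usernw[] element as an integer id and binds every id as a separate parameter, so a string such as the subselect quoted above never reaches the SQL text; it assumes a PDO connection in $pdo and does not use the site's sql_query()/sqlesc() helpers.

```php
<?php
// Added example: validate the usernw[] array as integer ids and bind each
// one as a query parameter, so no request value is ever concatenated into SQL.
// Assumes a PDO connection in $pdo (hypothetical; the thread's sql_query()
// and sqlesc() helpers are not used here).

/**
 * Return only the elements of $ids that are positive integers (as ints).
 * Anything else, including a subselect like the one quoted in the thread,
 * is dropped rather than passed on.
 */
function filterIntegerIds($ids): array
{
    if (!is_array($ids)) {
        return [];
    }
    $clean = [];
    foreach ($ids as $value) {
        // FILTER_VALIDATE_INT rejects "1e5", "0x1A", "1 OR 1=1" and "(select ...)"
        $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($int !== false) {
            $clean[] = $int;
        }
    }
    return array_values(array_unique($clean));
}

/**
 * Fetch modcomment rows for the given ids using one "?" placeholder per id.
 * Returns an empty array without querying when no id survives validation.
 */
function fetchModComments(PDO $pdo, $postedIds): array
{
    $ids = filterIntegerIds($postedIds);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, modcomment FROM users WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request mimicking the attempt quoted in the thread: the third
// element is not an integer and is dropped before any SQL is built.
$posted = ['12', '34', '(select*from(select sleep(10))x)'];
var_dump(filterIntegerIds($posted));
// In nowarn.php this would be: $rows = fetchModComments($pdo, $_POST['usernw'] ?? []);
```

Note that escaping the comma-joined list in one call, as in the sqlesc(implode(...)) variant, produces a single quoted string rather than a list of integers, which is why the example validates and binds each id individually instead.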