
How to prevent SQL Injection via the array parameter? (CVE-2017-14069)

Discussion in 'Site & Server Administration' started by postcd, Oct 13, 2020.

  1. #1
    Hello, this page suggests that the sql_query

    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")")or sqlerr(__FILE__, __LINE__);

    is vulnerable to a SQL injection "via the usernw array parameter to nowarn.php."
    and the exploit is suggested:

    POST nowarned=nowarned&usernw[]=(select*from(select sleep(10))x)

    Please, how should that sql_query look so that it prevents the abuse?
     
    postcd, Oct 13, 2020 IP
  2. JEET (Notable Member)
    #2
    I am thinking that the "id" field will be a numeric field.

    So instead of doing an implode inside the query itself, do a check before sending the data to the query, something like:

    $d = $_POST['usernw'];
    if (is_array($d)) {

        // Drop every element that is not numeric before it can reach the query.
        foreach ($d as $k => $kk) {
            if (!is_numeric($kk)) { unset($d[$k]); }
        }

        if (sizeof($d) > 0) {
            $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $d) . ")") or sqlerr(__FILE__, __LINE__);
        } // $d is empty after checks

    } // POST is not an array
     
    JEET, Oct 14, 2020 IP
  3. postcd (Well-Known Member)
    #3
    Thank you, I have found one person who would do it like this, turn:
    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")")or sqlerr(__FILE__, __LINE__);
    into:
    $r = sql_query("SELECT modcomment FROM users WHERE id IN (" . sqlesc(implode(", ", $_POST[usernw]) ). ")")or sqlerr(__FILE__, __LINE__);

    That seems simpler than @JEET's way. Feedback is welcome.
     
    postcd, Oct 15, 2020 IP
    JEET likes this.
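Added example, not code from this thread and not the affected project's own code: it takes the approach from post #2 (check that every usernw element is a whole number before it touches the query) and combines it with a prepared statement that has one placeholder per id, which answers the question in post #1 and is an alternative to escaping the imploded string as in post #3. It assumes a PDO connection $pdo and the users(id, modcomment) columns implied by the quoted query; the function names filterUserIds and fetchModComments and the sample request are constructed for this example. The sqlesc function from post #3 is not defined on this page and is not reproduced here.

```php
<?php
// Added example; not the thread's code and not the affected project's code.
// Assumed: a PDO connection $pdo, a `users` table with an integer `id` key
// and a `modcomment` column, as in the query quoted in post #1.
declare(strict_types=1);

/**
 * Keep only elements that are whole non-negative integers, returned as ints.
 * Everything else, including the sleep() payload quoted in post #1, is dropped,
 * so the user never supplies SQL syntax, only values.
 */
function filterUserIds($raw): array
{
    if (!is_array($raw)) {          // usernw sent as a scalar, or missing
        return [];
    }
    $ids = [];
    foreach ($raw as $value) {
        // Only plain digit strings pass: no whitespace, signs, decimals,
        // exponents or nested arrays. Length cap keeps the value in int range.
        if (is_string($value) && preg_match('/\A[0-9]{1,18}\z/', $value)) {
            $ids[] = (int) $value;
        } elseif (is_int($value) && $value >= 0) {
            $ids[] = $value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch id => modcomment for the given ids with a prepared statement.
 * One "?" placeholder per id; each id is bound as an integer parameter.
 */
function fetchModComments(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];                  // an IN () clause would be a syntax error
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, modcomment FROM users WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed sample request mirroring the shape from post #1: the injected
// element sits alongside two legitimate ids.
$samplePost = ['usernw' => ['42', '(select*from(select sleep(10))x)', '7']];
$ids = filterUserIds($samplePost['usernw'] ?? null);
var_dump($ids); // array(2) { [0]=> int(42) [1]=> int(7) }

// With a live connection:
// $rows = fetchModComments($pdo, $ids);   // e.g. [42 => '...', 7 => '...']
```

The filter does the same job as the is_numeric() loop in post #2 but is stricter (is_numeric() also accepts forms such as "1e3" or " 5"), and the prepared statement means the query text is fixed before any user value is attached, so the shape of the IN list cannot be altered even if a future change relaxes the filter.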