sql injection

Discussion in 'PHP' started by dean5000v, Feb 9, 2009.

  1. #1
    Could someone help me fix the SQL injection within this cart script? When you insert a ' into the cart it chucks out a SQL error at you, and it doesn't go away until you destroy your session, so I'm guessing it's the variables stored within the session that need to be sanitized, but I can't find them! Here are the files:

    <?php 
    	function showCart() {
    	global $db;
    	$output = array(); // initialise so both branches below can append to it
    	$total = 0;        // running grand total, incremented per line item
    	$cart = $_SESSION['cart'];
    	if ($cart) {
    		$items = explode(',',$cart);
    		$contents = array();
    		foreach ($items as $item) {
    			$contents[$item] = (isset($contents[$item])) ? $contents[$item] + 1 : 1;
    		}
    		$output[] = '<form action="cart.php?action=update" method="post" id="cart">';
    		$output[] = '';
    		
    		foreach ($contents as $id=>$qty) {
    			// $id is interpolated unquoted straight from the session string;
    			// an escaped quote still reaches MySQL here and breaks the query
    			$sql = 'SELECT * FROM cards WHERE id = '. $id;
    			$result = mysql_query($sql);
    			$row = mysql_fetch_assoc($result);
    			extract($row);
    			$output[] = 'Item: '.$title.'<br>';
    			$output[] = 'Unit: &nbsp;&pound;'.$price.'<br>';
    			$output[] = 'Quantity: <input type="text" name="qty'.$id.'" value="'.$qty.'" size="3" maxlength="3" /><br><br>';
    			$output[] = 'Total &pound;'.($price * $qty).'';
    			$total += $price * $qty;
    			$output[] = '<br><a href="cart.php?action=delete&id='.$id.'" class="r">Remove</a> <br><br>';
    		}
    		$output[] = '';
    		$output[] = '<p>Grand total: <strong>&pound;'.$total.'</strong></p>';
    		$output[] = '<div><button type="submit">Update cart</button></div>';
    		$output[] = '</form>';
    	} else {
    		$output[] = '<p>Your shopping cart is empty.</p>';
    	}
    	return join('',$output);
    }
    
    function writeShoppingCart() {
    	$cart = $_SESSION['cart'];
    	if (!$cart) {
    		return '<p>You have no items in your shopping cart</p>';
    	} else {
    		// Parse the cart session variable
    		$items = explode(',',$cart);
    		$s = (count($items) > 1) ? 's':'';
    		return '<p>You have <a href="cart.php">'.count($items).' item'.$s.' in your shopping cart</a></p>';
    	}
    }
    
    ?>
    <?php
    session_start();
    
    include 'includes/connect.php';
    include 'functions/shoppingcart_functions.php'; 
    
    $cart = $_SESSION['cart'];
    $action = $_GET['action'];
    $id = $_GET['id']; // read explicitly; the posted version never assigns $id, so it presumably relied on register_globals
    switch ($action) {
    	case 'add':
    		if ($cart) {
    			$cart .= ','. mysql_real_escape_string($id);
    		} else {
    			$cart = mysql_real_escape_string($id);
    		}
    		break;
    	case 'delete':
    		if ($cart) {
    			$items = explode(',',$cart);
    			$newcart = '';
    			foreach ($items as $item) {
    				if (mysql_real_escape_string($_GET['id']) != $item) {
    					if ($newcart != '') {
    						$newcart .= ','.$item;
    					} else {
    						$newcart = $item;
    					}
    				}
    			}
    			$cart = $newcart;
    		}
    		break;
    	case 'update':
    		if ($cart) {
    			$newcart = '';
    			foreach ($_POST as $key=>$value) {
    				if (stristr($key,'qty')) {
    					$id = str_replace('qty','',$key);
    					$items = ($newcart != '') ? explode(',',$newcart) : explode(',',$cart);
    					$newcart = '';
    					foreach ($items as $item) {
    						if ($id != $item) {
    							if ($newcart != '') {
    								$newcart .= ','.$item;
    							} else {
    								$newcart = $item;
    							}
    						}
    					}
    					for ($i=1;$i<=$value;$i++) {
    						if ($newcart != '') {
    							$newcart .= ','.$id;
    						} else {
    							$newcart = $id;
    						}
    					}
    				}
    			}
    			$cart = $newcart; // assigned inside the if, so an empty cart is not overwritten with an undefined $newcart
    		}
    		break;
    }
    $_SESSION['cart'] = $cart;
    
    ?>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    	
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    	<title>PHP Shopping Cart Demo · Cart</title>
    	<link rel="stylesheet" href="css/styles.css" />
    </head>
    
    <body>
    
    <div id="shoppingcart">
    
    <h1>Your Shopping Cart</h1>
    
    <?php
    echo writeShoppingCart();
    ?>
    
    </div>
    
    <div id="contents">
    
    <h1>Please check quantities...</h1>
    
    <?php
    
    echo showCart();
    
    ?>
    
    <p><a href="index.php">Back to your website...</a></p>
    
    </div>
    
    </body>
    </html>
    <?php 
    session_start();
    include 'includes/connect.php'; 
    
    function writeShoppingCart() {
    	$cart = $_SESSION['cart'];
    	if (!$cart) {
    		return '<p>You have no items in your shopping cart</p>';
    	} else {
    		// Parse the cart session variable
    		$items = explode(',',$cart);
    		$s = (count($items) > 1) ? 's':'';
    		return '<p>You have <a href="cart.php">'.count($items).' item'.$s.' in your shopping cart</a></p>';
    	}
    }
    
    echo writeShoppingCart();
    ?> 
    
    <?php
    $sql = 'SELECT * FROM cards ORDER BY id';
    $result = mysql_query($sql);
    
    $output[] = '';
    
    while ($row = mysql_fetch_assoc($result)) {
    	$output[] = ''.$row['title'].' <br> Item code:'.$row['id'].'<br>Price: &pound;'.$row['price'].'<br /><a href="cart.php?action=add&id='.$row['id'].'">Add to cart</a><br><br>';
    }
    $output[] = '';
    echo join('',$output);
    ?>
    
    dean5000v, Feb 9, 2009 IP
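A hardened showCart, added here as an example and not part of dean5000v's files: ids read back from the session are validated as positive integers before use, and the card lookup is a PDO prepared statement with the id bound as an integer, so a stray ' never reaches MySQL. $db is assumed to be a PDO connection (the originals use the mysql_* extension); the same validation belongs in cart.php before an id is appended to $_SESSION['cart'].

```php
<?php
// Added example, not the thread's code. Assumes $db is a PDO connection
// (the original uses mysql_*); table `cards` and columns id/title/price
// are the ones the thread's queries use.
// Turn the comma-separated session cart into array(id => qty), dropping
// anything that is not a positive integer. This is the check the original
// lacks: escaping quotes does nothing for an unquoted number in "WHERE id = $id".
function parseCart($cart) {
    $contents = array();
    foreach (explode(',', (string)$cart) as $item) {
        if (!preg_match('/^[1-9][0-9]*$/', $item)) {
            continue; // drop malformed ids instead of letting them reach SQL
        }
        $id = (int)$item;
        $contents[$id] = isset($contents[$id]) ? $contents[$id] + 1 : 1;
    }
    return $contents;
}

// Look up one card with a prepared statement; the id is bound as an
// integer parameter, so it never becomes part of the SQL text.
function fetchCard(PDO $db, $id) {
    $stmt = $db->prepare('SELECT id, title, price FROM cards WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no such card exists
}

function showCart(PDO $db) {
    $contents = parseCart(isset($_SESSION['cart']) ? $_SESSION['cart'] : '');
    if (!$contents) {
        return '<p>Your shopping cart is empty.</p>';
    }
    $output = array('<form action="cart.php?action=update" method="post" id="cart">');
    $total = 0;
    foreach ($contents as $id => $qty) {
        $row = fetchCard($db, $id);
        if ($row === false) continue; // id not in the catalogue
        // Escape on output too; the title is database data, but treat it as untrusted.
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        $output[] = 'Item: ' . $title . '<br>';
        $output[] = 'Quantity: <input type="text" name="qty' . $id . '" value="' . $qty . '" size="3" maxlength="3" /><br>';
        $total += $row['price'] * $qty;
    }
    $output[] = '<p>Grand total: <strong>&pound;' . number_format($total, 2) . '</strong></p>';
    $output[] = '<div><button type="submit">Update cart</button></div></form>';
    return join('', $output);
}
```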
  2. tihan

    #2
    Try replacing ' in the variable before the SQL query: $var = str_replace("'","",$var);
     
    tihan, Feb 11, 2009 IP
  3. Singhals

    #3
    Use $_POST['variable'] = (int)abs($_POST['variable']); on all the posted numbers and all will be solved.

    You can also use $var = str_replace("=","",$var); as many injections contain an = sign.
     
    Singhals, Feb 12, 2009 IP
  4. SiteTalkZone

    #4
    function dbin($string){
    	// undo the escaping magic_quotes_gpc adds to request data, then escape once for MySQL
    	if (get_magic_quotes_gpc())
    		$string = stripslashes($string);
    	// return mysql_real_escape_string($string); // connection-aware variant, needs an open link
    	return mysql_escape_string($string);
    }
    function dbout($string, $multiline = false, $entities = true){
    	// strip stored slashes and optionally HTML-encode the value for display
    	if ($multiline){
    		if ($entities){
    			return nl2br(htmlentities(stripslashes($string)));
    		}else{
    			return nl2br(stripslashes($string));
    		}
    	}else{
    		if ($entities){
    			return htmlentities(stripslashes($string));
    		}else{
    			return stripslashes($string);
    		}
    	}
    }
     
    SiteTalkZone, Feb 12, 2009 IP