14 posts
  • 2 Years of Membership
  • Collector Level 4
  • Exclusive Author
  • United States
ameero
says

I know this is not the best place to ask for help, but I'm trying to find any possible solutions.

I recently asked a freelancer to create a script for me. However, this guy has no knowledge of protection.

I have an issue where there is a PHP page pulling categories from the database.

There is only one SQL query (a select query); however, the categories will be like this in a URL: www.yourdomain.com/catgories.php?catgid=2

I recently found a blind SQL injection and a POST header attack as threats on this page. I found them using a web vulnerability scanner.

I added mysql_real_escape_string to stop malicious injections, but that doesn't seem to help.

When I do this, for example www.domain.com/catgries.php?catgid=2(and add here anything), an error message appears on screen saying expected parameter to be etc.

Well, maybe there are experienced developers here who can help me, so please, if you know what I mean, try to help me.

Note: I've been searching all over and found out how to use mysqli and real escape string, but I couldn't use PDO because each time I try to connect to the database using PDO it never gets connected. I don't know why.

Also id=malicious code; I don't know if the solution is in the query but maybe some other thing.

thanks

202 posts
  • Exclusive Author
  • Affiliate Level 1
  • Author Level 3
  • Collector Level 1
ArashFarivar
says

I think the 'catgid' must be a number. If so, you can check it first to see if it's a number. If not, die() or redirect somewhere else. :)

14 posts
  • 2 Years of Membership
  • Collector Level 4
  • Exclusive Author
  • United States
ameero
says

What is the exact code to do this?

I only have little knowledge of this :)

202 posts
  • Exclusive Author
  • Affiliate Level 1
  • Author Level 3
  • Collector Level 1
ArashFarivar
says

Well, I myself have used this:

// If the 'catgid' is not in the url (for example "www.domain.com/catgries.php")
if(!isset($_GET['catgid']))
    die();

// If the 'catgid' is not a number
if(!is_numeric($_GET['catgid']))
    die();

// If code passes to here, the 'catgid' exists and it's a number... Safe to use.
// Here we check if this category really exists (people can enter other numbers for catgid in the url..)
// $con is the mysqli connection opened earlier in the script
$Query="select * from category where id='".$_GET['catgid']."' limit 1";
$result=mysqli_query($con,$Query);
if(mysqli_num_rows($result)==0) // if category with this id doesn't exist, stop
    die();

I hope it helps :)

267 posts
  • Freebie
  • Exclusive Author
  • Affiliate Level 2
  • Author Level 5
huykhong
says

Check is_numeric first; it worked for me. And use PDO :)

14 posts
  • 2 Years of Membership
  • Collector Level 4
  • Exclusive Author
  • United States
ameero
says

Well, I myself have used this:

// If the 'catgid' is not in the url (for example "www.domain.com/catgries.php")
if(!isset($_GET['catgid']))
die();

// if the 'catgid' is not a number
if(!is_numeric($_GET['catgid']))
die();

(// Up to here is what I need to add? \\)
(// Why did you run the query again down here??? \\)

// if code passes to here, so the 'catgid' exists and it's a number... Safe to use.
// Here we check if this category really exists (people can enter other numbers for catid in the url..)
$Query="select * from category where id='".$_GET['catgid']."' limit 1";
$result=mysqli_query($con,$Query);
if(mysqli_num_rows($result)==0) // if category with this id doesn't exist, stop
die();

I hope it helps :)

14 posts
  • 2 Years of Membership
  • Collector Level 4
  • Exclusive Author
  • United States
ameero
says

Check is_numeric first, worked for me. And use PDO :)

Can you show me a PDO example for this and is_numeric :) ? $sql="select * from groups where catgId =".mysql_real_escape_string($catgId)." order by size desc";

Also, I know PDO doesn't connect on my server; I don't know why? It's installed fine though.

mysqli works, but it shows a problem:

In each category there is a list of items; the category is showing but the items are not showing, it just says "query was empty".
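An added example, not code posted by anyone in this thread, answering the request above for a PDO version of the `groups` query together with the integer check. It assumes the `groups` table has columns `catgId`, `name` and `size` (only `catgId` and `size` appear in the thread), and it uses a constructed in-memory SQLite table so it runs offline; the MySQL connection string it would use on the real site is given in a comment.

```php
<?php
// Added example (not the thread's own code): validate catgid as a positive
// integer, then run the thread's "groups" query as a PDO prepared statement.
declare(strict_types=1);

// Returns a positive int, or null for anything else.
// Rejects "2' and true", " 123bla", "2.5", "hallo" and "0" outright, instead of
// silently truncating them the way (int) or intval() would.
function parseCategoryId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The query from the thread as a prepared statement: the id travels to the
// server as a bound parameter, never as part of the SQL text, so no escaping
// function is involved at all. Backticks around "groups" because it is a
// reserved word in MySQL 8 (SQLite accepts backticks too).
function fetchGroupsForCategory(PDO $db, int $catgId): array
{
    $stmt = $db->prepare('SELECT * FROM `groups` WHERE catgId = :catgId ORDER BY size DESC');
    $stmt->bindValue(':catgId', $catgId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo on a constructed in-memory SQLite table (assumption: pdo_sqlite is loaded) ---
// On the real site the DSN would be something like
//   new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'user', 'pass', $options);
// Throwing on error is what shows *why* a PDO connection fails instead of failing silently.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE `groups` (id INTEGER PRIMARY KEY, catgId INTEGER, name TEXT, size INTEGER)');
$db->exec("INSERT INTO `groups` (catgId, name, size) VALUES (2, 'alpha', 10), (2, 'beta', 30), (3, 'gamma', 5)");

// Constructed sample inputs standing in for $_GET['catgid'] ?? null
foreach (['2', "2' and true", ' 123bla', 'hallo', '0'] as $input) {
    $id = parseCategoryId($input);
    if ($id === null) {
        echo 'catgid=' . var_export($input, true) . " rejected\n";
        continue;
    }
    $rows = fetchGroupsForCategory($db, $id);
    echo "catgid=$id -> " . count($rows) . ' row(s): ' . implode(', ', array_column($rows, 'name')) . "\n";
}
```

In the page itself the call is `parseCategoryId($_GET['catgid'] ?? null)`, and a `null` result is where the `die()` or redirect from the earlier replies belongs. With `ERRMODE_EXCEPTION` set, a connection that "never gets connected" raises a `PDOException` whose message names the actual cause (wrong host, wrong credentials, missing driver), which is the first thing to read when debugging the PDO problem mentioned above.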

321 posts
  • 1 Year of Membership
  • Author Level 3
BizLogic
says
$id = (int)$_GET['catgid'];
14 posts
  • 2 Years of Membership
  • Collector Level 4
  • Exclusive Author
  • United States
ameero
says

$id = (int)$_GET['catgid'];

I'm really not good at PHP, can you explain this :) ?

296 posts
  • Weekly Top Seller
  • Top Monthly Author
  • Featured Author
  • 6 Years of Membership
themac
says
$id = (int)$_GET['catgid'];
or

$id = intval($_GET['catgid']);
will turn the catgid into an integer if possible

"hallo" -> 0
"2' and true" -> 2
" 123bla" -> 123
2 -> 2
b2 -> 0
2.5 -> 2
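An added example, not themac's code, that runs the conversions listed above over the same inputs (plus a few constructed extras such as "1e3" and "007") and sets them beside `is_numeric()` and `filter_var()` with `FILTER_VALIDATE_INT`. It makes the difference between coercing a value to an integer and validating that it is one visible: the cast and `intval()` keep the leading digits and discard the rest, `is_numeric()` accepts floats and exponents, and only the validating filter rejects everything that is not a clean integer.

```php
<?php
// Added example (not from the thread): compare the checks discussed above on
// the same raw query-string values. Runs on PHP 7.1+ / 8.x with no extensions.
declare(strict_types=1);

function describe(string $raw): array
{
    $strict = filter_var($raw, FILTER_VALIDATE_INT);
    return [
        'input'      => $raw,
        '(int)'      => (int)$raw,        // coercion: leading digits kept, rest dropped
        'intval'     => intval($raw),     // same rules as the cast
        'is_numeric' => is_numeric($raw), // true for "2.5", "1e3", leading whitespace
        'validate'   => $strict === false ? 'rejected' : $strict, // clean integers only
    ];
}

// Inputs from themac's post plus constructed extras
$inputs = ['hallo', "2' and true", ' 123bla', '2', 'b2', '2.5', '1e3', '007'];

printf("%-16s %6s %6s %10s %9s\n", 'input', '(int)', 'intval', 'is_numeric', 'validate');
foreach ($inputs as $raw) {
    $d = describe($raw);
    printf("%-16s %6d %6d %10s %9s\n",
        var_export($raw, true),
        $d['(int)'],
        $d['intval'],
        $d['is_numeric'] ? 'true' : 'false',
        $d['validate']);
}
// Expected rows, for example:
//   "2' and true"  ->  2      2   false   rejected
//   " 123bla"      ->  123    123 false   rejected
//   "2.5"          ->  2      2   true    rejected
//   "1e3"          ->  1000   1000 true   rejected   (PHP 7.1+ reads the exponent)
//   "007"          ->  7      7   true    rejected   (leading zeros not allowed by the filter)
```

For a database id, the practical consequence is that `(int)` is enough to make the value safe to place in SQL, but it also quietly turns a tampered URL into a valid one. Validating with `FILTER_VALIDATE_INT` (and a prepared statement for the query itself) lets the page refuse the tampered request instead, which is also what makes it easier to spot such requests in the logs.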
