ameero says

I know this is not the best place to ask for help, but I'm trying to find any possible solutions.

I recently asked a freelancer to create a script for me. However, this guy has no knowledge of protection.

I have an issue where there is a PHP page pulling categories from the database.

There is only one SQL query (a select query); however, the categories will be like this in a URL: www.yourdomain.com/catgories.php?catgid=2

I recently found a blind SQL injection and a POST header attack as threats on this page. I found them using a web vulnerability scanner.

I added mysql_real_escape_string to stop malicious injections, but that seems not to be helping.

When I do this, for example www.domain.com/catgries.php?catgid=2(and add here anything), an error message appears on screen saying "expected parameter to be" etc.

Well, maybe there are experienced developers here that can help me, so if you know what I mean, please try to help me.

Note: I've been searching all over and found out how to use mysqli and real escape string, but I couldn't use PDO because each time I try to connect to the database using PDO it never gets connected. I don't know why.

Also, for id=malicious code, I don't know if the solution is in the query or maybe some other thing.

Thanks

ArashFarivar says

I think, the ‘catgid’ must be a number. If so, you can check it at the first to see if it’s a number. If not, die() or redirect somewhere else. :)

ameero says

What is the exact code to do this?

I only have a little knowledge of this :)

ArashFarivar says

Well, I myself have used this:

// If the 'catgid' is not in the url. (for example "www.domain.com/catgries.php")
if(!isset($_GET['catgid']))
die();

// if the 'catgid' is not a number
if(!is_numeric($_GET['catgid']))
die();

// if code passes to here, so the 'catgid' exists and it's a number... Safe to use.
// Here we check if this category exists really (people can enter other numbers for catid in the url..)
$Query="select * from category where id='".$_GET['catgid']."' limit 1";
$result=mysqli_query($con,$Query);
if(mysqli_num_rows($result)==0) // if category with this id doesn't exist, stop
die();

I hope it helps :)

huykhong says

Check is_numeric first, worked for me. And use PDO :)

ameero says

Well, I myself have used this:

// If the 'catgid' is not in the url. (for example "www.domain.com/catgries.php")
if(!isset($_GET['catgid']))
die();

// if the 'catgid' is not a number
if(!is_numeric($_GET['catgid']))
die();
// up to here is what I need to add?
// why did you run the query again down here???
// if code passes to here, so the 'catgid' exists and it's a number... Safe to use.
// Here we check if this category exists really (people can enter other numbers for catid in the url..)
$Query="select * from category where id='".$_GET['catgid']."' limit 1";
$result=mysqli_query($con,$Query);
if(mysqli_num_rows($result)==0) // if category with this id doesn't exist, stop
die();

I hope it helps :)

ameero says

Check is_numeric first, worked for me. And use PDO :)

Can you show me a PDO example for this and is_numeric :) ?

$sql="select * from groups where catgId =".mysql_real_escape_string($catgId)." order by size desc";

Also, I know PDO doesn't connect on my server, I don't know why? It's installed fine though.

mysqli works but it shows a problem.

In each category there is a list of items; the category is showing but the items are not showing, it just says query was empty.

BizLogic says

$id = (int)$_GET['catgid'];

ameero says

$id = (int)$_GET['catgid'];

I'm really not good at PHP, can you explain this :) ?

themac says

$id = (int)$_GET['catgid'];

or

$id = intval($_GET['catgid']);

will turn the catgid into an integer if possible

"hallo" -> 0
"2' and true" -> 2
" 123bla" -> 123
2 -> 2
b2 -> 0
2.5 -> 2
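As an added example (not code from anyone in this thread) covering both the is_numeric/intval discussion and ameero's request for a PDO version of his query: strict integer validation followed by a prepared statement. The table and column names are taken from the query he posted; the DSN and credentials are placeholders.

```php
<?php
// Added example (not code from the thread): validate catgid, then run the
// poster's query (groups.catgId, groups.size) as a PDO prepared statement.

// Return the category id as a positive integer, or null when the value is
// missing or not a whole number. Unlike is_numeric(), FILTER_VALIDATE_INT
// rejects "2.5", "1e3" and " 123bla" outright instead of guessing.
function catgidFromQuery(array $get): ?int
{
    if (!isset($get['catgid'])) {
        return null;
    }
    $id = filter_var($get['catgid'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Fetch the items of one category. The value never becomes part of the SQL
// text: it is bound as an integer parameter, so no escaping is needed.
function loadGroups(PDO $pdo, int $catgId): array
{
    // `groups` is a reserved word in MySQL 8, hence the backticks.
    $stmt = $pdo->prepare(
        'SELECT * FROM `groups` WHERE catgId = :catgId ORDER BY size DESC'
    );
    $stmt->bindValue(':catgId', $catgId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in catgories.php. ERRMODE_EXCEPTION makes a failed connection throw
// a readable error instead of silently returning nothing (placeholder DSN).
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

$catgId = catgidFromQuery($_GET);
if ($catgId === null) {
    http_response_code(400);
    exit('Invalid category id');
}
$items = loadGroups($pdo, $catgId);
if ($items === []) {
    http_response_code(404);
    exit('No such category');
}
```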
