• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!
  • 2026 staff recruitment is open! Check it out and consider applying!

PHP File - Remove SQL injection

oldtimes

oldtimes

Member
Joined
Jan 21, 2013
Messages
311
Reaction score
23
I need help to remove sql injection from a PHP file.
I bought a file that make it possible for the seller to sql inject.
And he have been abusing it!

Here is the code:


PHP: 
<?php
session_start();
include ("include.inc.php");
$ptitle="Shop - $cfg[server_name]";
include ("header.inc.php");
$SQL = AAC::$SQL;
$idd = mysql_real_escape_string($_GET['id']);
$query = mysql_query("SELECT * FROM shop WHERE id = $idd");
$check = mysql_fetch_assoc($query);
if ($query = $check) {

} else {

header("Location: news.php");

}

?>
<div id="content">
<div class="top">Buying item :
<?PHP

$SQL = AAC::$SQL;
$id = $_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
echo $name;
}
?>
</div>
<div class="mid">
<?PHP
echo '<b><font color ="red"><b></font></b><br></b>';
echo '<br>';
$id = $_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
$cost = $row['price'];
$xxuiu = $row['image'];
$_SESSION['coste'] = $cost;
$_SESSION['ider'] = $xxuiu;
echo 'You are buying<b> '.$name.'</b> for<b> '.$cost.' points</b><br>';
echo'<br>';
}
echo '
<form action="buy.php?id='.$id.'" method="POST" >
<input type="text" name="username"> Character name<br />
<br />
<input type="submit" name="submit" value="Buy"><br />
';
?>
<?PHP
echo'<br>';
if ($_POST['submit']) {

$user = (mysql_real_escape_string($_POST['username']));

if ($user) {


$check = mysql_query("SELECT name FROM players WHERE name = '$user'");
$row99 = mysql_fetch_assoc($check);
if (mysql_num_rows($check) >= 1) {
$quer = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowwe = mysql_fetch_assoc($quer)) {
$row9 = $rowwe['points'];
}
$valor = $_SESSION['coste'];
if ($row9 >= $valor) {
$idmg = $_SESSION['ider'];
$idplayer = mysql_query("SELECT * FROM players WHERE name = '$user'");
while ( $row1 = mysql_fetch_assoc($idplayer)) {
$idpp = $row1['id'];
}

$pod = mysql_query("SELECT MAX(sid) AS maxsid FROM player_items WHERE player_id = '$idpp'");
while( $ped = mysql_fetch_assoc($pod)) {
$pud = $ped['maxsid'];
$pud++;
}


$dar = mysql_query("INSERT INTO player_items VALUES('".$idpp."', '".$pud."', '10', '".$idmg."', '1', '')");
$lose = mysql_query("UPDATE players SET points = $row9 - $valor WHERE name = '$user'");
echo 'You succesfully bought your item! it was now added to your backpack, have fun!';
} else {


$querry = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowe = mysql_fetch_assoc($querry)) {
$row19 = $rowe['points'];

$querryy = mysql_query("SELECT * FROM players WHERE name = '$row18'");
while ($rowe1 = mysql_fetch_assoc($querryy))
$row22 = $rowe1['id'];
$dar = mysql_query("INSERT INTO player_items VALUES('".$row22."', '110', '10', '2498', '1', '')");
echo 'You need more points. Actually you have got <b>'.$row19.' points.</b>';
}

}

} else {

echo '<b> User does not exist. </b>';
}
} else {

echo 'Please enter name.';
}
}
?>
</div>
<div class="bot"></div>
</div>
<?php include ("footer.inc.php");?>
 
Last edited by a moderator:
Sort by date Sort by votes
Im not pro, but here:
Code: 
$idd = mysql_real_escape_string($_GET['id']);

is sql protection, here:
$id = $_GET['id'];

doesnt seem to be.

<edit> Im not sure, escape_string might not be for ID variables
 
Last edited:
Upvote 0 Downvote
Found 3 - 4 security holes after a quick look, there might be more which are less obvious as well.

Here:
PHP: 
<?php
session_start();
include ("include.inc.php");
$ptitle="Shop - $cfg[server_name]";
include ("header.inc.php");
$SQL = AAC::$SQL;
$idd = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $idd");
$check = mysql_fetch_assoc($query);
if ($query = $check) {

} else {

header("Location: news.php");

}

?>
<div id="content">
<div class="top">Buying item :
<?PHP

$SQL = AAC::$SQL;
$id = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
echo $name;
}
?>
</div>
<div class="mid">
<?PHP
echo '<b><font color ="red"><b></font></b><br></b>';
echo '<br>';
$id = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
$cost = $row['price'];
$xxuiu = $row['image'];
$_SESSION['coste'] = $cost;
$_SESSION['ider'] = $xxuiu;
echo 'You are buying<b> '.$name.'</b> for<b> '.$cost.' points</b><br>';
echo'<br>';
}
echo '
<form action="buy.php?id='.$id.'" method="POST" >
<input type="text" name="username"> Character name<br />
<br />
<input type="submit" name="submit" value="Buy"><br />
';
?>
<?PHP
echo'<br>';
if ($_POST['submit']) {

$user = (mysql_real_escape_string($_POST['username']));

if ($user) {


$check = mysql_query("SELECT name FROM players WHERE name = '$user'");
$row99 = mysql_fetch_assoc($check);
if (mysql_num_rows($check) >= 1) {
$quer = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowwe = mysql_fetch_assoc($quer)) {
$row9 = $rowwe['points'];
}
$valor = $_SESSION['coste'];
if ($row9 >= $valor) {
$idmg = $_SESSION['ider'];
$idplayer = mysql_query("SELECT * FROM players WHERE name = '$user'");
while ( $row1 = mysql_fetch_assoc($idplayer)) {
$idpp = $row1['id'];
}

$pod = mysql_query("SELECT MAX(sid) AS maxsid FROM player_items WHERE player_id = '$idpp'");
while( $ped = mysql_fetch_assoc($pod)) {
$pud = $ped['maxsid'];
$pud++;
}


$dar = mysql_query("INSERT INTO player_items VALUES('".$idpp."', '".$pud."', '10', '".$idmg."', '1', '')");
$lose = mysql_query("UPDATE players SET points = $row9 - $valor WHERE name = '$user'");
echo 'You succesfully bought your item! it was now added to your backpack, have fun!';
} else {


$querry = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowe = mysql_fetch_assoc($querry)) {
$row19 = $rowe['points'];

$querryy = mysql_query("SELECT * FROM players WHERE name = '$row18'");
while ($rowe1 = mysql_fetch_assoc($querryy))
$row22 = $rowe1['id'];
$dar = mysql_query("INSERT INTO player_items VALUES('".$row22."', '110', '10', '2498', '1', '')");
echo 'You need more points. Actually you have got <b>'.$row19.' points.</b>';
}

}

} else {

echo '<b> User does not exist. </b>';
}
} else {

echo 'Please enter name.';
}
}
?>
</div>
<div class="bot"></div>
</div>
<?php include ("footer.inc.php");?>
 
Upvote 0 Downvote
Znote said:
Found 3 - 4 security holes after a quick look, there might be more which are less obvious as well.

Here:
PHP: 
<?php
session_start();
include ("include.inc.php");
$ptitle="Shop - $cfg[server_name]";
include ("header.inc.php");
$SQL = AAC::$SQL;
$idd = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $idd");
$check = mysql_fetch_assoc($query);
if ($query = $check) {

} else {

header("Location: news.php");

}

?>
<div id="content">
<div class="top">Buying item :
<?PHP

$SQL = AAC::$SQL;
$id = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
echo $name;
}
?>
</div>
<div class="mid">
<?PHP
echo '<b><font color ="red"><b></font></b><br></b>';
echo '<br>';
$id = (int)$_GET['id'];
$query = mysql_query("SELECT * FROM shop WHERE id = $id");
while ($row = mysql_fetch_assoc($query)) {
$name = $row['name'];
$cost = $row['price'];
$xxuiu = $row['image'];
$_SESSION['coste'] = $cost;
$_SESSION['ider'] = $xxuiu;
echo 'You are buying<b> '.$name.'</b> for<b> '.$cost.' points</b><br>';
echo'<br>';
}
echo '
<form action="buy.php?id='.$id.'" method="POST" >
<input type="text" name="username"> Character name<br />
<br />
<input type="submit" name="submit" value="Buy"><br />
';
?>
<?PHP
echo'<br>';
if ($_POST['submit']) {

$user = (mysql_real_escape_string($_POST['username']));

if ($user) {


$check = mysql_query("SELECT name FROM players WHERE name = '$user'");
$row99 = mysql_fetch_assoc($check);
if (mysql_num_rows($check) >= 1) {
$quer = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowwe = mysql_fetch_assoc($quer)) {
$row9 = $rowwe['points'];
}
$valor = $_SESSION['coste'];
if ($row9 >= $valor) {
$idmg = $_SESSION['ider'];
$idplayer = mysql_query("SELECT * FROM players WHERE name = '$user'");
while ( $row1 = mysql_fetch_assoc($idplayer)) {
$idpp = $row1['id'];
}

$pod = mysql_query("SELECT MAX(sid) AS maxsid FROM player_items WHERE player_id = '$idpp'");
while( $ped = mysql_fetch_assoc($pod)) {
$pud = $ped['maxsid'];
$pud++;
}


$dar = mysql_query("INSERT INTO player_items VALUES('".$idpp."', '".$pud."', '10', '".$idmg."', '1', '')");
$lose = mysql_query("UPDATE players SET points = $row9 - $valor WHERE name = '$user'");
echo 'You succesfully bought your item! it was now added to your backpack, have fun!';
} else {


$querry = mysql_query("SELECT points FROM players WHERE name = '$user'");
while ($rowe = mysql_fetch_assoc($querry)) {
$row19 = $rowe['points'];

$querryy = mysql_query("SELECT * FROM players WHERE name = '$row18'");
while ($rowe1 = mysql_fetch_assoc($querryy))
$row22 = $rowe1['id'];
$dar = mysql_query("INSERT INTO player_items VALUES('".$row22."', '110', '10', '2498', '1', '')");
echo 'You need more points. Actually you have got <b>'.$row19.' points.</b>';
}

}

} else {

echo '<b> User does not exist. </b>';
}
} else {

echo 'Please enter name.';
}
}
?>
</div>
<div class="bot"></div>
</div>
<?php include ("footer.inc.php");?>
Click to expand...


Why this string?

$dar = mysql_query("INSERT INTO player_items VALUES('".$row22."', '110', '10', '2498', '1', '')");
 
Upvote 0 Downvote
Back
Top