  1. #1

    SQL Injection Prevention

    Hello, so I used Web Cruiser Web Vulnerability Scanner to scan my site for SQL Injection vulnerabilities and everything seems good except one URL.

    https://joopeng.com/mi/cart.php?a=add&pid=1^token=

    Parameter: token=
    Type: Search
    Keyword/ActionURL: Please
    Vulnerability: POST SQL Injection

    How would I fix this?

    Thank you in advance!

  2. #2
    Is the token value being used to query your database? If it isn't then you can ignore the warning.

    However, if it is, there are a few possible things you can do: either just escape all the bad characters using the mysql_real_escape_string($token) function when passing the token to your query.

    Or, a better way is to use prepared statements, which is when queries and variables are passed to the database separately. There is plenty of instruction on this in the PHP documentation; this would be a good start: http://php.net/manual/en/mysqli.prepare.php

    Hope this helps.
    www.hostlatch.com
    SDD Hosting - SSD Reseller - Premium VPS
    Premium UK Network - Instant Setup
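The two approaches from the reply above, side by side, as an added example that is not from this thread and not WHMCS code. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name cart_tokens, its rows, the function names and both token values are constructed for the demo. A mysqli version of the prepared-statement fix is included as well to match the php.net page linked above; it assumes an existing mysqli connection and is not executed here.

```php
<?php
// Added example (not from the thread, not WHMCS code): the same token lookup
// written the vulnerable way and the prepared-statement way.
// Everything below (table, rows, token values) is constructed for the demo.

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cart_tokens (token TEXT PRIMARY KEY, cart_id INTEGER)');
    $db->exec("INSERT INTO cart_tokens VALUES ('abc123', 1), ('def456', 2)");
    return $db;
}

// VULNERABLE: the token is concatenated into the SQL text, so whoever
// controls the token controls part of the query, not just a value.
function lookupCartVulnerable(PDO $db, string $token): array {
    $sql = "SELECT cart_id FROM cart_tokens WHERE token = '" . $token . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: prepared statement. The SQL is compiled first and the token is
// bound afterwards as data, so it can never change the query's structure.
function lookupCartPrepared(PDO $db, string $token): array {
    $stmt = $db->prepare('SELECT cart_id FROM cart_tokens WHERE token = :token');
    $stmt->execute([':token' => $token]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same fix with mysqli, as on the php.net page linked in the reply above.
// Not run in this demo; assumes an open mysqli connection $mysqli and the
// same cart_tokens table on the MySQL side. get_result() needs mysqlnd.
function lookupCartMysqli(mysqli $mysqli, string $token): array {
    $stmt = $mysqli->prepare('SELECT cart_id FROM cart_tokens WHERE token = ?');
    $stmt->bind_param('s', $token);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    return array_column($rows, 'cart_id');
}

$db = setupDemoDb();

$legit   = 'abc123';         // constructed: a real token from the table
$hostile = "' OR '1'='1";    // constructed: the textbook tautology test input

printf("vulnerable, legit token : %s\n", json_encode(lookupCartVulnerable($db, $legit)));
printf("vulnerable, hostile     : %s\n", json_encode(lookupCartVulnerable($db, $hostile)));
printf("prepared,   legit token : %s\n", json_encode(lookupCartPrepared($db, $legit)));
printf("prepared,   hostile     : %s\n", json_encode(lookupCartPrepared($db, $hostile)));
```

Run it with `php demo.php`. Both functions return the single matching cart for the legitimate token, but for the hostile token the concatenated query's WHERE clause becomes `token = '' OR '1'='1'` and returns every cart, while the prepared statement compares the whole string as a literal and returns nothing. That difference is the reason the reply recommends prepared statements over escaping: escaping has to get every special character right for the database's current charset, whereas binding keeps the value out of the SQL text entirely.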

  3. #3
    But how can I do that when the cart.php is part of WHMCS (which is encoded)?

  4. #4
    Quote Originally Posted by Pengo26:
    But how can I do that when the cart.php is part of WHMCS (which is encoded)?
    Contact WHMCS if you feel you have a SQLi.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Ah sorry, I thought it was a personally written script. If it's WHMCS then I definitely wouldn't worry about it. Any vulnerabilities it may have will have to be corrected by their dev team. I'm sure it's fine though.

    Regards
