Thread: SQL Injection Prevention
-
04-16-2014, 11:49 PM #1 Newbie
- Join Date
- Mar 2014
- Posts
- 10
SQL Injection Prevention
Hello, so I used Web Cruiser Web Vulnerability Scanner to scan my site for SQL Injection vulnerabilities and everything seems good except one URL.
https://joopeng.com/mi/cart.php?a=add&pid=1^token=
Parameter: token=
Type: Search
Keyword/ActionURL: Please
Vulnerability: POST SQL Injection
How would I fix this?
Thank you in advance!
-
04-17-2014, 05:59 AM #2 WHT Addict
- Join Date
- Aug 2009
- Posts
- 118
Is the token value being used to query your database? If it isn't then you can ignore the warning.
However, if it is, there are a few possible things you can do. Either just escape all the bad characters using the mysql_real_escape_string($token) function when passing token to your query,
or, a better way, use prepared statements, which is when queries and variables are passed to the database separately. There is plenty of instruction on this in the PHP documentation; this would be a good start: http://php.net/manual/en/mysqli.prepare.php
Hope this helps.
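The two approaches from the reply above side by side, as an added example that is not WHMCS code or code from the poster: the concatenated query a scanner flags on a token parameter, the mysqli prepared-statement version, and the escaping fallback. The table `cart_tokens(token, pid)` and the connection details are constructed for illustration; `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not WHMCS code. Assumes a constructed table
// cart_tokens(token VARCHAR(64), pid INT) and a mysqli connection.

// VULNERABLE: the user-supplied token is spliced into the SQL text, so a
// quote or operator inside it changes the meaning of the statement.
function lookupTokenUnsafe(mysqli $db, string $token): ?array
{
    $sql = "SELECT pid FROM cart_tokens WHERE token = '" . $token . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// FIXED: prepared statement. The SQL text with a "?" placeholder is sent to
// the server first; the value is bound afterwards and is only ever data.
function lookupTokenSafe(mysqli $db, string $token): ?array
{
    $stmt = $db->prepare("SELECT pid FROM cart_tokens WHERE token = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $token);   // "s" binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// FALLBACK: escaping (mysqli's counterpart of mysql_real_escape_string).
// Still string concatenation, so the quotes around the value are mandatory;
// prefer the prepared statement above.
function lookupTokenEscaped(mysqli $db, string $token): ?array
{
    $safe = $db->real_escape_string($token);
    $sql = "SELECT pid FROM cart_tokens WHERE token = '" . $safe . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Usage with constructed connection values; the token is taken from the
// request exactly as cart.php would receive it.
$db = new mysqli("localhost", "shop_user", "shop_pass", "shop");
$token = $_GET['token'] ?? '';
var_dump(lookupTokenSafe($db, $token));
```

Adding a format check before the query (for example, rejecting tokens that are not the expected length or character set) is a cheap extra layer, but it is not a substitute for binding the value.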
-
04-17-2014, 12:15 PM #3 Newbie
- Join Date
- Mar 2014
- Posts
- 10
But how can I do that when the cart.php is part of WHMCS (which is encoded)?
-
04-17-2014, 12:39 PM #4 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
04-17-2014, 12:39 PM #5 WHT Addict
- Join Date
- Aug 2009
- Posts
- 118
Ah sorry, I thought it was a personally written script. If it's WHMCS then I definitely wouldn't worry about it. Any vulnerabilities it may have will have to be corrected by their dev team. I'm sure it's fine though.
Regards