Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

› WebAssist Forums › Data Bridge › Data Bridge General / Announcements › sql injection

sql injection

Thread began 9/22/2020 1:50 am by Sweens | Last modified 10/09/2020 9:09 am by Ray Borduin | 1031 views | 22 replies |

9/22/2020 1:50 am | #1 Sweens

sql injection

Hi Ray

Hope you can help with this. I have a couple of pages that Jason helped me with originally and you helped me convert them to mysql_i. They use checkboxes to select email recipients. I'm told that the following lines leave the page vulnerable to an sql injection and hope there is an easy fix.

line 16: $WAFV_Errors .= WAValidateRQ(((isset($_POST["toEmail"]))?implode(", ",$_POST["toEmail"]):"") . "",false,2);

line 58: $Email->addBCC("".((isset($_POST["toEmail"]))?implode(", ",$_POST["toEmail"]):"") ."");

I've attached the page.

Many thank

Chris

9/22/2020 10:02 am | #2 Ray BorduinWebAssist

Those lines couldn't possible lead to sql injection... they aren't even tied to any database sql at all.

Did this help? Tips are appreciated...

9/22/2020 10:34 am | #3 Sweens

Hi Ray

My apologies - wrong piece of code. It's in the page has the recipients recordset (in p.m.

Cheers

Chris

9/22/2020 10:51 am | #4 Ray BorduinWebAssist

Try:

php:

<?php

$rsRecips = new WA_MySQLi_RS("rsRecips",$connRIBIT_i,0);

$rsRecips->setQuery("SELECT CONCAT(rotarians.FirstName, ' ', rotarians.Surname)AS RecipName FROM rotarians WHERE rotarians.MemEmail IN (?) AND ClubID=? AND rotarians.status=0 ORDER BY rotarians.Surname");

$rsRecips->bindParam("sl", "".(isset($_POST['toEmail'])?$_POST['toEmail']:"-1") ."", "-1"); //p1

$rsRecips->bindParam("i", "".$_SESSION['ClubID'] ."", "-1"); //p2

$rsRecips->execute();

?>

Did this help? Tips are appreciated...

9/22/2020 1:49 pm | #5 Sweens

Thanks Ray

The emails are sent, but each contains the following error message:

Notice: Array to string conversion in /home/sites/6b/5/5827535cbb/public_html/webassist/email/Rotary/members-email_body.php on line 6

Cheers

Chris

9/22/2020 2:46 pm | #6 Ray BorduinWebAssist

You shouldn't have changed the email code... just the recordset select statement. It shouldn't have any effect on your email code.

Line 58 should still be:
line 58: $Email->addBCC("".((isset($_POST["toEmail"]))?implode(", ",$_POST["toEmail"]):"") ."");

What is on members-email_body.php on line 6?

Did this help? Tips are appreciated...

9/22/2020 3:01 pm | #7 Sweens

Hi Ray

Thanks. I haven't modified anything except the recordset.

Line 6 is from the new recordset code:

$rsRecips->bindParam("sl", "".(isset($_POST['toEmail'])?$_POST['toEmail']:"-1") ."", "-1"); //p1

Cheers

Chris

9/22/2020 3:05 pm | #8 Ray BorduinWebAssist

Try changing it to:

$rsRecips->bindParam("sl", (isset($_POST['toEmail'])?$_POST['toEmail']:"-1") , "-1"); //p1

Did this help? Tips are appreciated...

9/22/2020 3:22 pm | #9 Sweens

Thanks Ray

That seems to have fixed it - no error on the emails.

Many thanks once again. See pm

Chris

9/28/2020 7:42 am | #10 Sweens

Hi Ray

Something else has come up - see pm - is there a way round that? Client very concerned about GDPR.

Thanks

Chris

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now. Build a store, a gallery, or a web-based email solution.