Rename adoptables (Security issue fixed!)

[Seapyramid]

*****CAUTION********
I used this today.. worked great.. went out, .. came home.., GREY SCREEN!! I call my host for that site & asked.. they found a hack entry from the script!! They fixed the issue on ALL pages & emailed me some info on protection. I will read the email in the morning & give for info. But there is a security issue in the mod.

Sea

[Rsmiley]

It doesnt filter for SQL injections i bet...

[kisazeky]

I included this

PHP Code:

$id = $_POST["id"];
$id = preg_replace("/[^a-zA-Z0-9s]/", "", $id);
$newname = $_POST["newname"];
$newname = preg_replace("/[^a-zA-Z0-9\\040.]/", "", $newname); 


What do I need to include to filter these injections, Rsmiley?

Edit: Maybe this will protect it?

Adding this to functions.php:

PHP Code:

function cleanQuery($string)
{
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
} 


Then adding this line in rename2.php:

PHP Code:

if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']); 


What do you think Rsmiley?

It certainly does not hurt anything.

[Rsmiley]

It should be quite secure. I doubt it would be exploitable after that has been added.

You are safe with that added

[Ashje]

Quote:

Originally Posted by kisazeky

I included this

PHP Code:

$id = $_POST["id"];
$id = preg_replace("/[^a-zA-Z0-9s]/", "", $id);
$newname = $_POST["newname"];
$newname = preg_replace("/[^a-zA-Z0-9\\040.]/", "", $newname); 


What do I need to include to filter these injections, Rsmiley?

Edit: Maybe this will protect it?

Adding this to functions.php:

PHP Code:

function cleanQuery($string)
{
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
} 


Then adding this line in rename2.php:

PHP Code:

if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']); 


What do you think Rsmiley?

It certainly does not hurt anything.

EDIT: I'm assuming that

PHP Code:

if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']); 


goes here:

Code:

$newname = $_POST["newname"];

but I get this error: "
PHP Error Message

Parse error: syntax error, unexpected T_IF in /home/---------/public_html/rename2.php on line 78

Free Web Hosting"

[kisazeky]

No, don't do that.

Add

PHP Code:

if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']); 


below

PHP Code:

$newname = $_POST["newname"]; 


Edit: Wait a minute, I just realized. Rusnak had the post data things before the connect to database script. That makes sense, hijackers can't input manipulative data if they don't have access to the database yet.

[Ashje]

^
All done, thanks =)

[Seapyramid]

Cool :) Thanks for the fix
:)
Sea

***EDIT***
**FYI**
This is an edit just because I do tend to hear things. I have just heard a rumor that Soleria stole code, just because they used this script without changing the Digimon reference. I corrected the person before they took this rumor further, but that is how easy rumors can start in this field. So please make sure you offer generic scripts & those using the scripts make sure you check them for issues like this.

Sea

[kisazeky]

Yes I did change this to be more generic.

[Seapyramid]

I'm sorry Kisazeky, when I said "you" I really didn't mean YOU. I know you had made the change to be more generic. :) I was just meaning "you" in general to anyone who might offer a script or design so that some unsuspecting site didn't get in trouble for something they didn't do. :)

Sea