MyBB Community Forums

Full Version: SQL Injection
Yo,

How do I test whether my site is protected from injection attacks? The only error I get is

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/***/public_html/*******/ideas.php on line 87

Is that injectable? If so, how, and how do I stop it?
So long as you escape and validate all user inputs, you should be fine. I'd also advise using PHP's PDO rather than the old mysql_* functions.
Hmmm ok, is it possible to inject through that though?
Make sure that you've connected to the database first, and that the syntax of the query is correct.

You cannot 'inject' through a MySQL error. It's just that. An error.

As long as you're escaping/validating the input you're fine.
Not so long as you're careful and make use of Prepared Statements. As a rule, I always validate any user input before allowing it anywhere near a database. You can never be too careful after all.
I was just told on HF that it is vulnerable :/
(2011-12-25, 11:51 PM) itheme wrote: I was just told on HF that it is vulnerable :/

Source #1: A PHP developer

Source #2: A kid on a hacking forum

There's a huge difference.

What's the full code you're using?
True, I was just testing, what's the point in protecting it if it's not vulnerable?
The issue you're having is the script simply doesn't work, however you're running it.

The specific error isn't showing that it's potentially vulnerable, but that doesn't mean it isn't.

Are you using mysql_escape_string(), intval(), and other data type validation functions?
It does work, but I just added ' at the end and it failed.
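Added example, not part of the thread and not the poster's ideas.php (which is never shown): it contrasts a query built by pasting the input into the SQL text, which breaks when ' is appended, with the validated, prepared-statement form the replies recommend. The ideas table, the function names and the use of an in-memory SQLite database through PDO (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Constructed sample data; SQLite in memory stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ideas (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO ideas (title) VALUES ('Dark theme'), ('Tag search')");

// Hypothetical "before": the request value becomes part of the SQL text.
function find_concatenated(PDO $pdo, string $id): ?array
{
    try {
        $sql = "SELECT id, title FROM ideas WHERE id = '" . $id . "'";
        return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // The input changed the statement's syntax, so it no longer parses.
        // With the old API, mysql_query() returns false here and passing that
        // to mysql_fetch_object() produces the warning quoted in the thread.
        return null;
    }
}

// "After": validate the type first, then bind the value as a parameter.
function find_prepared(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return []; // not a plain non-negative integer: reject before the DB
    }
    // The SQL text is fixed; the bound value is only ever treated as data.
    $stmt = $pdo->prepare('SELECT id, title FROM ideas WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and the same id with ' appended.
foreach (['1', "1'"] as $input) {
    $before = find_concatenated($pdo, $input);
    $after  = find_prepared($pdo, $input);
    printf(
        "input %-3s concatenated: %-13s prepared: %d row(s)\n",
        $input,
        $before === null ? 'query failed' : count($before) . ' row(s)',
        count($after)
    );
}
```

A query that stops parsing when a quote is appended shows that the input reaches the SQL text unescaped; in the second function the same input never reaches the parser.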