Bugs? In my PHP? It's more likely than you think
Level 7
There is only one line that has a vuln, correct it. The output does not have to be valid XHTML and assume that a mysql connection has been made already.
There is a bug as well as a vuln. You MUST fix both.
Here is the script:
<?php
if (!empty($_POST['data']))
{
$data = mysql_real_escape_string($_POST['data']);
mysql_query("INSERT INTO tbl_data (data) VALUES ('$data')");
}
?>
<form name="grezvahfvfnjuvavatovgpu" action="<?=$_SERVER['PHP_SELF']?>" method="get">
<input type="text" name="data" />
<input type="submit" />
</form>
Dev note
We're sick of getting bug reports saying <?= ... ?> isn't valid php syntax. If you don't believe us, consult the first page of the php.net language reference.
Solution:
- This script uses the PHP function mysql_real_escape_string() to prevent SQL injection on the INSERT. That part is correct.
Reference: http://tw.php.net/manual/en/function.mysql-real-escape-string.php
- But the output side is unprotected: $_SERVER['PHP_SELF'] is echoed straight into the form's action attribute, which is a classic XSS sink, and mysql_real_escape_string() is an SQL escaper, not an HTML one (it also does not escape % and _).
- So you need to use the PHP function htmlspecialchars() to convert special characters to HTML entities before echoing the value into the attribute.
Reference: http://tw.php.net/manual/en/function.htmlspecialchars.php
- Another problem is that the HTML form's method (get) does not match the $_POST superglobal the script reads from, so the submitted field never reaches the INSERT.
- So, replace the form tag with the HTML line below and check:
<form name="grezvahfvfnjuvavatovgpu" action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="post">
- It's done!
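The corrected script in full, as an added example (not the challenge's own answer text): it keeps the escaped INSERT, switches the form to method="post" so the field actually lands in $_POST, and passes $_SERVER['PHP_SELF'] through htmlspecialchars() before echoing it into the action attribute. The helper function safe_action() and its flags are assumptions made for illustration, not part of the original script.

```php
<?php
// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES also converts single quotes, so the result is safe in either
// quoting style; UTF-8 is given explicitly rather than relying on the
// server default. (safe_action is an illustrative helper, not from the page.)
function safe_action($path)
{
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

if (!empty($_POST['data']))
{
    // mysql_real_escape_string() handles quotes and backslashes for the SQL
    // string literal; it is not an HTML escaper, so it does nothing for the
    // attribute context in the form tag below.
    $data = mysql_real_escape_string($_POST['data']);
    mysql_query("INSERT INTO tbl_data (data) VALUES ('$data')");
}
?>
<!-- method="post" so the submitted field is read from $_POST as the script expects -->
<form name="grezvahfvfnjuvavatovgpu" action="<?= safe_action($_SERVER['PHP_SELF']) ?>" method="post">
<input type="text" name="data" />
<input type="submit" />
</form>
```

PHP_SELF reflects the request path as the client sent it, including anything appended after the script name, so it has to be treated as untrusted input like any other. After escaping, the characters `"`, `<`, `>` and `&` in the path come out as `&quot;`, `&lt;`, `&gt;` and `&amp;`, so the attribute value can no longer close the tag or start a new one.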