How to stop SQL Injections on this PHPBase Framework code?

Security and PHP
#1

This is old open source from a few years ago, but not secure. However, I can not figure out how to make it sanitize user input in login fields. It’s under SQL 4.1 and PHP 5.2

[pre]<?php function DoEvents($that) { global $_CONF , $_TSM , $base; $_TSM["MENU"] = ""; // verify valid user if (!$_SESSION["minibase"]["user"]) { if ($_SERVER["REQUEST_METHOD"] == "POST") { // log user in $user = $that->db->QFetchArray("select * from {$that->tables[users]} where `user_login` = '{$_POST[user]}' AND `user_password` = '{$_POST[pass]}'"); if (is_array($user)) { $_SESSION["minibase"]["user"] = 1; $_SESSION["minibase"]["raw"] = $user; // if valid user send to main header("Location: $_CONF[default_location]"); exit; } else return $that->templates["login"]->blocks["Login"]->output; } else return $that->templates["login"]->blocks["Login"]->output; } if ($_SESSION["minibase"]["raw"]["user_level"] == 0) { $_TSM["MENU"] = $that->templates["login"]->blocks["MenuAdmin"]->output; } else { $_TSM["MENU"] = $that->templates["login"]->blocks["MenuUser"]->output; } if (!$_POST["task_user"]) $_POST["task_user"] = $_SESSION["minibase"]["user"]; if($_SESSION["minibase"]["raw"]["user_level"] == 1) { $_CONF["forms"]["adminpath"] = $_CONF["forms"]["userpath"]; } switch ($_GET["sub"]) { case "logout": unset($_SESSION["minibase"]["user"]); header("Location: index.php"); return $that->templates["login"]->EmptyVars(); break; case "notes": case "transactions": case "products": case "vendors": case "suppliers": case "workers": case "users": if ($_GET["sub"] == "workers") { if ((!$_GET["action"])&&($_SESSION["minibase"]["raw"]["user_level"] != 0 )) { $_GET["action"] = "details"; } if ($_SESSION["minibase"]["raw"]["user_level"] == 1) { $_GET["user_id"] = $_SESSION["minibase"]["raw"]["user_id"]; $_POST["user_id"] = $_SESSION["minibase"]["raw"]["user_id"]; } } if (is_subaction("suppliers" , "details") || (is_subaction("products" , "details") && !$_GET["section"])) { $notes = new CSQLAdmin("notes", $_CONF["forms"]["admintemplate"],$that->db,$that->tables , $extra); $extra["details"]["after"] .= $notes->DoEvents(); } if (is_subaction("products" , "details") && $_GET["section"]) { $notes = new CSQLAdmin("transactions", $_CONF["forms"]["admintemplate"],$that->db,$that->tables , $extra); $extra["details"]["after"] .= $notes->DoEvents(); } $data = new CSQLAdmin($_GET["sub"], $_CONF["forms"]["admintemplate"],$that->db,$that->tables , $extra); if (is_subaction("products" , "details") && $_GET["section"]) { // remove certain info unset($data->forms["forms"]["details"]["fields"]["item_location"]); } return $data->DoEvents(); break; case "export": switch ($_GET["action"]) { case "products": header("Content-Type: text/x-csv"); header("Content-Disposition: inline; filename=products.csv"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Pragma: public"); echo putcsv(array("Name","Part Number","Count")); $products = $that->db->QFetchRowArray("SELECT * FROM {$that->tables[products]}"); if (is_array($products)) { foreach ($products as $key => $val) { echo putcsv(array($val["item_title"] , $val["stock_id"] , $val["in_stock"]),','); } } die(); break; case "transactions": header("Content-Type: text/x-csv"); header("Content-Disposition: inline; filename=transactions.csv"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Pragma: public"); echo putcsv(array("Date of Transaction", "Description", "UserName", "Transaction ID", "Change")); $transactions = $that->db->QFetchRowArray("SELECT * FROM {$that->tables[transactions]} WHERE qty_product='{$_GET[stock_id]}'"); if (is_array($transactions)) { foreach ($transactions as $key => $val) { //read the user $tmp = $that->db->QFetchArray("SELECT * FROM {$that->tables[users]} WHERE user_id='{$val[qty_user]}'"); $val["user"] = $tmp["user_name"]; echo putcsv(array(date("m/d/Y" , $val["qty_date2"]), str_replace("\n",'',$val["qty_description"]), $val["user"], $val["qty_id"], $val["qty_inventory"] > 0 ? ("+" . $val["qty_inventory"] ) : $val["qty_inventory"] ) ); } } die; break; default: header("Location: ../index.php"); exit; break; } //Name Part Number Count break; default: return "Welcome!"; break; } } ?>[/pre]

#2

All you need to do is take the post variuables and add them to variables then secure them by using functions such as mysql_real_escape_string() which will make data save for databases, strip_tags() which removes any tags from the data:

[php]//capture post data to vars
$user = $_POST[‘user’];
$pass = $_POST[‘pass’];

//esacpe date for database
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);

//remove all tags from post data
$user = strip_tags($user);
$pass = strip_tags($pass);

$user = $that->db->QFetchArray(“select * from {$that->tables[users]} where user_login = ‘$user’ AND user_password = ‘$pass’”); [/php]

Sponsor our Newsletter | Privacy Policy | Terms of Service