Tags: php, sql, sql-injection

Today I checked my script with Acunetix and found a "Blind SQL injection" in one of my files.

Acunetix message:

Attack details

HTTP Header input x-forwarded-for was set to 1' and sleep(2)='

How to fix this vulnerability:

Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.

I have escaped all input with the mysql_real_escape_string() function, but the error still exists.

I tried to filter this header in my file with this code:

if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    // the escaped string is returned but never stored or used anywhere
    mysql_real_escape_string(addslashes(($_SERVER['HTTP_X_FORWARDED_FOR'])));

But it doesn't work. Please help!

It's better to use a PDO prepared statement to prevent SQL injection than to try to create your own "scripts"; just escaping characters is not enough to prevent SQL injections.

Have a look here for PDO prepared statements: http://php.net/manual/en/pdo.prepared-statements.php

Most likely your application utilizes some sort of flawed function "to determine the visitor's IP address".

Setting aside the fact that using HTTP_X_FORWARDED_FOR for this purpose is wrong, it most likely explains why your awkward escaping doesn't work.

It seems that the system takes the IP address into some variable before you escape it. Then this variable goes into the query, while you are escaping a harmless XFF.

And here is the real explanation of why you ought to use prepared statements: because they format exactly the proper value, right where it should be. There is no way to slip up with too-early escaping.
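The mistake this answer describes, next to the prepared-statement fix, as an added example that is not part of the question or either answer (the visits table, the ip column and the in-memory SQLite database are assumptions standing in for the asker's MySQL schema):

```php
<?php
// Added example, not code from the question or either answer. Table `visits`
// and column `ip` are assumed names; SQLite in memory stands in for MySQL.

// BEFORE: the pattern the second answer describes. The IP is read into a
// variable before any escaping happens and then concatenated into SQL, so
// escaping $_SERVER['HTTP_X_FORWARDED_FOR'] afterwards (and discarding the
// result, as in the question) changes nothing.
function get_client_ip_flawed(): string
{
    return $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
}

function log_visit_vulnerable(mysqli $db): void
{
    $ip = get_client_ip_flawed();
    // Attacker-controlled header text becomes part of the SQL statement.
    $db->query("INSERT INTO visits (ip) VALUES ('$ip')");
}

// AFTER: use the address the server actually saw (X-Forwarded-For is set by
// the client unless a proxy you control overwrites it), check that it is an
// IP address, and bind it so the driver sends it as data, not as SQL text.
function get_client_ip(): string
{
    $addr = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        throw new UnexpectedValueException('Invalid client address');
    }
    return $addr;
}

function log_visit(PDO $db, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO visits (ip) VALUES (:ip)');
    $stmt->execute([':ip' => $ip]);   // bound parameter, nothing to escape
}

// Constructed demonstration: the header value from the scanner report, bound
// as a parameter, is stored as an inert string; the validated REMOTE_ADDR is recorded.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';
$_SERVER['HTTP_X_FORWARDED_FOR'] = "1' and sleep(2)='";
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visits (ip TEXT NOT NULL)');
log_visit($pdo, $_SERVER['HTTP_X_FORWARDED_FOR']); // stored verbatim, not executed
log_visit($pdo, get_client_ip());
foreach ($pdo->query('SELECT ip FROM visits') as $row) {
    echo $row['ip'], PHP_EOL;
}
```

Run it with the pdo_sqlite extension enabled; the point to notice is that the bound payload never reaches the SQL parser, whereas the vulnerable version above would have spliced it into the statement before any of the asker's escaping ran.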
