Get rid of the sql injection problem

Secure your Article Dashboard Directory from Hackers. It is very possible, don't believe everything you hear.

Postby eArticlesOnline » Thu Oct 16, 2008 9:09 pm

SQL injection is a real problem. I hate to bring too many things to light as hackers may see them too, but this is something you need to do if you're using the Article Dashboard code, or else people can just get right into the admin system, etc., in a couple of seconds. This is just good old-fashioned input cleanup, the first thing you want to do with a codebase. However, it was never done in the original code.

Put this into your setup.php file after the vars that are set:

Code:
// mysql_real_escape_string() needs an open connection, so connect first.
mysql_connect($dbhost, $dbuser, $dbpasswd) or die("Could not connect to a MySQL server using the default settings.");

// Apply $func to every scalar value in a (possibly nested) array.
function array_map_recursive( $func, $arr ) {
    $newArr = array();
    foreach( $arr as $key => $value ) {
        $newArr[ $key ] = ( is_array( $value ) ? array_map_recursive( $func, $value ) : $func( $value ) );
    }
    return $newArr;
}

// Clean up POST, GET, and COOKIES vars.
// If magic_quotes_gpc has already added slashes, strip them first
// so that every value is escaped exactly once below.
if (get_magic_quotes_gpc())
{
    $_POST = array_map_recursive('stripslashes', $_POST);
    $_GET  = array_map_recursive('stripslashes', $_GET);
    $_COOKIE  = array_map_recursive('stripslashes', $_COOKIE);
}

// Escape with the MySQL-aware function when available, otherwise fall back to addslashes.
if ( function_exists("mysql_real_escape_string"))
{
    $_POST = array_map_recursive('mysql_real_escape_string', $_POST);
    $_GET  = array_map_recursive('mysql_real_escape_string', $_GET);
    $_COOKIE  = array_map_recursive('mysql_real_escape_string', $_COOKIE);
}
else
{
    $_POST = array_map_recursive('addslashes', $_POST);
    $_GET  = array_map_recursive('addslashes', $_GET);
    $_COOKIE  = array_map_recursive('addslashes', $_COOKIE);
}
// Done cleaning the vars
mysql_close();


In your .htaccess file, put this line near the top:
Code:
php_value magic_quotes_gpc 0


Now you are good. No more injection problems.
Last edited by eArticlesOnline on Tue Nov 11, 2008 5:00 pm, edited 1 time in total.
eArticlesOnline
 
Posts: 2
Joined: Thu Oct 16, 2008 7:40 pm
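
Added example, not part of the original post or of the Article Dashboard code: the same login and article-submission inputs handled with bound parameters per query instead of escaping every superglobal. The table and column names are hypothetical, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Table and column names are hypothetical, not Article Dashboard's
// schema; SQLite in memory stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admins (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Values travel separately from the SQL text, so quotes in them are only data.
function check_login(PDO $pdo, string $user, string $password): bool {
    $st = $pdo->prepare('SELECT pass_hash FROM admins WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();               // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

function save_article(PDO $pdo, string $body): int {
    $st = $pdo->prepare('INSERT INTO articles (body) VALUES (?)');
    $st->execute([$body]);
    return (int) $pdo->lastInsertId();
}

function load_article(PDO $pdo, int $id): ?string {
    $st = $pdo->prepare('SELECT body FROM articles WHERE id = ?');
    $st->execute([$id]);
    $body = $st->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed sample data.
$st = $pdo->prepare('INSERT INTO admins (username, pass_hash) VALUES (?, ?)');
$st->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$body = "It's a C:\\temp path\r\n\r\nSecond paragraph with \"quotes\".";
$id = save_article($pdo, $body);

// The article comes back byte for byte: no added slashes, line breaks kept.
var_dump(load_article($pdo, $id) === $body);
// Valid credentials are accepted.
var_dump(check_login($pdo, 'admin', 'correct horse'));
// A stray quote in the username is compared as data: no match and no SQL error.
var_dump(check_login($pdo, "admin'", 'anything'));
```

Because nothing is escaped in PHP, the stored text does not depend on the magic_quotes_gpc setting as long as that setting is off or its slashes are stripped before use.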

Re: Get rid of the sql injection problem

Postby GardenSimply » Sat Oct 18, 2008 2:47 am

Tony,

Thanks SO much for that! I wanted to ask if this will enable DO's (directory owners) to now safely allow use of the member profile? I have had this function disabled at all directories on our servers for some time.
GardenSimply
Admin
 
Posts: 208
Joined: Sat Sep 15, 2007 10:31 am
Location: Oklahoma

Re: Get rid of the sql injection problem

Postby joebrochin » Sun Oct 19, 2008 2:21 pm

I tried to insert this code into my setup.php on both of my directories.
When I did, it pushes the page down and shows the code on the webpage above the header image.

Am I doing something wrong?
joebrochin
Active Member
 
Posts: 121
Joined: Mon Sep 17, 2007 7:16 pm
Location: Jacksonville, NC

Re: Get rid of the sql injection problem

Postby GardenSimply » Sun Oct 19, 2008 5:23 pm

Joe~

At the bottom of your setup.php file you'll see these two lines...

$table_prefix = ""; (this line may or may not have a value... like prefix_)
?>
the above line, ?> closes php, you want to keep it open for the rest of the information to be parsed.

Delete the ?> closing php tag so it looks more like...

$table_prefix = "";
mysql_connect($dbhost,$dbuser, $dbpasswd) or die("Could not connect to a MySQL server using the default settings.");
... rest of the code...

P.S. Just got in and will be responding to your email soon. Surgery tomorrow. (monday)
GardenSimply
Admin
 
Posts: 208
Joined: Sat Sep 15, 2007 10:31 am
Location: Oklahoma

Re: Get rid of the sql injection problem

Postby joebrochin » Sun Oct 19, 2008 5:43 pm

Thanks Jodi, as always, you are the heat! :D
joebrochin
Active Member
 
Posts: 121
Joined: Mon Sep 17, 2007 7:16 pm
Location: Jacksonville, NC

Re: Get rid of the sql injection problem

Postby joebrochin » Sun Oct 19, 2008 6:03 pm

oops, spoke too soon.

When I log into the admin area I get a MySQL error. When I close the code with the ?> it goes away but I end up with the original problem.
joebrochin
Active Member
 
Posts: 121
Joined: Mon Sep 17, 2007 7:16 pm
Location: Jacksonville, NC

Re: Get rid of the sql injection problem

Postby GardenSimply » Mon Oct 20, 2008 6:14 am

Joe,

I think the way I have your directory set up there is a copy of the setup.php file in your admin folder.

You could get around always making sure that the proper file is in all the right places by putting the setup.php file in a more secure place...

Put the below code in the actual setup.php file wherever you use it (root folder, admin folder, etc)
Code:
<?php include_once ('root folder/include/setup.php');?>


This may look something like, <?php include_once ('/home/username/include/setup.php');?>

Where root folder is the path in your set up folder (do not use the directory name if installed in a directory; this is NOT the path to the directory, but rather a place below public_html <httpdocs, whatever> not accessible by a browser).

Then create a folder, 'includes' and put your setup.php file in it. This way if you ever make changes to this file (moving server, etc) all you'll have to do is make a change to this one file and it changes it everywhere it is used.
GardenSimply
Admin
 
Posts: 208
Joined: Sat Sep 15, 2007 10:31 am
Location: Oklahoma

Re: Get rid of the sql injection problem

Postby manifold » Sun Oct 26, 2008 3:25 am

My site was hacked. I was able to restore it completely from backup.

I applied the code here to my site. However, now I notice some different characters in new submitted articles. Throughout the articles there are "rnrn" placed randomly and "/" by apostrophes. Even after I approve the articles, the characters are still there. All older articles are unaffected.

Any ideas?

Thanks for any help.
manifold
 
Posts: 2
Joined: Sun Oct 26, 2008 3:15 am

Re: Get rid of the sql injection problem

Postby GardenSimply » Sun Oct 26, 2008 7:35 am

Anyone else experiencing this issue since using this fix?
GardenSimply
Admin
 
Posts: 208
Joined: Sat Sep 15, 2007 10:31 am
Location: Oklahoma

Re: Get rid of the sql injection problem

Postby manifold » Sun Oct 26, 2008 8:44 am

Hi Jodi.

I really don't see why it would affect it and am not sure what does regulate the text. Besides doing this, I also password protected my admin and deleted the 2 edit template files.

This install, which you installed, has worked perfect for years. There doesn't seem to be any reason why these few things would cause this.

I don't know.
manifold
 
Posts: 2
Joined: Sun Oct 26, 2008 3:15 am

Re: Get rid of the sql injection problem

Postby GardenSimply » Tue Nov 04, 2008 5:39 pm

Okay... Tony's on it... I heard back from him today. He says...

more than likely, there's some gpc oddity going on, and these lines:
if (!get_magic_quotes_gpc())
{
$_POST = array_map_recursive('stripslashes',$_POST);
$_GET = array_map_recursive('stripslashes', $_GET);
$_COOKIE = array_map_recursive('stripslashes', $_COOKIE);
}

that remove slashes if the gpc functionality is adding them is
removing it taking it to rn from \r\n. you could probably remove
these lines temporarily and if that fixes it, we know what, tho the
why it would cause a problem i'm not totally sure.

i'm still trying to cause this problem, as if i can cause it i can
probably have it fixed inside a couple of mins.


So I got him into one of my directories and he's having a looksee... will post details forthwith. ;)
GardenSimply
Admin
 
Posts: 208
Joined: Sat Sep 15, 2007 10:31 am
Location: Oklahoma

Re: Get rid of the sql injection problem

Postby eArticlesOnline » Tue Nov 11, 2008 5:00 pm

i finally got it.

in your .htaccess file, put near the top this line:
Code:
php_value magic_quotes_gpc 0


the problem is that only in some files is the input attempted to be cleaned, like submitting articles.
in others, like the login pages, etc, it is not done.

obviously the real solution is to clean it in one central location like i put above for the setup.php file. the magic_quotes_gpc has been off by default since php 4.2.3, where the preferred solution is to clean it via the mysql_real_escape_string() like i put in the clean code above. i worked around the encoded parts of the code enough to show that it was fine before the encoded section altered it.

so, without really going further into the details, put the above line near the top of the .htaccess file and the problem will be solved in a few seconds.
eArticlesOnline
 
Posts: 2
Joined: Thu Oct 16, 2008 7:40 pm
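
Added illustration, not part of the thread or of the Article Dashboard code: how the "rnrn" and the slashes next to apostrophes reported above can come from text being slash-escaped more than once. It assumes that the article-submission page runs its own stripslashes-and-escape pass on top of the central cleanup (the thread only says some files attempt their own cleaning); `escape_like_mysql()` and `as_stored()` are hypothetical stand-ins so the script needs no database.

```php
<?php
// Added illustration, runs without a database.
// escape_like_mysql() is a hypothetical stand-in covering the characters
// mysql_real_escape_string() escapes; addslashes() stands in for magic_quotes_gpc.
function escape_like_mysql(string $s): string {
    return strtr($s, ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// One escape level is consumed when the server parses the quoted literal.
function as_stored(string $literal): string {
    return strtr($literal, ["\\\\" => "\\", "\\0" => "\0", "\\n" => "\n", "\\r" => "\r",
                            "\\'" => "'", '\\"' => '"', "\\Z" => "\x1a"]);
}

function stored_value(string $raw, bool $magicQuotes, bool $stripFirst, bool $secondPass): string {
    $v = $magicQuotes ? addslashes($raw) : $raw;   // what PHP hands to the script
    if ($stripFirst) {
        $v = stripslashes($v);                     // undo the slashes PHP added
    }
    $v = escape_like_mysql($v);                    // central cleanup, as in setup.php
    if ($secondPass) {                             // assumed per-page cleanup
        $v = escape_like_mysql(stripslashes($v));
    }
    return as_stored($v);
}

$raw = "It's here\r\n\r\nNext paragraph";          // constructed article text

$cases = [
    'magic quotes on, escaped on top'         => [true,  false, false],
    'magic quotes off, cleaned twice'         => [false, false, true],
    'magic quotes on, stripped, escaped once' => [true,  true,  false],
    'magic quotes off, escaped once'          => [false, false, false],
];
foreach ($cases as $label => [$mq, $strip, $second]) {
    $stored = stored_value($raw, $mq, $strip, $second);
    printf("%-40s %-36s %s\n", $label, json_encode($stored),
           $stored === $raw ? 'intact' : 'CORRUPTED');
}
```

The first case leaves a backslash in front of the apostrophe and the second turns each line break into the letters "rn"; only the two paths that escape exactly once store the text unchanged.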

Re: Get rid of the sql injection problem

Postby YummyArticles » Wed Jan 14, 2009 9:17 pm

Thanks for this!
YummyArticles
 
Posts: 3
Joined: Thu Jan 01, 2009 6:53 pm

Re: Get rid of the sql injection problem

Postby YummyArticles » Wed Jan 14, 2009 10:37 pm

I just got this error trying to log into my admin CP: Fatal error: Call to undefined function stripslashes() in /home/jrcdesig/public_html/yummy/setup.php on line 18
YummyArticles
 
Posts: 3
Joined: Thu Jan 01, 2009 6:53 pm

Re: Get rid of the sql injection problem

Postby Joshua » Tue Feb 16, 2010 11:07 am

I have the same problem as YummyArticles

Is the mysql injection problem an issue if you password protect the admin directory?
Joshua
New Member
 
Posts: 16
Joined: Tue Feb 16, 2010 11:00 am
