[Phpwm] site critique please

Phil Beynon phil at infolinkelectronics.co.uk
Tue Jan 16 17:24:02 GMT 2007


> Phil Beynon wrote:
> > Hi all,
> >
> > Just finished my latest user content managed showcase site, if
> anyone on
> > the list would like to take a look and give me any feedback
> regarding any
> > aspect of it........
> >
> > http://www.ralphsutcliffeminerals.co.uk/index.php
> >
>
>
> I think it's vulnerable to SQL injection attacks, e.g.
>
> http://www.ralphsutcliffeminerals.co.uk/full_arc.php?ident=1768'888
>
> thanks
> David.
>
> --
> David Goodwin
>
> [ david at codepoets dot co dot uk ]
> [ http://www.codepoets.co.uk       ]
>

Hi David,

How?
All that's making it do is throw a MySQL error and immediately exit;

// $ident is taken straight from the ?ident= query string and interpolated into the SQL
$result1 = mysql_query("SELECT * FROM page_content WHERE id = '$ident';");
if (!$result1) {
    echo("<p>Error performing query: " . mysql_error() . "</p>");
    exit();
}

There are a couple of variables that come from the siteconfig, but these would
overwrite anything injected because of when they are read in.

Phil
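Editor's note, as an added example that is not part of either message above: the `1768'888` probe is only a detector. Because the `mysql_error()` text is echoed back, it confirms to the requester that `$ident` is spliced into the SQL string unescaped. A payload that keeps the quotes balanced produces no syntax error at all, so the `exit()` branch never runs, and the attacker can widen the `WHERE` clause or `UNION` in rows from another table. The script below reproduces the posted query shape against an in-memory SQLite database with constructed sample tables (`page_content` and a hypothetical `users` table; the column names are assumptions, not the site's schema) and shows the same lookup done with a bound parameter, which is the fix. Comment syntax differs between SQLite and MySQL, so the payloads below avoid comments and close the quote themselves; they behave the same way in both.

```python
import sqlite3

# Constructed sample data standing in for the site's MySQL tables.
# Table and column names are assumptions for the demo, not the real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE page_content (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO page_content VALUES (1768, 'Fluorite', 'Public page text');
        INSERT INTO page_content VALUES (1769, 'Calcite',  'Another public page');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret-hash');
    """)
    return conn


def vulnerable_lookup(conn, ident):
    """Mirrors the posted PHP: the raw ?ident= value is pasted into the SQL text."""
    sql = f"SELECT * FROM page_content WHERE id = '{ident}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # This is the branch the PHP reaches for 1768'888: it echoes the DB error
        # and exits. The error text is the attacker's confirmation, not a defence.
        return ("error", str(exc))


def safe_lookup(conn, ident):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM page_content WHERE id = ?", (ident,)
    ).fetchall()


def run_demo():
    """Runs the probe and two quote-balanced payloads against both lookups."""
    conn = make_db()
    probe = "1768'888"                                   # David's syntax-error probe
    widen = "1768' OR '1'='1"                            # always-true WHERE, no error
    union = "0' UNION SELECT id, username, password FROM users WHERE '1'='1"
    return {
        "probe": vulnerable_lookup(conn, probe),          # ("error", ...)
        "widen": vulnerable_lookup(conn, widen),          # every page row
        "union": vulnerable_lookup(conn, union),          # the users row
        "safe_widen": safe_lookup(conn, widen),           # [] : treated as a literal id
        "safe_normal": safe_lookup(conn, "1768"),         # the one intended row
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:12} -> {rows}")
```

The `widen` and `union` requests return HTTP 200 with real rows, so nothing in the posted error branch fires. The siteconfig variables being read in later does not help either: the damage is done inside MySQL when the string is parsed, before any PHP variable is reassigned. Binding the parameter (in the `mysql_*` API of the era that means `mysql_real_escape_string()` plus quoting, or moving to `mysqli`/PDO prepared statements) is the fix David is pointing at.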
