Bravo List > TBDev > recover.php SQL injection (http://www.bvlist.com/showthread.php?t=11825)

BamBam0077 5th November 2018 05:53

recover.php SQL injection
 
PHP Code:

mysql_query("UPDATE users SET secret=" . sqlesc($sec) . ", editsecret='', passhash=" . sqlesc($newpasshash) . " WHERE id=$id AND editsecret=" . sqlesc($arr["editsecret"]));


You need to add ".sqlesc($id)." to stop SQL injection.
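
The injection BamBam0077 points at, shown as an added example (not code from TBDev or from the poster), with the sqlesc($id) fix he suggests beside an integer cast and a prepared statement. sqlesc() here is a stand-in that uses addslashes() so the script runs without a database, update_secret_prepared() and the attacker value $evil_id are my own constructions, and nothing below is copied from recover.php:

```php
<?php
// Added example (not TBDev's own code): what an unescaped $id in the recover.php
// UPDATE lets an attacker do to the WHERE clause, and ways to close it.

// Stand-in for TBDev's sqlesc(), which quotes a value and escapes it with
// mysql_real_escape_string(). That needs a live connection, so this copy uses
// addslashes() (an assumption made only so the script runs without a database).
function sqlesc($value)
{
    return "'" . addslashes((string) $value) . "'";
}

// The original, vulnerable shape: $id is interpolated into the SQL unquoted
// and unchecked, so whatever it contains becomes part of the WHERE clause.
function build_update_vulnerable($id, $sec, $newpasshash, $editsecret)
{
    return "UPDATE users SET secret=" . sqlesc($sec)
         . ", editsecret='', passhash=" . sqlesc($newpasshash)
         . " WHERE id=$id AND editsecret=" . sqlesc($editsecret);
}

// The fix from the post: route $id through sqlesc() so it arrives quoted.
// A quoted string compared with an integer column is converted by MySQL
// using its leading numeric prefix, so "1 OR 1=1 -- " compares as 1.
function build_update_quoted($id, $sec, $newpasshash, $editsecret)
{
    return "UPDATE users SET secret=" . sqlesc($sec)
         . ", editsecret='', passhash=" . sqlesc($newpasshash)
         . " WHERE id=" . sqlesc($id) . " AND editsecret=" . sqlesc($editsecret);
}

// Stricter, and what a numeric key deserves: cast to int before it gets near
// the query. Anything that is not a number collapses to 0 and matches no row.
function build_update_cast($id, $sec, $newpasshash, $editsecret)
{
    $id = (int) $id;
    return "UPDATE users SET secret=" . sqlesc($sec)
         . ", editsecret='', passhash=" . sqlesc($newpasshash)
         . " WHERE id=$id AND editsecret=" . sqlesc($editsecret);
}

// The general answer, independent of how the patched releases actually did it
// (assumption, not verified against current TBDev): bind values instead of
// concatenating them. Needs a mysqli connection, so it is defined, not called.
function update_secret_prepared(mysqli $db, $id, $sec, $newpasshash, $editsecret)
{
    $stmt = $db->prepare(
        "UPDATE users SET secret=?, editsecret='', passhash=? WHERE id=? AND editsecret=?"
    );
    $stmt->bind_param("ssis", $sec, $newpasshash, $id, $editsecret);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed attacker input: a value that, if it lands in the SQL unquoted,
// makes the row filter always true and comments out the editsecret check.
// mysql_query() refuses stacked statements, so "; DROP TABLE ..." would not
// run, but rewriting the WHERE clause is enough to overwrite every passhash.
$evil_id = "1 OR 1=1 -- ";

foreach (['vulnerable' => 'build_update_vulnerable',
          'quoted'     => 'build_update_quoted',
          'cast'       => 'build_update_cast'] as $label => $builder) {
    echo str_pad($label, 11), $builder($evil_id, "s3cret", "newhash", "token"), "\n";
}
```

Run it with php from the command line and compare the three WHERE clauses. The vulnerable builder ends in WHERE id=1 OR 1=1 --  AND editsecret='token', which MySQL reads as "every row, no editsecret needed". The quoted builder ends in WHERE id='1 OR 1=1 -- ' AND editsecret='token', which MySQL compares as id=1 (with a truncation warning) and still requires the right editsecret. The cast builder ends in WHERE id=1 AND editsecret='token'. Of the three, only the prepared statement keeps working if someone later changes the column type or adds another interpolated value.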

Napon 5th November 2018 11:28

PHP Code:

mysql_query("UPDATE users SET secret=" . sqlesc($sec) . ", editsecret='', passhash=" . sqlesc($newpasshash) . " WHERE id=$id AND editsecret=" . sqlesc($arr["editsecret"]));


DND 5th November 2018 12:47

This issue only affects old code. Newer code is all patched.

Napon 5th November 2018 23:03

DND, very true.
Same with TorrentTrader mysqli.

BamBam0077 1st December 2018 07:22

My 2 cents' worth is that people still download TBDev over other sources without realising the security risk, and yeah, I send them to other sources just like you, though I find it interesting that no one has explained any of the insecurity of this engine except if you google "tbdev09 exploits", which is bullshit, as I thought this forum was gonna teach it; I have noticed I have been misguided.

Napon 1st December 2018 13:09

Full of crap, I see, again.

