
Whats wrong with this simple script?

post #1 of 10
Thread Starter 
Hi, I've created a simple change-theme script that writes to the database the name of the theme I want to load.
It's all working on my PC (localhost) with AppServer, but once I put it on a host it no longer works.
Code:
<?php
if (isset($settheme))   {
$changetheme = $_GET['settheme'];
mysql_query("UPDATE theme SET name = '$changetheme'"); 
$rc = mysql_affected_rows();
if ($rc != null)        {
echo "<div class='popup-message'>grats, theme has been changet to $changetheme</div>";
?>
 <script type="text/JavaScript">
      setTimeout("location.href = '<?php echo $site_url ?>';",2000);
 </script>
<?php
}
}

?>

And the tables and columns ARE correct. And the link for changing a theme in my case is ?setheme=themename, which I clicked on.
Edited by Zvejniex - 4/5/13 at 4:57am
post #2 of 10
Quote:
Originally Posted by Zvejniex View Post

Hi, I've created a simple change-theme script that writes to the database the name of the theme I want to load.
It's all working on my PC (localhost) with AppServer, but once I put it on a host it no longer works.
Code:
<?php
if (isset($settheme))   {
$changetheme = $_GET['settheme'];
mysql_query("UPDATE theme SET name = '$changetheme'"); 
$rc = mysql_affected_rows();
if ($rc != null)        {
echo "<div class='popup-message'>grats, theme has been changet to $changetheme</div>";
?>
 <script type="text/JavaScript">
      setTimeout("location.href = '<?php echo $site_url ?>';",2000);
 </script>
<?php
}
}

?>

should be:
Code:
<?php
if(isset($_GET['settheme'])){ //change here
    $changetheme = $_GET['settheme'];
    mysql_query("UPDATE theme SET name = '$changetheme'"); //you may need to add a WHERE here (depending on how it's set up) - NOTE: this function is deprecated as of PHP 5.5
    $rc = mysql_affected_rows(); //- NOTE: this function is deprecated as of PHP 5.5
    if ($rc != null){
        echo "<div class='popup-message'>grats, theme has been changet to $changetheme</div>";
        ?>
        <script type="text/JavaScript">
            setTimeout(function(){ //change here
                window.location.href = '<?php echo $site_url ?>'; //is $site_url set anywhere? maybe use: window.location.reload()
            }, 2000);
        </script>
        <?php
    }
}
?>

Edited by pierowheelz - 4/5/13 at 5:31am
post #3 of 10
Thread Starter 
Ty! +rep
post #4 of 10
Thread Starter 
Wouldn't the reload function put me in a loop? Or wouldn't MySQL update if the data matched the data it was going to post?
post #5 of 10
An infinite loop would be a possibility with this setup; you might want to nullify your $_GET var to remove that chance.

Also, this screams SQL injection. Please parametrize the inputs to your queries using mysqli; this is an excellent Stack Overflow post on how to do so.
post #6 of 10
Thread Starter 
Seems like I'm not getting the idea...
Maybe there is some great tutorial you know of for preventing SQL injection? I was going to make my website secure later and learn about it then, because I'm nowhere near finishing it.
post #7 of 10
Security is much easier to implement when you do it from the start. Trying to find and fix all of the holes after the fact is difficult, and in some cases might require you to rethink your design. The page linked to by xyexz is a starting point. I'll give you a few pointers on a couple of issues (not just security) as well. Consider this line:
Code:
mysql_query("UPDATE theme SET name = '$changetheme'");
  • Firstly, mysql_query is old and unsafe. You will want to Google around for how to use mysqli and/or PHP Data Objects (PDO). The latter is good because it doesn't depend on MySQL, but it also has a couple of default options gotchas that make it less safe than it could be.
  • If your site has multiple user accounts and is not just some personal project this query will change the theme for all users. You may wish to consider storing the selected theme in a way that it associates it with a particular user, and then you'll also need to include a WHERE clause to make the change only to the row that matches that user. Of course if you have no concept of users then this isn't important.
  • You are blindly assuming that the value in the query string is safe. A malicious user could append any random value for the theme name with an additional SQL query that will run right after yours, which might pull out sensitive data (if there is any), insert its own records or drop tables. The best protection against this is to first assume that any data used in a query is dangerous and untrustworthy, and secondly to use parameterised queries/prepared statements (see the link previously mentioned, but also Google it) to prevent damage caused by that untrustworthy data. Using prepared statements means that a theme name of "blahblah';DROP TABLE theme;--" will simply update the matching record(s) with that exact value, rather than executing the trailing statement. Of course this brings me to the next issue...
  • You are assuming that the theme name is valid. What if I pass in "bob's your uncle"? Is there a theme named that?
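As an added example (not code from the thread or from any of its posters), here is the handler rewritten along the lines of post #7 and of the reload-loop concern in posts #4 and #8: the requested theme name is checked against an allow-list of theme directories before any SQL runs, the UPDATE is a PDO prepared statement, and the change is followed by a redirect to a URL without the query string so a reload cannot repeat it. The PDO connection parameters, the themes/ directory, $site_url and the session flag are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a PDO connection, a "theme"
// table with a "name" column (as in the thread), and a "themes/" directory whose
// subdirectory names are the valid theme names; $site_url is the page to return to.
declare(strict_types=1);

/** Valid theme names: only the subdirectories that actually exist under $themeDir. */
function availableThemes(string $themeDir): array
{
    $names = [];
    foreach (scandir($themeDir) ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_dir("$themeDir/$entry")) {
            $names[] = $entry;
        }
    }
    return $names;
}

/**
 * Returns true when the theme was changed. The requested name is checked against
 * the allow-list first, so "bob's your uncle" or "blahblah';DROP TABLE theme;--"
 * are rejected before any SQL runs; the UPDATE itself is a prepared statement, so
 * even an allowed name is passed as data, never spliced into the query text.
 */
function changeTheme(PDO $pdo, string $requested, array $allowed): bool
{
    if (!in_array($requested, $allowed, true)) {
        return false;                       // unknown theme: refuse, do not guess
    }
    $stmt = $pdo->prepare('UPDATE theme SET name = :name');
    $stmt->execute([':name' => $requested]);
    return $stmt->rowCount() > 0;           // 0 when the theme was already set
}

$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [   // assumed DSN
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,    // real server-side prepares (the PDO default gotcha)
]);
$site_url = '/';                            // assumed: page to return to after the change

if (isset($_GET['settheme'])) {
    $ok = changeTheme($pdo, (string) $_GET['settheme'], availableThemes(__DIR__ . '/themes'));
    // Redirect to a URL without ?settheme=..., so a reload cannot re-run the UPDATE
    // (the loop worry from post #4); the outcome travels in a short-lived session flag.
    session_start();
    $_SESSION['theme_changed'] = $ok;
    header('Location: ' . $site_url, true, 303);
    exit;
}
session_start();
if (!empty($_SESSION['theme_changed'])) {
    unset($_SESSION['theme_changed']);
    echo '<div class="popup-message">Theme changed.</div>';
}
```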
post #8 of 10
Quote:
Originally Posted by Zvejniex View Post

Wouldn't the reload function put me in a loop? Or wouldn't MySQL update if the data matched the data it was going to post?
You are indeed correct. The correct script would be window.location.href = window.location.hash;
Although, assuming $site_url is correctly set, you should be fine using that.
post #9 of 10
Found this post on this site that references using PDO, for parametrizing your inputs on SQL queries:

http://www.overclock.net/t/1374215/is-mysql-real-escape-string-enough-to-prevent-sql-injection

the_dude had a great example that should get you on the right path.
post #10 of 10
Thread Starter 
Okay, soon I'm going to do all that stuff, but before I do, why don't you try hacking it..
http://cmz.is-best.net
And if you need a simple user account, then username: Test, pass: qwerty