Hi friends, I have a problem. I've created a script without PDO and it is SQLi vulnerable; the SQL connection is PDO because it is simple to do that, but in this case the situation is changed. Please help me, this is the code:
<?php require ("../SQL.php");
##### From here on, the directories for the pictures are created #####
// Raw request values; they are interpolated unescaped into paths and SQL below.
$model = "$_POST[model]";
$marca = "$_POST[marca]";
mkdir ("\\server\\htdocs\\panou\\poze\\{$marca}/{$model}", 0777, true);
$director_poza = ("poze/{$marca}/{$model}/");
$numetmp_poza = $_FILES['numepoza1']['name'];
$numepoza1 = $director_poza.$numetmp_poza;
$numetmp_poza = $_FILES['numepoza2']['name'];
$numepoza2 = $director_poza.$numetmp_poza;
$numetmp_poza = $_FILES['numepoza3']['name'];
$numepoza3 = $director_poza.$numetmp_poza;
// Each move only runs if the previous one succeeded (same behaviour as the nested ifs).
if (move_uploaded_file($_FILES['numepoza1']['tmp_name'], $numepoza1)
    && move_uploaded_file($_FILES['numepoza2']['tmp_name'], $numepoza2)
    && move_uploaded_file($_FILES['numepoza3']['tmp_name'], $numepoza3))
{
    // Detect the image type of the first upload; $ext is set but never used afterwards.
    list($width, $height, $type, $attr) = getimagesize($numepoza1);
    switch ($type)
    {
        case 1:
            $ext = ".gif"; break;
        case 2:
            $ext = ".jpg"; break;
        case 3:
            $ext = ".png"; break;
        default:
            // Note: the message is printed but the INSERT below still runs.
            echo "Format foto neacceptat";
    }
    // $utilizator is presumably defined in ../SQL.php (not shown in the post).
    $insertie = "INSERT INTO modele
    (id, marca, model, utilizator, despre, data, data_luna, data_zi, img1, img2, img3, doi_g, trei_g, patru_g, info_ecran, rezolutie_ecran, multitouch_ecran, protectie_ecran, sunet_sonerii, sunet_mainilibere, sunet_mufa_jack, memorie_card, mcard_tip, mcard_capacitate, intern_memorie, date_gprs, date_edge, date_viteze, date_wifi, date_bt, date_nfc, date_usb, camera_spate, camera_fata, camera_tehnologii, camera_video, performanta_os, performanta_chipset, performanta_cpu, performanta_cpu_core, performanta_cpu_tip, performanta_rami, performanta_gpu, performanta_senzori, performanta_gps, performanta_java, altele_radio, altele_mesajerie, altele_filme, baterie_autonomie, baterie_mAh, baterie_convorbire, SEO_cuvinte_cheie)
    VALUES
    ('',
    '$_POST[marca]',
    '$_POST[model]',
    '$utilizator',
    '$_POST[despre]',
    '$_POST[data]',
    '$_POST[data_luna]',
    '$_POST[data_zi]',
    '$numepoza1',
    '$numepoza2',
    '$numepoza3',
    '$_POST[doi_g]',
    '$_POST[trei_g]',
    '$_POST[patru_g]',
    '$_POST[info_ecran]',
    '$_POST[rezolutie_ecran]',
    '$_POST[multitouch_ecran]',
    '$_POST[protectie_ecran]',
    '$_POST[sunet_sonerii]',
    '$_POST[sunet_mainilibere]',
    '$_POST[sunet_mufa_jack]',
    '$_POST[memorie_card]',
    '$_POST[mcard_tip]',
    '$_POST[mcard_capacitate]',
    '$_POST[intern_memorie]',
    '$_POST[date_gprs]',
    '$_POST[date_edge]',
    '$_POST[date_viteze]',
    '$_POST[date_wifi]',
    '$_POST[date_bt]',
    '$_POST[date_nfc]',
    '$_POST[date_usb]',
    '$_POST[camera_spate]',
    '$_POST[camera_fata]',
    '$_POST[camera_tehnologii]',
    '$_POST[camera_video]',
    '$_POST[performanta_os]',
    '$_POST[performanta_chipset]',
    '$_POST[performanta_cpu]',
    '$_POST[performanta_cpu_core]',
    '$_POST[performanta_cpu_tip]',
    '$_POST[performanta_rami]',
    '$_POST[performanta_gpu]',
    '$_POST[performanta_senzori]',
    '$_POST[performanta_gps]',
    '$_POST[performanta_java]',
    '$_POST[altele_radio]',
    '$_POST[altele_mesajerie]',
    '$_POST[altele_filme]',
    '$_POST[baterie_autonomie]',
    '$_POST[baterie_mAh]',
    '$_POST[baterie_convorbire]',
    '$_POST[SEO_cuvinte_cheie]')";
    // Request values are concatenated straight into the query text (the injection the post asks about).
    $insertieresults = mysql_query($insertie) or die(mysql_error());
}
echo '<center>Succesuful!</center>
<meta http-equiv="refresh" content="5; URL=adauga-tableta-tel.php"/>';
?>
I know that this is clearly vulnerable to hack-injects, thank you in advance.
SO isn't going to re-write your code for you. Look into using PDO and try it yourself first. This post also seems relevant. If you have issues while you're writing it, come back and post your code. Then we can help.
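What the answer points to, shown as an added example that is neither the asker's nor the answerer's code: the same INSERT done with a PDO prepared statement, using a subset of the columns from the question. It assumes that ../SQL.php opens a PDO connection in $pdo and defines $utilizator, and that the id column is AUTO_INCREMENT so it can be left out.

```php
<?php
// Added example: the INSERT from the question rewritten with a PDO prepared statement.
// Assumptions: ../SQL.php creates a PDO connection in $pdo and sets $utilizator;
// id is AUTO_INCREMENT, so it is omitted instead of inserting ''.
require '../SQL.php';
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares: values are sent separately from the SQL text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Whitelist of column names copied from the question (a subset, for brevity).
// Only these fixed names ever become part of the SQL string.
$columns = ['marca', 'model', 'despre', 'data', 'data_luna', 'data_zi',
            'doi_g', 'trei_g', 'patru_g', 'info_ecran', 'rezolutie_ecran'];

function insertModel(PDO $pdo, array $columns, array $post, $utilizator, array $images)
{
    $cols = array_merge($columns, ['utilizator', 'img1', 'img2', 'img3']);
    // Placeholders are derived from the whitelist, never from request data.
    $placeholders = array_map(function ($c) { return ':' . $c; }, $cols);
    $sql = sprintf('INSERT INTO modele (%s) VALUES (%s)',
                   implode(', ', $cols), implode(', ', $placeholders));
    $stmt = $pdo->prepare($sql);

    $params = [];
    foreach ($columns as $c) {
        // Missing fields become '' instead of undefined-index notices.
        $params[':' . $c] = isset($post[$c]) ? $post[$c] : '';
    }
    $params[':utilizator'] = $utilizator;
    list($params[':img1'], $params[':img2'], $params[':img3']) = $images;

    // Values are bound as data: quotes or SQL keywords inside them are stored
    // literally and can no longer change the statement.
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

// Image paths as built in the question after move_uploaded_file succeeded;
// these are constructed sample values so the snippet reads on its own.
$images = ['poze/Marca/Model/1.jpg', 'poze/Marca/Model/2.jpg', 'poze/Marca/Model/3.jpg'];
$newId = insertModel($pdo, $columns, $_POST, $utilizator, $images);
```

The remaining columns from the question are added by extending the $columns whitelist; the request values themselves never touch the query text.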