Home/ Questions/Q 6373667
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T01:23:27+00:00

So I have a C++ application that takes a value from a key in

  • 0

So I have a C++ application that takes a value from a key in a settings.INI file, uses libcurl to reach out to a PHP page, post that data, and it should return some different data.

And it actually works, aside from grabbing the data from the INI file. If I explicitely type in for the POSTFIELDS option for libcurl (e.i.: “Serial=454534” , instead of the variable storing the data that it retrived from my file).

Here’s some code..
PHP:

<?
include("DBHeader.inc.php");
$Serial= $_POST['Serial'];

$sql = "SELECT * FROM `LockCodes` WHERE `sLockCode`=\"$Serial\"";
$RS=mysql_query($sql, $SQLConn);
$num_rows=mysql_num_rows($RS);

if ($num_rows>0)
{
      while ($row = mysql_fetch_array($RS))
  {
       echo $row['iLockCodeID'];
  }
}
else
{
  echo "...";
}


?>

Snippet of C++ code:

TCHAR szKeyValue[36];
GetPrivateProfileString(_T("Test"), _T("LockCode"), _T(""), szKeyValue, 36, _T("C:\\Test\\Settings.INI"));

CString sLockCode = szKeyValue;
CURL *curl;
CURLcode res;
CString Serial = _T("Serial=") + sLockCode;
string LCID;

curl_global_init(CURL_GLOBAL_ALL);

curl = curl_easy_init();
if (curl)
{
    curl_easy_setopt(curl, CURLOPT_URL, "http://regserver2.nyksys.com/GetLCID.php");
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, Serial);
    res = curl_easy_perform(curl);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &writeCallback);
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    res = curl_easy_perform(curl);

    if (data == _T("..."))
    {
        data = "0";
        AfxMessageBox("Invalid Serial Number");
        exit(0);
    }

My Settings.INI is in the standard format..

[Test]
LockCode=1D4553C7E7228E462DBAAE267977B7CDED8A

What happens is whenever I use the variable “Serial” instead of typing it in, the PHP page returns “…” instead of the desired result.

I feel like I’m missing something obvious. Any help would be TREMENDOUSLY appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I am guessing that you have _UNICODE defined, which means that TCHAR is wchar_t, CString is CStringT<wchar_t>, and the code:

    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, Serial);

    actually passes a wide char string to curl_easy_setopt() when the function is expecting a narrow char string. If your machine is little Endian, then curl_easy_setopt() interprets the parameter as the string "S\x00e\x00r\x00i\x00... (on a Big Endian machine, it’s "\x00S\x00e\x00r\x00i...) and because curl_easy_setopt() will use strlen() when CURLOPT_POSTFIELDSIZE is not set, the entire POST request body on a little Endian machine is S. See, for example, http://codepad.org/JE2MYZfU

    What you need to do is use narrow char strings:

    #define ARRAY_LEN(arr_id) ((sizeof (arr_id))/(sizeof ((arr_id)[0])))

char szKeyValue[36];
GetPrivateProfileStringA("Test", "LockCode", "", szKeyValue, ARRAY_LEN(szKeyValue), "C:\\Test\\Settings.INI");

CURL *curl;
CURLcode res;
CStringT<char> Body = CStringT<char>("Serial=") + szKeyValue;
string LCID;

curl_global_init(CURL_GLOBAL_ALL);

curl = curl_easy_init();
if (curl)
{
    curl_easy_setopt(curl, CURLOPT_URL, "http://regserver2.nyksys.com/GetLCID.php");
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, Body);
    res = curl_easy_perform(curl);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &writeCallback);
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    res = curl_easy_perform(curl);
//...

    Also, your PHP script looks vulnerable to SQL injection.

    EDIT: One more thing. Are you setting CURLOPT_POST to 1?

        curl_easy_setopt(curl, CURLOPT_POST, 1);
    • 0