Blind SQL Injection using acunetix

I’m using acunetix to test my website. The problem is with this script http://boedesign.com/blog/2007/02/18/ajax-star-rating/

acunetix doesn’t show any message, but when I test for blind SQL I can get values like

8 and 1=0 --
8 and 31337-31337=0

JavaScript
​x
 
8 and 1=0 --8 and 31337-31337=0​

in the rating_id mysql column, I want to only allow numbers in there, so I made a little fix but since the first number is 8 its passing trough the if. how can I fix it? It’s something like this at includes/rating_process.php

// IF JAVASCRIPT IS ENABLED
if($_POST){
$id = escape($_POST['id']);
$rating = (int) $_POST['rating'];
 
if($rating <= 5 && $rating >= 1 && $id >= 1 && $id <=9999999){
 
if(@mysql_fetch_assoc(mysql_query("SELECT id FROM ratings WHERE IP = '".$_SERVER['REMOTE_ADDR']."' AND rating_id = '$id'")) || isset($_COOKIE['has_voted_'.$id])){
  
echo 'already_voted';  
} else {

JavaScript
 
// IF JAVASCRIPT IS ENABLEDif($_POST){$id = escape($_POST['id']);$rating = (int) $_POST['rating']; if($rating <= 5 && $rating >= 1 && $id >= 1 && $id <=9999999){ if(@mysql_fetch_assoc(mysql_query("SELECT id FROM ratings WHERE IP = '".$_SERVER['REMOTE_ADDR']."' AND rating_id = '$id'")) || isset($_COOKIE['has_voted_'.$id])){  echo 'already_voted';  } else {​

and almost the same think at the “// IF JAVASCRIPT IS DISABLED”

Answer

If you know that the rating must be an integer, you can cast your variable as an integer :

$rating = (int) $_POST['rating'] ;

JavaScript
 
$rating = (int) $_POST['rating'] ;​

You can do as well on your id variable.

It ensures you that you only have integer values.

Advertisement

Answer