0

When people try an SQL injection, the MySQL error displays the table name with the column names. How can I turn this off? My site is built on an MVC framework,

and this is how the developers have queried the database:

$offset=0;
if(isset($_GET['offset']))
    $offset=$_GET['offset'];
$array_list=$DB->q("select *,users.user_list_id from users left join list_api on users.user_list_id=list_api.api_id $like order by `user_id` DESC limit $offset,".$PerPage);
$view="views/a_list_users.html";

And I can't put @ to disable the query. How do I handle this?

0

You will have to modify your framework configuration or code. MySQL does not send any error messages to the web server if not explicitly requested. Look in the framework code for the function calls mysql_errno() or mysql_error() which will most probably lead you to the place which you will have to modify.

0

5 minutes ago I did not know that celeroo existed. Then I downloaded it and found

$result = mysql_query( $sql ) or die($sql.": ".mysql_error())

in celerooframe\inc\mysql_wrapper.php. This is the line you will have to change to suit your needs.

0

Thanks for your efforts, I appreciate your help. I added @ but the error statement is still displayed. Is there anything specific I need to add?

0

You obviously do not understand the code nor what you are doing.
@ suppresses PHP error messages.
The cited line displays MySQL error messages via PHP. Since no PHP error occurs, nothing gets suppressed.
If you don't want to see any errors, delete the OR clause:

$result = mysql_query( $sql );

You won't see any SQL errors then, of course. Therefore in my projects I often add a conditional error display, depending on the login status or the client's IP.

Edited by smantscheff: n/a

0

No, I wanted to delete it but was going through a few other threads and sites; everywhere they had mentioned @ suppress, and I am not shy to accept it: yes, I did not know that I could delete it. I am a big learner and sincerely thank you for helping me out.

0

Make sure that you have better instruments in place against SQL injection than just hiding column names. Security by obscurity does not work here.
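As an added example (not part of any post in this thread and not Celeroo's code), the query from the question can be run with a validated offset and bound parameters, with query errors logged server-side and shown in detail only to trusted client IPs. It uses PDO with an in-memory SQLite database as a stand-in for MySQL; `run_list_query()`, the `user_name` column, the `search` parameter and the trusted-IP list are assumptions.

```php
<?php
// Added example, not Celeroo code. user_name, the "search" parameter, the
// trusted-IP list and run_list_query() are hypothetical.
const TRUSTED_IPS = ['127.0.0.1'];   // constructed: clients allowed to see full errors
function run_list_query(PDO $db, array $get, int $perPage, string $clientIp): array
{
    // Accept only a non-negative integer offset; anything else becomes 0.
    $offset = filter_var($get['offset'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'default' => 0]]);
    try {
        // Values travel as bound parameters, never as part of the SQL text.
        $stmt = $db->prepare(
            'SELECT users.*, list_api.api_id FROM users
               LEFT JOIN list_api ON users.user_list_id = list_api.api_id
              WHERE users.user_name LIKE :like
              ORDER BY user_id DESC LIMIT :offset, :per_page');
        $stmt->bindValue(':like', '%' . ($get['search'] ?? '') . '%', PDO::PARAM_STR);
        $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
        $stmt->bindValue(':per_page', $perPage, PDO::PARAM_INT);
        $stmt->execute();
        return ['rows' => $stmt->fetchAll(PDO::FETCH_ASSOC), 'error' => null];
    } catch (PDOException $e) {
        // Full detail goes to the server log under a reference id.
        $ref = bin2hex(random_bytes(4));
        error_log("db error [$ref]: " . $e->getMessage());
        // Conditional display: detail only for trusted clients.
        $msg = in_array($clientIp, TRUSTED_IPS, true)
            ? $e->getMessage()
            : "Database error (ref $ref).";
        return ['rows' => [], 'error' => $msg];
    }
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE list_api (api_id INTEGER PRIMARY KEY)');
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_list_id INTEGER)');
$db->exec("INSERT INTO list_api VALUES (1)");
$db->exec("INSERT INTO users VALUES (1,'alice',1), (2,'bob',1), (3,'carol',NULL)");

// A malformed offset (constructed) fails validation and never reaches the SQL.
$r = run_list_query($db, ['offset' => "1'"], 2, '203.0.113.7');
echo count($r['rows']), " rows, first user_id ", $r['rows'][0]['user_id'], "\n";
// A failing query (empty database, no tables) gives an untrusted client no schema detail.
$empty = new PDO('sqlite::memory:');
$empty->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo run_list_query($empty, [], 2, '203.0.113.7')['error'], "\n";
```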

0

Celeroo does that, but when I try SQL injections, it displays the table name with the SQL error. That was the reason I wanted to hide the table and column names. Thanks again for your support.
