need help on sql injection attack
Checking my web site with Google Webmaster Tools I found a strange thing:
somebody tried to link to my site using this (I changed the real
name of my site for obvious security reasons):
....://mysite.com/tarifs.php?annee=aaatoseihmt&mois=10&cours=1828
I tried it and understood it was a SQL injection, with this result:
Warning: mktime() expects parameter 6 to be long, string given in
/home/cogerino/public_html/stagephotoparisien/sba_stages_photo_tarifs.php
on line 72
My code at line 72 is:
mktime (0, 0, 0, $mois, "01", $annee)
It is part of this:
<?php
include ("include.php");   // defines $host, $user, $pass and $bdd
if (!$link = mysql_connect($host, $user, $pass)) {
    echo "Could not connect to mysql";
    exit;
}
if (!mysql_select_db($bdd, $link)) {
    echo "Could not select database";
    exit;
}
mysql_query("SET NAMES 'utf8'");

$annee = "";
$mois = "";
$stage = "";
// the GET parameters are copied as they arrive, with no type or range check
if (isset($_GET['annee'])) { $annee = $_GET['annee']; }
if (isset($_GET['mois']))  { $mois  = $_GET['mois']; }
if (isset($_GET['stage'])) { $stage = $_GET['stage']; }
if ($annee == "") {
    $annee = date("Y");
}
if ($mois == "") {
    $mois = date("m");
}
$date_du_jour = date("d")."-".date("m")."-".date("Y");

// previous and next month, with the year rollover at both boundaries
if ($mois == "12") {
    $mois_precedent = "11";
    $mois_suivant = "01";
    $annee_mois_precedent = $annee;
    $annee_mois_suivant = $annee + 1;
} elseif ($mois == "01") {
    $mois_precedent = "12";
    $mois_suivant = "02";
    $annee_mois_precedent = $annee - 1;
    $annee_mois_suivant = $annee;
} else {
    $mois_precedent = sprintf("%02s", $mois - 1);
    $mois_suivant = sprintf("%02s", $mois + 1);
    $annee_mois_precedent = $annee;
    $annee_mois_suivant = $annee;
}
$jour_en_cours = date("d");
$mois_francais = array("Janvier", "Février", "Mars", "Avril", "Mai",
    "Juin", "Juillet", "Août", "Septembre", "Octobre", "Novembre",
    "Décembre");
$dt_deb_genere = $annee."-".$mois."-01";
$dt_fin_genere = $annee_mois_suivant."-".$mois_suivant."-01";
// line 72: $annee comes straight from the URL, hence the "string given" warning
$dt_date = mktime(0, 0, 0, $mois, "01", $annee);
$jour_de_la_semaine = date("w", $dt_date);
?>
What can I do to protect my site against this?
I tried to understand how to do it with "similar questions", but I think I am
too new to PHP and MySQL to be able to understand. So any help is really
great!
Thanks if you can help on this! I have worked hard for months now on my site
and don't want to lose my business.
.blc.
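One way to harden the script above, as an added example rather than the poster's own code: accept `annee` and `mois` only when they are digits in a plausible range (falling back to the current date otherwise), so mktime() always gets integers, and fetch the data with a prepared statement so the values are never spliced into the SQL text. `$host`, `$bdd`, `$user` and `$pass` are taken from the poster's include.php; the table name `stages` and column `date_debut` are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. Table and column names
// ("stages", "date_debut") are assumed; $host, $bdd, $user, $pass come from
// the poster's include.php.
include("include.php");

// Whitelist-validate the URL parameters: a 4-digit year and a month 1..12.
// Anything else (e.g. "aaatoseihmt") is discarded and the current date used.
function validate_month_year(array $get)
{
    $annee = (int) date('Y');
    if (isset($get['annee']) && ctype_digit((string) $get['annee'])
        && strlen($get['annee']) === 4) {
        $annee = (int) $get['annee'];
    }
    $mois = (int) date('m');
    if (isset($get['mois']) && ctype_digit((string) $get['mois'])) {
        $m = (int) $get['mois'];
        if ($m >= 1 && $m <= 12) {
            $mois = $m;
        }
    }
    return array($annee, $mois);
}

list($annee, $mois) = validate_month_year($_GET);

// mktime() now only ever receives integers, so the "string given" warning
// cannot occur. Month 13 rolls over to January of the next year by itself,
// which replaces the hand-written December/January special cases.
$dt_date       = mktime(0, 0, 0, $mois, 1, $annee);
$dt_deb_genere = date('Y-m-d', $dt_date);
$dt_fin_genere = date('Y-m-d', mktime(0, 0, 0, $mois + 1, 1, $annee));
$jour_de_la_semaine = date('w', $dt_date);

// Prepared statement: the dates are bound as parameters, never concatenated
// into the query string, so no URL value can alter the SQL.
$pdo = new PDO("mysql:host=$host;dbname=$bdd;charset=utf8", $user, $pass, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));
$stmt = $pdo->prepare(
    'SELECT * FROM stages WHERE date_debut >= :deb AND date_debut < :fin'
);
$stmt->execute(array(':deb' => $dt_deb_genere, ':fin' => $dt_fin_genere));
$stages = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The same `validate_month_year()` pattern (digits only, explicit range, safe default) applies to the `stage` parameter, and any value that must reach the database should go through a bound parameter as above.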