From: Matthew G. <mat...@gm...> - 2008-09-25 13:05:38
I received the message below, but don't have time to do a thorough investigation at the moment. From a quick look, it seems like this is not a problem. Anyone with more time, please take a look.

> File: phpESP/public/survey.php
> Lines:
>
> 15 $_name = _addslashes($_GET['name']);
> 25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
>
> Since the variable $_name is not embedded in quotes, the function addslashes will not prevent SQL injection attacks, since the attacker does not need to use quotes.
>
> PoC:
> survey.php?name=1 and 1=0 union select null, username, password from designer
>
> Fix:
> 25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
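The unquoted interpolation from the quoted report, placed beside a parameterised version of the same lookup (an added example, not phpESP's own code; it assumes a PDO handle to an in-memory SQLite database and reuses the report's $GLOBALS['ESPCONFIG']['survey_table'] key, with PHP's addslashes() standing in for phpESP's _addslashes()):

```php
<?php
// Added example, not code from phpESP. It sets up an in-memory SQLite
// database so the two lookups below can be run side by side.
$GLOBALS['ESPCONFIG']['survey_table'] = 'survey';   // constructed sample value
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE survey (id INTEGER, name TEXT, title TEXT, theme TEXT)");
$pdo->exec("INSERT INTO survey VALUES (1, 'demo', 'Demo survey', 'default')");

// Reported form: addslashes() stands in for phpESP's _addslashes(). It only
// escapes quote characters, and because $_name is interpolated without
// surrounding quotes, whatever the caller sends is parsed as SQL grammar.
function find_survey_unsafe(PDO $pdo, string $name): ?array
{
    $_name = addslashes($name);
    $_sql  = "SELECT id,title,theme FROM "
           . $GLOBALS['ESPCONFIG']['survey_table']
           . " WHERE name = $_name";
    $row = $pdo->query($_sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the user-supplied name is bound as a parameter, so it
// reaches the database as data regardless of quoting or escaping. The
// table name is an identifier and cannot be bound, so it is taken from
// trusted configuration and checked against a strict allow-pattern.
function find_survey_safe(PDO $pdo, string $name): ?array
{
    $table = $GLOBALS['ESPCONFIG']['survey_table'];
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new RuntimeException('unexpected survey_table value');
    }
    $stmt = $pdo->prepare("SELECT id,title,theme FROM $table WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// With a benign name the unsafe form fails outright (the bare word "demo"
// is parsed as a column reference, not a string), while the bound
// version returns the row.
try {
    var_dump(find_survey_unsafe($pdo, 'demo'));
} catch (PDOException $e) {
    echo "unsafe form: " . $e->getMessage() . "\n";
}
var_dump(find_survey_safe($pdo, 'demo'));
```

The report's own fix (wrapping $_name in single quotes) makes the escaping take effect; binding the value instead removes the dependence on escaping altogether.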