• Resolved textliving

    (@textliving)


    I was looking at my PHP error log today and I see it filled with the following 2 errors:

    PHP Warning: mysql_real_escape_string(): No connection could be made because the target machine actively refused it. in \MyWordPressFolder\wp-content\plugins\seo-redirection\common\util.php on line 61

    PHP Warning: mysql_real_escape_string(): A link to the server could not be established in \MyWordPressFolder\wp-content\plugins\seo-redirection\common\util.php on line 61

    So I took a look at line 61 and it is in the get_ref function where it is returning the clean HTTP referer URL using the mysql_real_escape_string. So is there a different function that can do the same without throwing out these connection errors? I read something about using mysqli_real_escape_string().

    My PHP is a little rusty, I do mostly .NET stuff but it seems like the function is just needing to clean the URL to make sure it is safe to insert into a SQL command. Is there a reason that this simple function is trying to make a database connection? Is there a simple fix for this? Could it be that most people are running a local instance of MySQL and I am running MySQL on a separate dedicated server?

    It seems to be logging these two errors every time a redirect is logged so my error log file is getting pretty large.

    https://www.ads-software.com/plugins/seo-redirection/

Viewing 3 replies - 1 through 3 (of 3 total)
  • dz0ny

    (@dz0ny)

    @textliving FYI, you’ve just stumbled on a SQL Injection bug. The problem is when the stack uses mysqli and a connection is established. If a perpetrator controls the referrer header, he or she can do whatever they want with the db.

    Hello,

    This does not appear to leave the plugin open to SQL injection as when this particular function fails it returns false but it does generate a PHP warning. I am facing the same errors in my log as the OP.

    The bug is that it is using mysql_real_escape_string without referencing an open connection and therefore this fails because your database needs a password to establish a new connection and thus the database cannot escape the string for you.

    There are three instances of this in common/util.php and I believe the WordPress function esc_sql can be dropped in as an appropriate working replacement for whatever escaping activity is going on here. I haven’t dug deep enough to see whether this referrer hits the database or whether this escaping is done out of an abundance of caution.

    Thanks,

    Scott
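
    Scott's esc_sql() suggestion, written out as an added example that is not the plugin's own code: the functions and the table name below are hypothetical stand-ins for the get_ref helper discussed above, and the snippet assumes it runs inside WordPress, where $wpdb and esc_sql() are defined.

```php
<?php
// Added example (not from the seo-redirection plugin): a minimal stand-in for
// the get_ref() helper discussed in this thread, showing why
// mysql_real_escape_string() fails without a connection and what replaces it.
// Assumes a WordPress runtime: $wpdb and esc_sql() exist.

// Original pattern: mysql_real_escape_string() needs an open mysql_* link.
// With no link (remote DB host, or a mysqli-based stack) it logs the
// "A link to the server could not be established" warning and returns false,
// so the caller receives false rather than an escaped string.
function get_ref_legacy() {
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    return mysql_real_escape_string($ref); // warns and returns false without a link
}

// Drop-in replacement: esc_sql() escapes through WordPress's own $wpdb
// connection, so it works whichever driver or host the site is using.
function get_ref_esc_sql() {
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    return esc_sql($ref);
}

// Preferred when the value actually reaches a query: bind it with
// $wpdb->prepare() instead of escaping and concatenating it by hand.
// $table is a hypothetical placeholder (e.g. $wpdb->prefix . 'seo_redirect_log').
function log_ref($table) {
    global $wpdb;
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $sql = $wpdb->prepare("INSERT INTO {$table} (referer) VALUES (%s)", $ref);
    return $wpdb->query($sql);
}
```

    Note that a false return from the legacy version stringifies to an empty value when concatenated into SQL, which is why the failure drops the referer rather than injecting it.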

    Hello,

    I also hope the developer can roll in a similar fix to the next update as it would be inconvenient to replace this manually following every update.

    Thanks

    Scott

  • The topic ‘problem with mysql_real_escape_string()’ is closed to new replies.