[Sticky] SQL Injection vulnerability in eFiction

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

UPDATE: zip-archive attached with the modified files.

Updated package is postponed, also, until this fix has become somewhat stable.

Sheep, I think you are great to tackle this problem but I'm confused... is there an attachment on your post or not? I see a paperclip on the header like there is an attachment but I could find no link. I will attempt to manually alter my files, but if I do, will I screw something up? Seems like there are some unpredictable results.

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:

I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix.  Here's an example:

http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37

No matter what I do on the HTML editor side, I cannot remove those characters.  They persist over and over.

-- jb

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:

I'd also be up for doing any beta testing when you are ready. 

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.

So it'd good now?

It seems to be.  Once I backed out the config.php changes, all of the weird extra characters disappeared when I did the hand-edits to the HTML input editor.

-- jb

I am very willing too to help with beta testing, anything you need

Changes haven been included in the latest release, 3.5.5
Topic locked.