
r.php and ws.php files, SQL Injection or Not?

Some people have reported a SQL injection vulnerability in the jLinks r.php and ws.php files.

<?php
$_REQUEST["option"]="com_jlinks";
$_REQUEST["controller"]="redirect";
$_REQUEST["link"]=$_REQUEST["l"];
include("index.php");

We want to inform everyone that this is NOT a SQL injection, and here is why.

First, all this file does is perform a soft redirect with a shorter URL.
Anyone with some PHP knowledge will realize that:
This is a hard-coded string; there is no variable here, so no injection: $_REQUEST["option"]="com_jlinks";
This is a hard-coded string; there is no variable here, so no injection: $_REQUEST["controller"]="redirect";
This $_REQUEST["link"]=$_REQUEST["l"] simply takes the value of one $_REQUEST entry and puts it into another one, again for simplicity of the URL. No SQL query is built in this file.
All variables (option, controller, redirect) ARE filtered afterward, when they are read and used.

The reason a crawler or other people might say that this is a SQL injection is that they see the PHP variable $_REQUEST and immediately conclude it must be SQL injection.
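Whether a copied request value is safe depends on what happens where it is finally read and used. The sketch below is an added example, not jLinks or Joobi code: it shows the alias step from the wrapper followed by filtering and a bound-parameter lookup at the point of use. The table, column, function names, allow-list pattern and sample data are all hypothetical.

```php
<?php
// Added example, NOT jLinks code. Table, column and function names are hypothetical.

// Step 1: what the wrapper does: alias the short parameter "l" to "link".
// No SQL is built here; the value is still untrusted after the copy.
function aliasShortParam(array $request): array
{
    $request['option'] = 'com_jlinks';
    $request['controller'] = 'redirect';
    $request['link'] = $request['l'] ?? '';
    return $request;
}

// Step 2: filter at the point of use (assumed allow-list: letters, digits, "-" and "_").
function filterLinkId($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Step 3: the sink. A bound parameter keeps the value out of the SQL text.
function resolveTarget(PDO $db, array $request): ?string
{
    $id = filterLinkId($request['link'] ?? null);
    if ($id === null) {
        return null; // rejected before any query runs
    }
    $stmt = $db->prepare('SELECT target FROM links WHERE short_id = :id');
    $stmt->execute([':id' => $id]);
    $target = $stmt->fetchColumn();
    return $target === false ? null : $target;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (short_id TEXT PRIMARY KEY, target TEXT)');
$db->exec("INSERT INTO links VALUES ('promo1', 'https://example.com/landing')");

// Constructed requests: one well-formed, one carrying SQL metacharacters.
foreach (['promo1', "promo1' OR '1'='1"] as $l) {
    $target = resolveTarget($db, aliasShortParam(['l' => $l]));
    echo json_encode($l), ' => ', $target ?? 'rejected', PHP_EOL;
}
```

When reviewing a scanner finding of this kind, the lines to audit are the equivalents of steps 2 and 3 in the component that consumes `link`, not the alias line itself.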

If you are still in doubt, please ask a knowledgeable PHP developer for a second confirmation.

Cheryl is responsible for customer happiness, strategic planning, and management of Joobi's branding strategy through inbound marketing, search engine optimization, and social media. You can find her on Google+, Twitter and LinkedIn.
