
r.php and ws.php files, SQL Injection or Not?

Some people have reported a SQL injection vulnerability in the jLinks r.php and ws.php files. This is the code in question:

<?php
// r.php: expand the short URL into the full component request, then hand off to Joomla
$_REQUEST["option"] = "com_jlinks";    // hard-coded
$_REQUEST["controller"] = "redirect";  // hard-coded
$_REQUEST["link"] = $_REQUEST["l"];    // copy of the user-supplied "l" parameter
include("index.php");

We want to inform everyone that this is NOT a SQL injection, and here is why.

First, all this file does is perform a soft redirect so that a shorter URL can be used. Anyone with some PHP knowledge will see that:
  • $_REQUEST["option"]="com_jlinks"; assigns a hard-coded string. There is no variable here, so nothing can be injected.
  • $_REQUEST["controller"]="redirect"; likewise assigns a hard-coded string.
  • $_REQUEST["link"]=$_REQUEST["l"]; simply copies the value of one request parameter into another, again to keep the URL short. The value is still user input after the copy, but this file builds no SQL query with it, so the copy itself cannot be an injection.
  • All three variables (option, controller, link) ARE filtered afterwards, when the component reads and uses them.

The reason a crawler or a reviewer might call this a SQL injection is that they see user input read from $_REQUEST and immediately conclude it must be SQL injection, without following where the value actually goes.
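To make that argument concrete, here is an added illustration of where a SQL injection would or would not live in this pattern. It is not jLinks or Joobi code: it assumes a hypothetical links(code, url) table in an in-memory SQLite database, a hypothetical consumer of the link parameter, and invented function names, and it shows the forwarder beside a filtered and an unfiltered consumer.

```php
<?php
// Added illustration, not jLinks/Joobi code. Shows that a parameter-forwarding
// file contains no SQL, and that injection is a property of the code that
// later consumes the forwarded value.

// The forwarder, modelled on r.php: pure parameter plumbing, no database access.
function forward_request(array $request): array
{
    $request['option']     = 'com_jlinks';           // fixed string
    $request['controller'] = 'redirect';             // fixed string
    $request['link']       = $request['l'] ?? '';    // user input copied, still untrusted
    return $request;
}

// Hypothetical consumer, wrong way: the untrusted value is spliced into the SQL text.
// This is the construct a scanner is really hunting for, and it is absent from r.php.
function lookup_link_unfiltered(PDO $db, array $request): ?string
{
    $sql = "SELECT url FROM links WHERE code = '" . $request['link'] . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['url'] : null;
}

// Hypothetical consumer, right way: validate the shape of the value, then bind it
// as a parameter so it can never alter the query.
function lookup_link_filtered(PDO $db, array $request): ?string
{
    $code = $request['link'];
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $code)) {
        return null;                                 // reject anything that is not a short code
    }
    $stmt = $db->prepare('SELECT url FROM links WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['url'] : null;
}

// Constructed sample data in an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (code TEXT PRIMARY KEY, url TEXT NOT NULL)');
$db->exec("INSERT INTO links VALUES ('abc', 'https://example.com/')");

// A request crafted to turn the WHERE clause into a tautology.
$req = forward_request(['l' => "x' OR '1'='1"]);

var_dump(lookup_link_filtered($db, $req));
var_dump(lookup_link_unfiltered($db, $req));
```

Run with php on the command line, the filtered lookup prints NULL because the crafted value fails the short-code check before any query is built, while the unfiltered lookup prints the stored URL because the tautology matches every row. The forwarder contributes nothing to either outcome; the difference lies entirely in the code that consumes link, which is why the wrapper on its own cannot be called an injection and why the filtering applied afterwards is what actually matters.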

If you are still in doubt, please ask a knowledgeable PHP developer for a second opinion.

