Skip to content

Corrections on the edit-post.php file #1

Description

@theredhatarmy

Your PHP code contains multiple vulnerabilities, and the most critical among them is an SQL Injection vulnerability. Here's a breakdown of the issues and how to fix them:

1. SQL Injection Vulnerability

Vulnerable Code:

$post_id = $_GET['id'];
$query = "SELECT * FROM blog_posts WHERE id = '$post_id'";
$result = mysqli_query($con,$query);

Why It’s Dangerous:

This code directly inserts user input ($_GET['id']) into the SQL query without sanitization or prepared statements. An attacker could craft a malicious URL like:

edit-post.php?id=1' OR '1'='1

Which would result in:

SELECT * FROM blog_posts WHERE id = '1' OR '1'='1'

And potentially dump all posts or allow further exploitation.

✅ Fix:

Use prepared statements to sanitize user input:

if (isset($_GET['id'])) {
    $post_id = $_GET['id'];
    $stmt = $con->prepare("SELECT * FROM blog_posts WHERE id = ?");
    $stmt->bind_param("i", $post_id);
    $stmt->execute();
    $result = $stmt->get_result();

2. Cross-Site Scripting (XSS)

Vulnerable Code:

<input type="text" value="<?php echo $postTitle; ?>" name="postTitle" ...>

You're directly outputting user-generated content into HTML without escaping it.

✅ Fix:

Use htmlspecialchars() when echoing user input:

<input type="text" value="<?php echo htmlspecialchars($postTitle); ?>" name="postTitle" ...>

Do this for all echoed variables coming from the database: $description, $content, $catinfo.

3. Lack of CSRF Protection

You're performing a sensitive action (Update Post) without validating a CSRF token. An attacker could trick a logged-in user into submitting a malicious post update.

✅ Fix:

  • Generate a CSRF token in the session.
  • Embed it as a hidden field in the form.
  • Validate it on form submission.

4. Error Information Disclosure

In this part:

echo '<div class="text-center alert bg-danger ...">Error, post info retrive failed, try again</span></div>';

It’s not critical now, but in a production environment, avoid displaying detailed error messages that might help an attacker infer internal logic.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions