How to resolve error message generated by the GetSQLValueString function

1

I'm using Dreamweaver's GetSQLValueString function to validate some variables and everything works fine, but when running a test with the Acunetix Web Vulnerability Scanner 9.5 program I came across an error message reported by it, pointing to a possible security flaw. The URL generated by the program and the message are these:

link

    PHP Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in E:\home\topdeia\Web\n-chipi\cities.ajax.php on line 22

The function is this:

    if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      // Undo magic_quotes before escaping, so the value is not escaped twice
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

      // Escape the value for use inside a quoted SQL string
      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

      // Quote or cast according to the declared column type; empty input becomes NULL
      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }

The question is: how do I get around this error?
asked by anonymous 17.04.2017 / 20:34

1 answer

2

WARNING: The mysql_* functions should not be used.

The problem is that the function expects a scalar value, but an array was passed as an argument; the hint is the query string (&uf[]=27).

First you need to decide whether an array should abort the process and return an error message to the user, or whether the first element of the array should be taken and used.

For the second case, since only one uf should be sent at a time, you can use the reset() function to set the array pointer to the first position and get its value.

    $theValue = is_array($theValue) ? reset($theValue) : $theValue; // added line

    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
17.04.2017 / 21:08
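A worked example, added here and not part of the question or the answer, that applies the two choices the answer describes for an array-valued uf (abort, or take the first element with reset()) and then binds the value as a PDO parameter instead of escaping it with the mysql_* functions the answer warns against. The table and column names (cities, uf), the DSN and the JSON output are assumptions.

```php
<?php
// Added example, not the code from the question or the answer.
// Table/column names and the DSN below are assumptions.
declare(strict_types=1);

/**
 * Return a scalar from request input. Dreamweaver's helper passed arrays straight
 * into mysql_real_escape_string(), which produced the warning in the question.
 */
function requestScalar(array $input, string $key, bool $takeFirst = false): ?string
{
    if (!array_key_exists($key, $input)) {
        return null;
    }
    $value = $input[$key];
    if (is_array($value)) {
        if (!$takeFirst) {
            // Option 1 from the answer: an array aborts the request.
            throw new InvalidArgumentException("Parameter '$key' must be a scalar");
        }
        // Option 2 from the answer: only one uf is expected, so use the first element.
        $value = reset($value);
        if (is_array($value)) { // nested arrays (uf[][]=27) are still rejected
            throw new InvalidArgumentException("Parameter '$key' must be a scalar");
        }
    }
    return (string) $value;
}

function citiesByUf(PDO $db, array $get): array
{
    $uf = requestScalar($get, 'uf', true);
    if ($uf === null || !ctype_digit($uf)) {
        return []; // same outcome as the helper's "int" branch: no usable value
    }
    // A bound parameter never becomes part of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT id, name FROM cities WHERE uf = :uf ORDER BY name');
    $stmt->bindValue(':uf', (int) $uf, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input reproducing the scanner's query string: ?uf[]=27
$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
header('Content-Type: application/json');
echo json_encode(citiesByUf($db, ['uf' => ['27']]));
```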