SQL error on registration:

Failed to execute SQL: INSERT INTO `users` (`FirstName`,`LastName`,`charity`,`username`,`password`,`email`,`Gender`,`relationshipstatus`,`BirthDate`,`Bio`,`Sport`,`FavoriteTeam`,`Photo`,`photo_ext`,`photo_size`,`interests`,`height`,`T-ShirtSize`,`skilllevel`,`school`,`job`,`freeagent`,`freeagentsport`,`HomePhone`,`CellPhone`,`Address`,`City`,`State`,`ZipCode`,`automatic`,) VALUES ('testing','testing','testing','testing','testing','testing@yahoo.com','Male','Private','87-07-14','test676786786786786876786786 7676786876786ghjg hghjghjgjhghjgjhghjgjhgjhghjghjghjg','Flag Football,Dodgeball,Volleyball,Basketball,soccer,Softball,Kickball,Indoor Soccer','gfghfhgf',NULL,'',0,'Music,Movies,Sports,TV,Clubbing,Books,Outdoors,Social Events','77','Men Small','Competitive',NULL,NULL,NULL,NULL,'7678667678676',NULL,'676786786786876','5675765765','Missouri','63043','No', Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES ('testing','testing','testing','testing','testing','testing@yahoo.com',' at line 1


Full Path Disclosure:


Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 18 in /home2/happyho8/public_html/inc/functions.php on line 152


Full Path Disclosure:


Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 28 in /home2/happyho8/public_html/inc/functions.php on line 214

No color Yet


When you enter an event that doesn't exist you get redirected to http://happyhoursports.com/Eventslist.php which doesn't exist.



When you enter a sponsor that doesn't exist you get redirected to http://happyhoursports.com/Sponsorlist.php which doesn't exist.



When you vote you get a SQL error.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1


Failures: 30




Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'


Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1' OR '1'='1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1' AND non_existant_table = '1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: ' OR username IS NOT NULL OR username = '

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: '; DESC users; --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1 AND USER_NAME() = 'dbo'

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1'1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1 EXEC XP_

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1'1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'

Tested value: 1' OR '1'='1











Cross Site Scripting(XSS):



Cross Site Scripting(XSS):



SQL Error:


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND result.id = polls.id' at line 1


When you vote you get a SQL error.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Darkfreaks: I thought I did but I am going to make sure and make changes where needed.

any suggestions for the login.php?? just sanitized??


Coreye: suggestions to solve the XSS and I will take a look at sql error.



Sanitize all user input.


Cross Site Scripting(XSS):

You can submit ">code when adding new free agents and it executes on the free agents page.


Sorry for not replying earlier...


Coreye: can you try to test the free agent form again and let me know if the

same problems still persist?


Darkfreaks: Any functions that you have or found online that will help me with the forms?

I have found several functions that sanitize forms, I have applied two functions to the free agents and the login forms but you say that they are still not protected.


Thanks in advance.

