Error in page with Chrome but not with Firefox or IE
#1

[eluser]vincej[/eluser]
This one is weird - I get the following error with Chrome 35, but not with IE 11 or Firefox 29:

Quote:Fatal error: Call to a member function num_rows() on a non-object in /home/countr70/public_html/application/models/mcustomer.php on line 433

I know what the error means. It means that the query has not found any rows.

It refers to this code:

Code:
function GetCustomerPickupLocation($tel_customerid) {
    $sql = "
        select `location`,`id`,`locationid`
        from locations,customer
        where `locationid` = customer.deliveryid
        and customer.id = $tel_customerid;";
    $Q = $this->db->query($sql);
    if ($Q->num_rows() > 0) {                       // line 433
        $row = $Q->row();
        return $row->location;
    }
}

When I check the $tel_customerid with die() I get a bizarre value:

percent three C ( Sorry this site refuses to allow me to enter it literally )

which of course causes the query to fail. I do not know what or where this value comes from. It should be a url segment value.

If it is relevant, I recently upgraded to 2.2. Also I recently added SSL to the site.

My question is why would it give an error in Chrome but not in IE and Firefox.

Many thanks !
#2

[eluser]CroNiX[/eluser]
That error message does not mean it didn't find any rows. "on a non-object" means that $Q is not a db object, so num_rows() method doesn't exist for it.

Not sure why you're getting the error, but I'd advise you to escape your variable, or just use active record so it does it for you. I'd start with wherever you are calling that method from.

percent 3C is an encoded < (less than) symbol
#3

[eluser]vincej[/eluser]
Thanks for that.

I don't understand why num_rows() would fail on Chrome but not on FF or IE.

Surely it would fail for all three ?

A little Googling has revealed that percent 3C is sometimes used in xss hacks. My site was hacked last week.

Looking into the CI error logs I see all kinds of 404 Page Not Found --> welcome/percent 3C

I will follow your advice and use AR for the query, but it remains a mystery to me that Chrome fails and the other two do not - I can not help but think that this has something to do with some residual malware in the system which FF and IE is filtering - possible ????

Thanks
#4

[eluser]CroNiX[/eluser]
I can't really answer why it doesn't work in chrome. There are way too many variables to consider that we aren't privy to and most likely the problem is elsewhere in your code and not in the one function you are showing. Your DB data can be tainted as well since the site was recently hacked. I wouldn't trust the db data until you verify it is totally free of bad data, which could be obscured (like percent 3c).

It won't do much good just to fix the one above query. You need to fix ALL of them sitewide. Your site is wide open to hacking because it doesn't look like you did much in terms of security.

ALL user data should be considered tainted from the get-go. That is anything coming from the url, like a segment, using form validation for all form fields to ensure the data is in the correct format, escaping all user input/variables being used in db queries, either manually or using active record, etc.

If you don't, you can expect this to happen again. The people who hacked your site already know it's vulnerable and might be still hacking it, or return to hack it again at a later date, or put the URL in a hacking forum for others to try to mess with.

Personally I'd take the site totally offline until you know it's secure and the existing data is not tainted.
#5

[eluser]vincej[/eluser]
Thanks for that.

You are right, I had not previously done enough to secure the site. I scanned the DB, as has my ISP, and it appears to be clean. I have added SSL, a 2 sec delay on login and strengthened the pw's. I have also tested the site for CSRF weakness with some tools from Security Compass and it came out clean. 90% of the queries are using AR. I'll update the ones that are not.

I was relying on CI for XSS and CSRF. Is that secure enough ? I have read that CI's xss_clean is not very effective.

CI's CSRF is giving me major problems with the ubiquitous "an error was detected the action you have requested is not allowed." on a page where I have some AJAX, so I have had to turn it off until I can find a fix. Any ideas on that ?

Thanks !

#6

[eluser]CroNiX[/eluser]
For ajax, most likely you aren't sending the CSRF token along with your other fields in your ajax data, so it rejects them since the token isn't present. google "codeigniter ajax csrf" to find some solutions.
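One way to do what CroNiX describes, as an added example that is not from the thread: a CodeIgniter 2.x view fragment that renders the CSRF token into the page and a jQuery prefilter that appends it to every AJAX POST. It assumes csrf_protection is enabled in config.php and jQuery is loaded; the /customer/pickup URL is a placeholder.

```php
<?php
// Added example, not from the thread. Requires csrf_protection = TRUE in
// application/config/config.php and jQuery on the page. The URL below is a
// placeholder for whatever controller method the AJAX call targets.
?>
<meta name="csrf-name" content="<?php echo $this->security->get_csrf_token_name(); ?>">
<meta name="csrf-hash" content="<?php echo $this->security->get_csrf_hash(); ?>">

<script>
// Read the token CI rendered above, then attach it to every jQuery POST so the
// Security class finds the field name it expects in $_POST.
var csrfName = $('meta[name="csrf-name"]').attr('content');
var csrfHash = $('meta[name="csrf-hash"]').attr('content');

$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    // CI only verifies the token on POST requests.
    if ((options.type || 'GET').toUpperCase() !== 'POST') {
        return;
    }
    // Older jQuery versions serialize options.data before prefilters run,
    // newer ones after, so handle both the string and the object form.
    if (typeof options.data === 'string') {
        options.data += (options.data ? '&' : '') +
            encodeURIComponent(csrfName) + '=' + encodeURIComponent(csrfHash);
    } else {
        options.data = options.data || {};
        options.data[csrfName] = csrfHash;
    }
});

// Without the prefilter this request is rejected with
// "The action you have requested is not allowed."
$.post('/customer/pickup', { id: 229 }, function (resp) {
    console.log(resp);
});
</script>
```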
#7

[eluser]treenef[/eluser]
It works in ff but not chrome... sorry but sounds way off par. Go to several other machines that are clean and PROVE this.

I'd wager you will find this to be proven false. Second if you are using xss to filter attacks that STILL leaves you subject to sql attacks which is entirely different.

You should be using active record or prepared statements for ALL sql statements.
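The escaping advice from CroNiX and treenef applied to the query from the first post, as an added example that is not vincej's code or CodeIgniter's own: one version with query bindings, one with Active Record, both rejecting a non-numeric id such as the "%3C" seen in the thread before it reaches SQL. Table and column names follow the original query; the model name is a placeholder.

```php
<?php
// Added example, not vincej's code: a hardened GetCustomerPickupLocation
// for CodeIgniter 2.x. Table and column names follow the original query;
// the model name is a placeholder.
class Mcustomer extends CI_Model {

    // Refuse anything that is not a positive integer before it reaches SQL, so
    // a value like "%3C" (the encoded "<" from the thread) or an empty session
    // value is rejected up front instead of being spliced into the query.
    private function valid_id($id) {
        return (is_int($id) || is_string($id)) && ctype_digit((string) $id);
    }

    // Query bindings: CI escapes every bound value, so the id is never
    // concatenated raw into the SQL string.
    function GetCustomerPickupLocation($tel_customerid) {
        if (!$this->valid_id($tel_customerid)) {
            log_message('error', 'GetCustomerPickupLocation: bad customer id');
            return FALSE;
        }
        $sql = 'SELECT `location`
                FROM locations
                JOIN customer ON customer.deliveryid = locations.locationid
                WHERE customer.id = ?';
        $Q = $this->db->query($sql, array((int) $tel_customerid));
        // With db_debug off, query() returns FALSE on a failed query; that is
        // what produced "Call to a member function num_rows() on a non-object".
        if ($Q === FALSE || $Q->num_rows() === 0) {
            return FALSE;
        }
        return $Q->row()->location;
    }

    // The same lookup with Active Record, which escapes the value itself.
    function GetCustomerPickupLocationAR($tel_customerid) {
        if (!$this->valid_id($tel_customerid)) {
            return FALSE;
        }
        $Q = $this->db->select('location')
                      ->from('locations')
                      ->join('customer', 'customer.deliveryid = locations.locationid')
                      ->where('customer.id', (int) $tel_customerid)
                      ->get();
        if ($Q === FALSE || $Q->num_rows() === 0) {
            return FALSE;
        }
        return $Q->row()->location;
    }
}
```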
#8

[eluser]vincej[/eluser]
I have established that the problem I am having has nothing to do with the sql query nor any corruption in the DB, although for sure I will change it out for an AR query.

It has to do with the variable $tel_customerid which is being passed to the query. This variable is being created through a session :

Code:
// Fall back to the session value when the id was not passed in
if (empty($tel_customerid)) {
    $tel_customerid = $this->session->userdata('tel_customerid');
}

When I do var_dump immediately after this statement, IE11 and FF I get:

Code:
string(3) "229"  line:108


when I do a dump using Chrome I get:

Code:
string(3) "percent 3C" pos l.108

So, it feels to me that something is getting messed up in the session .. but I can not fathom why it would work in some browsers but not others ... unless the browsers have some kind of filtering in them, which Google tells me they do .

Lastly I have recently upgraded to 2.2 and have added SSL .. I have yet to figure out if these would impact the sessions.

Many Thanks !
#9

[eluser]treenef[/eluser]
Why does your session contain 'percent 3C' 'less than' symbol in the first place? How is it being created?

What is the code for this: $this->session->userdata('tel_customerid');
#10

[eluser]vincej[/eluser]
Well - Looks like I might have solved it. It took hours to track it down, but like so many things in development, once found it took 1 minute to fix it. Essentially my sessions were not being correctly set in the controller. This particular function gets used for multiple purposes and hence the sessions need to be set and unset depending on what is calling the function.

One user_set CI session was essentially providing an empty session data to the $tel_customerid which I presume IE and FF can deal with but Chrome can not. So Chrome was, I presume, filling in the variable with percent 3C and thus causing the query to fail resulting in a php error on the page in Chrome, but mysteriously not in FF or IE .... no I don't get it either.


All I did was put in a simple if(empty(do this )) and it looks like it is fixed.

I wasted a whole bunch of time fixing this which I can not get back .. but I guess learned something.

Thanks for your help !




