Yeah... you make a great point... I will take off mysql_error().
Problem... no.... spinsykel isn't my username and password... I'm just using it now while I test it.
Thanks for the comments.
FIND MY SECURITY HOLE... I GIVE YOU A NICKEL
- John Cartwright
- Site Admin
Code:
<?php
// As posted: the closing double quote is misplaced, so "$found =1" is part of the echoed string
echo "$lastname, $username;
$found =1";
?>

Code:
<?php
echo "$lastname, $username";
$found =1;
?>

If global variables are ON, then you could simply request
authenticate.php?found=1
and we would have access to your admin?
SQL Injection is not XSS
ronjon
XSS stands for Cross-Site-Scripting, but this is not what's going on here.
This is more about SQL Injection:

Code:
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";

Looks like two things are wrong here. The database structure, and the
way the login is validated from user input.
SQL injection is possible with this query, just provide a password that
looks like this:
' OR '1'='1
and a username that looks like this:
administrator' OR '1'='1
and you get your SQL query that looks like:
SELECT lastname FROM users WHERE password = '' OR '1'='1' AND firstname = 'administrator' OR '1'='1'
The query should return one or more entries, and get a valid login from
your code ...
It is a common error to check username and password in the same query when
performing a login check. One way to get this fixed is to use encryption.
Even if md5 is not unbreakable, it is for sure a 32 chars alphanumeric string,
which is better than a login name with strange chars ($'%"& ...).
That's why it will always be a better idea to compare md5 strings inside a
SQL query made from user input than doing this with uncontrolled user input.

Code:
$md5_password = md5($password);
$md5_username = md5($username);
// add two fields in the database, md5_firstname CHAR(32) and md5_password CHAR(32), remove 'password' field
$sql = "SELECT lastname FROM users WHERE md5_password = '$md5_password' AND md5_firstname = '$md5_username'";

This way you do not have to check POST values for XSS as you do know, whatever
is inside will be encrypted and sanitized into a 32 chars alphanumeric string.
be well
tobozo
http://www.phpsecure.info/v2/.php?&l=us
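The payloads and the query-building choices discussed in the replies above, as an added, runnable example that is not code from this thread. It uses Python's sqlite3 module in place of MySQL and a constructed one-row users table; the function names, the admin credentials and the column layout are my own assumptions. It shows three things: the login bypass against the query built by string interpolation, that hashing both inputs before interpolating them does block this particular payload (a hex digest cannot contain a quote), and that a parameterized query blocks it without relying on that property. Each login function returns the looked-up lastname or None, so the "found" outcome comes from the query alone and never from a value the client supplies, which is the register_globals point raised earlier in the thread.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the original thread): a single admin user.
USERS = [("administrator", "Smith", "s3cret")]

# Payloads exactly as given in the thread.
INJECTED_USER = "administrator' OR '1'='1"
INJECTED_PASS = "' OR '1'='1"


def make_db():
    """In-memory SQLite table standing in for the thread's MySQL 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (firstname TEXT, lastname TEXT, password TEXT, "
        "md5_firstname CHAR(32), md5_password CHAR(32))"
    )
    for first, last, pw in USERS:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (first, last, pw,
             hashlib.md5(first.encode()).hexdigest(),
             hashlib.md5(pw.encode()).hexdigest()),
        )
    return conn


def login_vulnerable(conn, username, password):
    """The thread's original query: user input interpolated straight into the SQL text."""
    sql = ("SELECT lastname FROM users WHERE password = '%s' AND firstname = '%s'"
           % (password, username))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_md5_interpolated(conn, username, password):
    """The md5 suggestion: hash both inputs, but still interpolate them into the SQL text.
    This blocks the quote-based payload only because a hex digest has no quote characters."""
    md5_user = hashlib.md5(username.encode()).hexdigest()
    md5_pw = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT lastname FROM users WHERE md5_password = '%s' AND md5_firstname = '%s'"
           % (md5_pw, md5_user))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the values separately from the SQL text,
    so a quote inside them is just data and can never end the string literal."""
    row = conn.execute(
        "SELECT lastname FROM users WHERE password = ? AND firstname = ?",
        (password, username),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the injected credentials against all three query styles, plus a valid login."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, INJECTED_USER, INJECTED_PASS),
        "md5_bypass": login_md5_interpolated(conn, INJECTED_USER, INJECTED_PASS),
        "param_bypass": login_parameterized(conn, INJECTED_USER, INJECTED_PASS),
        "param_valid": login_parameterized(conn, "administrator", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The interpolated query returns the admin's lastname for the injected credentials, which is the bypass described above; the other two return nothing for the payload, and the parameterized query still accepts the real password. Note that the md5 approach only holds because every field in the query is hashed; any unhashed field interpolated the same way is still injectable, and unsalted MD5 is not an acceptable way to store passwords today. Parameterized queries (prepared statements in PHP's mysqli or PDO) are the fix for the injection itself, independent of how passwords are stored.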