FIND MY SECURITY HOLE... I GIVE YOU A NICKEL

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

redmonkey

Post by ronjon »

Yeah... you make a great point... I will take off mysql_error().

Problem... no.... spinsykel isn't my username and password... I'm just using it now while I test it.

thanks for the comments
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

ahhh

Post by fresh »

And he got the job??? ;) jk man, gd lk, needs lots of work, keep trying and take their advice :)


P.S. yeah, edit out sensitive info before posting next time ;)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Code:

<?php
// original (broken): the semicolon and the $found assignment are inside the string
echo "$lastname, $username;
$found =1";
?>
should be

Code:

<?php
// corrected: the string is closed before the assignment
echo "$lastname, $username";
$found = 1;
?>
And you should not have a variable that checks to see if it's found or not, like the $found = 1 you have..

If the register_globals setting is ON then you could simply request

authenticate.php?found=1

and we would have access to your admin?
tobozo
Forum Newbie
Posts: 2
Joined: Tue Aug 03, 2004 12:18 pm

SQL Injection is not XSS

Post by tobozo »

ronjon

XSS stands for Cross-Site Scripting, but this is not what's going on here.
This is more about SQL injection:

Code:

<?php
// the posted login query: $password and $username come straight from the request
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
?>
You should never trust user input ...

It looks like two things are wrong here: the database structure, and the
way the login is validated from user input.
SQL injection is possible with this query; just provide a password that
looks like this:
' OR '1'='1
and a username that looks like this:
administrator' OR '1'='1
and you get an SQL query that looks like:
SELECT lastname FROM users WHERE password = '' OR '1'='1' AND firstname = 'administrator' OR '1'='1'

The query should return one or more entries, and get a valid login from
your code ...

It is a common error to check username and password in the same query when
performing a login check. One way to get this fixed is to use encryption.

Even if md5 is not unbreakable, it is for sure a 32-char alphanumeric string,
which is better than a login name with strange chars ($'%"& ...).
That's why it will always be a better idea to compare md5 strings inside an
SQL query made from user input than doing this with uncontrolled user input.

Code:

<?php
$md5_password = md5($password);
$md5_username = md5($username);

// add two fields in the database, md5_firstname CHAR(32) and md5_password CHAR(32),
// and remove the 'password' field
$sql = "SELECT lastname FROM users WHERE md5_password = '$md5_password' AND md5_firstname = '$md5_username'";
?>
This way you do not have to check POST values for XSS, as you know that whatever
is inside will be encrypted and sanitized into a 32-char alphanumeric string.

be well
tobozo
http://www.phpsecure.info/v2/.php?&l=us
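The two problems raised in this thread (John Cartwright's point that a request parameter can pre-set $found when register_globals is on, and tobozo's SQL injection against the posted query) shown side by side in working code. This is an added example, not code from any poster: Python and an in-memory sqlite3 table stand in for the PHP/MySQL login, the sample users are constructed, the firstname/lastname/password columns follow the posted query, and the salt/pw_hash columns and the salted PBKDF2 check are assumptions swapped in for the md5() the post above suggests.

```python
"""Login checks around the thread's query, demonstrated on sqlite3.

Constructed example: sqlite3 stands in for MySQL, Python for PHP; the table
uses the column names from the posted query (firstname, lastname, password).
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users; the plaintext password column exists only so the
# vulnerable function can mirror the posted PHP query exactly.
USERS = [
    ("administrator", "Cartwright", "s3cret-admin"),
    ("ronjon", "Jones", "nickel"),
]
PBKDF2_ROUNDS = 100_000


def make_db() -> sqlite3.Connection:
    """In-memory users table: the thread's columns plus an assumed salt/pw_hash pair."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (firstname TEXT, lastname TEXT, password TEXT, "
               "salt BLOB, pw_hash TEXT)")
    for first, last, pw in USERS:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS).hex()
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)", (first, last, pw, salt, pw_hash))
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> list:
    """Mirrors the posted PHP: user input interpolated straight into the SQL string."""
    sql = (f"SELECT lastname FROM users WHERE password = '{password}' "
           f"AND firstname = '{username}'")
    return [row[0] for row in db.execute(sql).fetchall()]


def register_globals_login(db: sqlite3.Connection, request: dict) -> bool:
    """Emulates PHP with register_globals=On: every request parameter arrives as a
    local variable and, as in the posted code, $found is only assigned on success
    instead of being initialised first. The query is parameterised here to show
    that the flag bug is independent of the injection bug."""
    env = dict(request)                 # ?found=1 lands here as env["found"] == "1"
    username = env.get("username", "")
    password = env.get("password", "")
    rows = db.execute("SELECT lastname FROM users WHERE password = ? AND firstname = ?",
                      (password, username)).fetchall()
    if rows:
        env["found"] = 1
    return bool(env.get("found"))       # a "1" smuggled in the query string is truthy


def safe_login(db: sqlite3.Connection, request: dict) -> bool:
    """Hardened check: flag initialised locally, bound parameters, salted PBKDF2
    (assumed here in place of the md5() the post suggests), constant-time compare."""
    found = False                       # request parameters cannot pre-set this
    username = request.get("username", "")
    password = request.get("password", "")
    row = db.execute("SELECT salt, pw_hash FROM users WHERE firstname = ?",
                     (username,)).fetchone()
    if row is not None:
        salt, stored = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()
        found = hmac.compare_digest(candidate, stored)
    return found


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "administrator' OR '1'='1", "' OR '1'='1"))  # both users
    print(register_globals_login(db, {"found": "1"}))                         # True
    print(safe_login(db, {"found": "1"}))                                     # False
```

The injected password and username are exactly the ones from the post above; because AND binds tighter than OR, the trailing OR '1'='1' makes the WHERE clause true for every row, so the vulnerable query returns every user. The register_globals emulation shows that even a correctly parameterised query is bypassed by found=1 when the flag is not initialised before the lookup; the hardened version fixes both by initialising the flag, binding parameters, and comparing a salted hash.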
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

feyd wrote: I seriously don't appreciate the capslock usage in your posts ronjon.
lol