ronjon
XSS stands for Cross-Site Scripting, but this is not what's going on here.
This is more about SQL injection:
Code:
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
You should never trust user input ...
Looks like two things are wrong here. The database structure, and the
way the login is validated from user input.
SQL injection is possible with this query, just provide a password that
looks like this:
' OR '1'='1
and a username that looks like this:
administrator' OR '1'='1
and you get an SQL query that looks like this:
SELECT lastname FROM users WHERE password = '' OR '1'='1' AND firstname = 'administrator' OR '1'='1'
The query should return one or more entries, and get a valid login from
your code ...
It is a common error to check username and password in the same query when
performing a login check. One way to get this fixed is to use encryption.
Even if md5 is not unbreakable, it is for sure a 32-char alphanumeric string,
which is better than a login name with strange chars ($'%"& ...).
That's why it will always be a better idea to compare md5 strings inside an
SQL query made from user input than doing this with uncontrolled user input.
Code:
$md5_password = md5($password);
$md5_username = md5($username);
// add two fields in the database, md5_firstname CHAR(32) and md5_password CHAR(32),
// and remove the 'password' field
$sql = "SELECT lastname FROM users WHERE md5_password = '$md5_password' AND md5_firstname = '$md5_username'";
This way you do not have to check POST values for XSS, as you know that whatever
is inside will be encrypted and sanitized into a 32-char alphanumeric string.
be well
tobozo
http://www.phpsecure.info/v2/.php?&l=us
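Added example, not part of tobozo's post: the injection described above, run against an in-memory SQLite table in Python. It builds the query the same way the PHP snippet does, feeds it the two payloads from the post, and compares the result with the md5-comparison query the post proposes and with a parameterized query (the standard fix, not something the post mentions). The user row, column layout and function names are constructed for this example; the table also carries the md5_firstname/md5_password columns the post suggests adding. It goes slightly beyond the post by showing which of the two payloads is actually needed, which follows from AND binding tighter than OR.

```python
import hashlib
import sqlite3

# Constructed sample data, not from the original post: a single user row.
SAMPLE_USERS = [("administrator", "Admin", "s3cret")]

# The two payloads from the post: close the string literal, then OR in a tautology.
INJECTED_PASSWORD = "' OR '1'='1"
INJECTED_USERNAME = "administrator' OR '1'='1"


def build_db():
    """In-memory SQLite database with a users table shaped like the post's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (firstname TEXT, lastname TEXT, password TEXT, "
        "md5_firstname CHAR(32), md5_password CHAR(32))"
    )
    for firstname, lastname, password in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (firstname, lastname, password,
             hashlib.md5(firstname.encode()).hexdigest(),
             hashlib.md5(password.encode()).hexdigest()),
        )
    return conn


def vulnerable_login(conn, username, password):
    """The post's query: user input is pasted straight into the SQL text."""
    sql = (f"SELECT lastname FROM users WHERE password = '{password}' "
           f"AND firstname = '{username}'")
    return [row[0] for row in conn.execute(sql)]


def md5_login(conn, username, password):
    """The post's proposed fix: hash both inputs and compare the hex digests.

    Only 32 chars of [0-9a-f] ever reach the SQL text, so no quote or
    operator typed by the user survives into the query.
    """
    md5_password = hashlib.md5(password.encode()).hexdigest()
    md5_username = hashlib.md5(username.encode()).hexdigest()
    sql = (f"SELECT lastname FROM users WHERE md5_password = '{md5_password}' "
           f"AND md5_firstname = '{md5_username}'")
    return [row[0] for row in conn.execute(sql)]


def parameterized_login(conn, username, password):
    """Bound parameters: the driver passes the values separately from the SQL
    text, so no input of any shape can change the query structure."""
    sql = "SELECT lastname FROM users WHERE password = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (password, username))]


if __name__ == "__main__":
    conn = build_db()
    # Real credentials are accepted by all three variants.
    print(vulnerable_login(conn, "administrator", "s3cret"))               # ['Admin']
    # Injected credentials: only the string-building query is fooled.
    print(vulnerable_login(conn, INJECTED_USERNAME, INJECTED_PASSWORD))    # ['Admin']
    print(md5_login(conn, INJECTED_USERNAME, INJECTED_PASSWORD))           # []
    print(parameterized_login(conn, INJECTED_USERNAME, INJECTED_PASSWORD)) # []
    # AND binds tighter than OR, so the username payload alone is enough:
    #   ... WHERE password = 'wrong' AND firstname = 'administrator' OR '1'='1'
    print(vulnerable_login(conn, INJECTED_USERNAME, "wrong"))              # ['Admin']
    # but the password payload alone is not, because its tautology gets ANDed
    # with firstname = 'nobody', which is false:
    #   ... WHERE password = '' OR '1'='1' AND firstname = 'nobody'
    print(vulnerable_login(conn, "nobody", INJECTED_PASSWORD))             # []
```

Run it as a script to see the six results; the last two lines are the ones worth staring at, since they show that the post's second payload (in the username) is what turns the whole WHERE clause into a tautology, while the password payload on its own is neutralised by the AND.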