
redmonkey

Posted: Sat Jul 10, 2004 12:59 pm
by ronjon
Yeah... you make a great point... I will take off mysql_error().

Problem... no.... spinsykel isn't my username and password... I'm just using it now while I test it.

thanks for the comments

ahhh

Posted: Sat Jul 10, 2004 3:57 pm
by fresh
and he got the job??? ;) jk man, gd lk, needs lots of work, keep trying and take their advice :)


p.s. yeah edit out sensitive info before posting next time ;)

Posted: Sun Jul 11, 2004 3:25 am
by John Cartwright

<?php
echo "$lastname, $username; 
$found =1"; 
?>
should be

<?php
echo "$lastname, $username";
$found =1;
?>
And you should not have a variable that checks to see if it's found or not, like the $found = 1 you have..

If its global variable is ON, then you could simply

authenticate.php?found=1

and we would have access to your admin?

SQL Injection is not XSS

Posted: Tue Aug 03, 2004 12:18 pm
by tobozo
ronjon

XSS stands for Cross-Site-Scripting, but this is not what's going on here.
This is more about SQL Injection :

$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
You should never trust user input ...

Looks like two things are wrong here. The database structure, and the
way the login is validated from user input.
SQL injection is possible with this query, just provide a password that
looks like this :
' OR '1'='1
and a username that looks like this :
administrator' OR '1'='1
and you get your sql query that looks like :
SELECT lastname FROM users WHERE password = '' OR '1'='1' AND firstname = 'administrator' OR '1'='1'

The query should return one or more entries, and get a valid login from
your code ...

It is a common error to check username and password in the same query when
performing a login check. One way to get this fixed is to use encryption.

Even if md5 is not unbreakable, it is for sure a 32 chars alphanumeric string,
which is better than a login name with strange chars ($'%"& ...).
That's why it will always be a better idea to compare md5 strings inside a
sql query made from user input than doing this with uncontrolled user input.

$md5_password = md5($password);
$md5_username = md5($username);

// add two fields in the database, md5_firstname CHAR(32) and md5_password CHAR(32), remove 'password' field

$sql = "SELECT lastname FROM users WHERE md5_password = '$md5_password' AND md5_firstname = '$md5_username'";
This way you do not have to check POST values for XSS as you do know, whatever
is inside will be encrypted and sanitized into a 32 chars alphanumeric string.

be well
tobozo
http://www.phpsecure.info/v2/.php?&l=us
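
A runnable reconstruction of the login check discussed in this thread, added here as an example and not code from any poster: it builds the same `users` table in SQLite, then runs the original string-built query, tobozo's md5 variant, and a bound-parameter query against both a real login and the injected inputs quoted above. The sample account, the `lastname` value and the use of SQLite are constructed assumptions.

```python
import hashlib
import sqlite3

# Constructed sample data: one legitimate account (firstname, password, lastname).
USERS = [("administrator", "s3cret", "Doe")]


def md5(s: str) -> str:
    """Hex digest: always exactly 32 chars drawn from [0-9a-f]."""
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory table with the original plaintext columns plus tobozo's md5 columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (firstname TEXT, password TEXT, lastname TEXT, "
        "md5_firstname CHAR(32), md5_password CHAR(32))"
    )
    for first, pw, last in USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     (first, pw, last, md5(first), md5(pw)))
    return conn


def login_vulnerable(conn, username, password):
    """The thread's original check: raw input pasted straight into the SQL string."""
    sql = (f"SELECT lastname FROM users WHERE password = '{password}' "
           f"AND firstname = '{username}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_md5(conn, username, password):
    """tobozo's fix: hash first, so only hex digits ever reach the query string."""
    sql = (f"SELECT lastname FROM users WHERE md5_password = '{md5(password)}' "
           f"AND md5_firstname = '{md5(username)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the driver never lets input alter the query structure."""
    row = conn.execute(
        "SELECT lastname FROM users WHERE password = ? AND firstname = ?",
        (password, username),
    ).fetchone()
    return row[0] if row else None
```

Run the three functions with the thread's `' OR '1'='1` inputs: only the string-built query hands back a lastname, the other two return None.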

Posted: Tue Aug 03, 2004 12:41 pm
by nigma
feyd wrote:
I seriously don't appreciate the capslock usage in your posts, ronjon.

lol