Page 2 of 2

Posted: Sat Feb 11, 2006 5:17 pm
by josh
No that is not what we mean, we mean something like:

$admin = 0;
// $username and $password are interpolated into the SQL text unescaped, so a quote in either one ends the string early
mysql_query("INSERT INTO `users` (`username`, `password`, `admin`) VALUES ('$username', '$password', '$admin')");
Someone could set admin to 1 by sending this as their password:

foobar', '1')--
Put that in place of $password and you'll see what I mean. That is called SQL injection, and we have already discussed it in this thread. In case you're wondering, the -- tells mysql to ignore the rest of the query. mysql_real_escape_string would have replaced the quote after foobar with a \', which tells mysql that the quote is to be part of the password itself.

Also, you should have a limit on the username length in addition to this. As you can see, this exploit is less than 25 characters and gives the attacker admin access.

Posted: Sat Feb 11, 2006 5:33 pm
by No0b
But I don't want the password to have ', ", \, /, or any others. How will I do this?

Edit:

I put

foobar', '1')--
in my username and I don't see what it did??? It just turns out looking like

Hello foobar\', \'1\')--! Log Out

What's it supposed to do???

Posted: Sat Feb 11, 2006 7:45 pm
by josh
You need to use preg_match() to limit the password to certain characters and lengths.
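The two points josh makes above (the INSERT that the foobar', '1')-- payload rewrites, and the preg_match() whitelist) are easier to see running than to read about. The following is an added example and not code from the original thread. It uses Python with an in-memory SQLite database as a stand-in for PHP and MySQL so it runs offline; the `users` table layout, the user name mallory, the helper names and the exact whitelist pattern are assumptions. SQLite does not read backslash escapes the way MySQL does, so mysql_style_escape() only reproduces, as a string, what mysql_real_escape_string would turn the payload into (an approximation, not the real function), and the hardened insert uses a parameterized query instead of an escaping call.

```python
import re
import sqlite3

# Constructed input: the payload from the thread, submitted as the password.
ATTACKER_PASSWORD = "foobar', '1')--"


def make_db():
    """In-memory SQLite stand-in for the `users` table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username TEXT PRIMARY KEY,"
        "  password TEXT NOT NULL,"
        "  admin    INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def insert_vulnerable(conn, username, password):
    """Mirror of the mysql_query() call in the thread: untrusted input is
    pasted straight into the SQL text. Returns the SQL actually executed."""
    admin = 0
    sql = (
        "INSERT INTO users (username, password, admin) "
        f"VALUES ('{username}', '{password}', '{admin}')"
    )
    # The quote in the payload closes the password string, ', '1') supplies
    # the attacker's admin value, and -- comments out the real one.
    conn.execute(sql)
    conn.commit()
    return sql


def insert_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, so the quote,
    the comma and the -- in the payload never reach the SQL parser."""
    admin = 0
    conn.execute(
        "INSERT INTO users (username, password, admin) VALUES (?, ?, ?)",
        (username, password, admin),
    )
    conn.commit()


def mysql_style_escape(text):
    """Approximation of what mysql_real_escape_string does to a string:
    each quote, backslash and control character gets a backslash in front
    of it, so MySQL reads the quote as part of the password instead of
    as the end of the string. Not the real function (MySQL's escaping also
    depends on the connection character set)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"',
             "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in text)


# Equivalent of the preg_match() whitelist suggested in the thread; the
# character class and the 3-20 length limit are assumptions for the example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def username_ok(username):
    """True only if the whole string is 3 to 20 letters, digits or underscores."""
    return USERNAME_RE.fullmatch(username) is not None


def fetch_user(conn, username):
    """Return (password, admin) for a user, or None if absent."""
    cur = conn.execute(
        "SELECT password, admin FROM users WHERE username = ?", (username,)
    )
    return cur.fetchone()


if __name__ == "__main__":
    db = make_db()
    print(insert_vulnerable(db, "mallory", ATTACKER_PASSWORD))
    print("vulnerable insert stored:", fetch_user(db, "mallory"))
    db = make_db()
    insert_parameterized(db, "mallory", ATTACKER_PASSWORD)
    print("parameterized insert stored:", fetch_user(db, "mallory"))
    print("escaped form:", mysql_style_escape(ATTACKER_PASSWORD))
    print("whitelist accepts payload:", username_ok(ATTACKER_PASSWORD))
```

Run as a script, the vulnerable insert stores the password foobar with admin set to 1, while the parameterized insert stores the entire payload as the password with admin 0. The escaped form printed last is the same backslash-before-quote text that No0b saw echoed back in the greeting, which is the shape of the string MySQL would get after mysql_real_escape_string, and the whitelist rejects the payload outright because of the quote, comma, space and parenthesis.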

Posted: Sat Feb 11, 2006 10:45 pm
by a94060
You might be able to, but that does not prevent the input of tags like <br> or any others. It may also allow other powerful scripts such as ASP or PHP and Java to access your server. This may cause unwanted info to be displayed.

Posted: Sat Feb 11, 2006 10:49 pm
by feyd
who are you responding to a94060?