PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: injection problem
PostPosted: Tue Jan 25, 2005 11:57 pm 
DevNet Master

Joined: Tue Dec 28, 2004 6:57 pm
Posts: 2745
Location: Tallinn, Estonia
Is this secure? I've tried simple injections on it and they haven't worked. What do you say?

```php
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$login_check = mysql_num_rows($sql);

if ($login_check > 0) {
    if (!isset($_SESSION['username'])) {
        session_register('username');
        $_SESSION['username'] = $username;
    }
    if (!isset($_SESSION['password'])) {
        session_register('password');
        $_SESSION['password'] = $password;
    }
    if (!isset($_SESSION['usersid'])) {
        session_register('usersid');
        while ($rdz = mysql_fetch_assoc($sql)) {
            $_SESSION['usersid'] = $rdz['usersid'];
        }
    }
} else {
    header('location: login.php?id=85');
}
```


 
 Post subject:
PostPosted: Wed Jan 26, 2005 12:15 am 
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
It's as secure as how $username and $password are set. How are they set in this example? What version of PHP would this run against?


 
 Post subject:
PostPosted: Wed Feb 02, 2005 4:38 am 
Forum Newbie

Joined: Wed Feb 02, 2005 4:36 am
Posts: 2
magic_quotes_gpc... Set them, or do 'foreach' loops and manually set them. That will solve a lot of injection problems.

If you have the SQL statement set to "username='$username' ..." etc., you don't need to strip out the characters that would allow for wildcards. However, with "username like '$username' ...", you would have problems with that. :)


 
 Post subject:
PostPosted: Wed Feb 02, 2005 5:02 am 
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium
Something like:

```php
// Build a query from a printf-style format string and its arguments.
function sql()
{
    $args = func_get_args();
    $format = array_shift($args);

    // Escape the arguments only if magic_quotes_gpc has not already done so.
    if (!get_magic_quotes_gpc())
    {
        for ($i = 0; $i < count($args); ++$i)
        {
            $args[$i] = mysql_escape_string($args[$i]);
        }
    }

    return vsprintf($format, $args);
}

$sql = sql("SELECT * FROM foo WHERE bar = %d", $id);
```


 
 Post subject: Re: injection problem
PostPosted: Sun Feb 06, 2005 12:37 pm 
Forum Contributor

Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124
> Is this secure? I've tried simple injections on it and they haven't worked.

The only way this could be more insecure is if the entire SQL query was provided by the user (rather than just part of it).

Out of curiosity, what simple injections have you tried? Every one I can think of should work just fine and alert you to the vulnerability.

> $login_check = mysql_num_rows($sql);

As a side note, it's best to name result sets something like $result instead of $sql. The misleading variable name can cause confusion, as this code demonstrates. You can't use mysql_num_rows() on an SQL statement.

> if (!isset($_SESSION['username'])) {
> session_register('username');
> $_SESSION['username'] = $username;
> }

There's no need for session_register(). Also, it's nice to be able to consider session data safe. When you assign tainted data to a session variable, you prevent this.

> header('location: login.php?id=85');

The Location header requires an absolute URL, not a relative one.

To help prevent SQL injection, you need to always filter your data on input and properly escape your data on output. When sending data to a MySQL database, this means using mysql_real_escape_string().

For more information, see:

http://shiflett.org/articles/security-corner-apr2004
http://phpsec.org/projects/guide/3.html#3.2
http://www.unixwiz.net/techtips/sql-injection.html
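
Added example, not part of the original post or thread: the login lookup from the first post in its concatenated form beside a parameterized form, run against constructed data. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* functions (removed in PHP 7); the function names, table rows and inputs are hypothetical.

```php
<?php
// Added example on constructed data. Assumption: PDO + in-memory SQLite
// stands in for the thread's mysql_* API so the script runs on current PHP.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The plaintext password column only mirrors the query shape in the thread.
$db->exec("CREATE TABLE users (usersid INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')");

// Same shape as the first post: user input is pasted into the SQL text,
// so a quote in the input ends the string literal and becomes SQL.
function login_concatenated(PDO $db, string $username, string $password): ?int
{
    $sql = "SELECT usersid FROM users WHERE username='$username' AND password='$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['usersid'] : null;
}

// Hardened form: placeholders send the values separately from the statement,
// so they are only ever compared as data.
function login_prepared(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT usersid FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['usersid'] : null;
}

// Constructed inputs: a valid login, a wrong password, and a value that
// contains quote characters and SQL keywords.
$cases = [
    'valid login'    => ['alice', 'correct-horse'],
    'wrong password' => ['alice', 'nope'],
    'quoted input'   => ["x' OR '1'='1", "x' OR '1'='1"],
];

foreach ($cases as $label => [$u, $p]) {
    // Only the id read back from the database is a candidate for $_SESSION;
    // the submitted username and password stay out of session data.
    printf("%-15s concatenated=%-5s prepared=%s\n", $label,
        var_export(login_concatenated($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

The two functions agree on the first two inputs; on the third, the concatenated query matches a row while the prepared one returns no user.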

