Question Reguarding Sql Injection Defence

Full Version: Question Reguarding Sql Injection Defence

GovernmentSecurity.org > System Security > System Hardening

PiP

May 26 2004, 02:53 AM

Can anyone see any problems in my php login script that would allow someone to use sql injection techniques to gain access ?

or any other problems for that matter (reguarding the method i use to store/verify the hash/password)?

$luser = username passed to the php page
$lpword = password passed to the php page

CODE

$query ="SELECT name, password, type FROM user_accounts WHERE name='$luser'";
$result = mysql_query($query, $link);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
$num_rows = mysql_num_rows($result);
if($num_rows > 0){
list($name, $password, $type) = mysql_fetch_row($result);

$salt = substr($password, 0, 11);
$thehash = substr($password, 11, (strlen($password)));

$testp = $salt;
$testp .= $lpword;
$testhash = sha1($testp);

if($testhash == $thehash && $name == $luser && $type != "G") {
echo("Correct Password & Username, Logging you in now");
echo "<script>document.location='verify.php?cookie=set&nme={$name}&pwrd={$thehash}'</script>";
}else{
echo("Wrong Password or Username, or account has not yet been verified (check email).");
}
}else{
echo("Wrong Password or Username, or account has not yet been verified.");
}

JonJon

Sep 12 2004, 12:21 PM

i recommend using a function like htmlspecialchars
or htmlentites or addslashed on $luser, so no special chars would be added

x303

Sep 14 2004, 12:03 PM

you could add this to verify:

CODE

if(!preg_match("/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix",$text))
{
do_something();
}

..from SecurityFocus

MrK

Oct 26 2004, 11:21 AM

QUOTE(PiP @ May 26 2004, 03:53 AM)

Can anyone see any problems in my php login script that would allow someone to use sql injection techniques to gain access ?

[code]
$query ="SELECT name, password, type FROM user_accounts WHERE name='$luser'";

Hi

Just for some background ... if you're not filtering $luser before passing it to the DB then yes, there are issues. By including an apostrophe in that string, that finishes the first set of quotes. Then arbitrary SQL can be included. Finally, we have to deal with the last quote, so mysql supports three different types of comments: the '#' character, the MS-SQL style '--' delimeter, and the C-style '/* and */'. So $luser could be something as trivial as

"foo'; drop database bar; --"

which will silently drop the db if privilege allows ... however, using different techniques, it may be possible to actually circumvent the login script, by causing an update statement to be run to set password to a known value for a given user, allowing a second attempt at running the script to authenticate. It all depends on DB permissions and if your algorithm is known ... but you probably already knew that

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.