Forums: Question Reguarding Sql Injection Defence - Forums

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Question Reguarding Sql Injection Defence is this vulnerable? - PHP & MySQL

#1 User is offline   PiP 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 172
  • Joined: 28-December 03

Posted 25 May 2004 - 06:53 PM

Can anyone see any problems in my php login script that would allow someone to use sql injection techniques to gain access ?

or any other problems for that matter (reguarding the method i use to store/verify the hash/password)?

$luser = username passed to the php page
$lpword = password passed to the php page

   $query ="SELECT name, password, type FROM user_accounts WHERE name='$luser'";
    $result = mysql_query($query, $link);
    if (!$result) {
       die('Invalid query: ' . mysql_error());
    }
    $num_rows = mysql_num_rows($result);
    if($num_rows > 0){
	list($name, $password, $type) = mysql_fetch_row($result);

	$salt = substr($password, 0, 11);
	$thehash = substr($password, 11, (strlen($password)));

	$testp = $salt;
	$testp .= $lpword;
	$testhash = sha1($testp);

	if($testhash == $thehash && $name == $luser && $type != "G") {
  echo("Correct Password & Username, Logging you in now");
  echo "<script>document.location='verify.php?cookie=set&nme={$name}&pwrd={$thehash}'</script>";
	}else{
  echo("Wrong Password or Username, or account has not yet been verified (check email).");
	}
    }else{
  echo("Wrong Password or Username, or account has not yet been verified.");
    }

0

#2 User is offline   JonJon 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 49
  • Joined: 16-December 03

Posted 12 September 2004 - 04:21 AM

i recommend using a function like htmlspecialchars
or htmlentites or addslashed on $luser, so no special chars would be added
0

#3 User is offline   x303 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 28
  • Joined: 04-February 04

Posted 14 September 2004 - 04:03 AM

you could add this to verify: 
if(!preg_match("/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix",$text))
{
  do_something();
}

..from SecurityFocus
0

#4 Guest_MrK_*

  • Group: Guests

Posted 26 October 2004 - 03:21 AM

PiP, on May 26 2004, 03:53 AM, said:

Can anyone see any problems in my php login script that would allow someone to use sql injection techniques to gain access ?

[code]
    $query ="SELECT name, password, type FROM user_accounts WHERE name='$luser'";


Hi

Just for some background ... if you're not filtering $luser before passing it to the DB then yes, there are issues. By including an apostrophe in that string, that finishes the first set of quotes. Then arbitrary SQL can be included. Finally, we have to deal with the last quote, so mysql supports three different types of comments: the '#' character, the MS-SQL style '--' delimeter, and the C-style '/* and */'. So $luser could be something as trivial as

"foo'; drop database bar; --"

which will silently drop the db if privilege allows ... however, using different techniques, it may be possible to actually circumvent the login script, by causing an update statement to be run to set password to a known value for a given user, allowing a second attempt at running the script to authenticate. It all depends on DB permissions and if your algorithm is known ... but you probably already knew that :)
0
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

  • Share



Our Sponsors:


SwiftLayer Affiliate Web Hosting