|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 74
Members: 0
Total: 74
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
PHP code to prevent |
|
Posted: Wed Jan 03, 2007 11:09 pm |
|
|
Lord_Vader |
Regular user |
|
|
Joined: Jan 04, 2007 |
Posts: 5 |
Location: Netherlands |
|
|
|
|
|
|
We all know this code is vunarable for SQL injection:
Code: |
$user=$_POST['username'];
$pass=$_POST['password'];
$result=mysql_query("SELECT * FROM admin_users WHERE user='$user' AND pass='$pass'");
$row=mysql_fetch_row($result);
if($row==0)
{
die("Wrong login!");
}
|
But what should I use then?
I'm stuck here.
Thanks in advance |
|
|
|
|
|
|
|
|
Posted: Thu Jan 04, 2007 12:01 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This code by himself does not contain sql injection, because of the single quotes, surrounding input variables. Now, most of the real world php-enabled webservers are configured with "magic_quotes=on", so sql injection attempts will fail.
IF and only IF you encounter webserver with "magic_quotes=off", ten you can have sql injection case here, if there is no additional php code, responsible for input data sanitize.
In the last case you can try this username:
'OR 1=1 LIMIT 1/*
and let the password be whatever you want.
Then beause of the sql injection you will be loged on as first admin in table.
By the way, php pcode wants POST method, so you need manually crafted html file for exploiting.
P.S. I figured it out, that you asked question from webmaster's point of view, not from attacker's. So you want better code?
First of all, don't use plaintext passwords in database, better use salted md5 hashes. |
|
|
|
|
|
|
|
|
Posted: Thu Jan 04, 2007 12:31 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
|
|
|
|
Posted: Mon Jan 08, 2007 12:54 am |
|
|
Lord_Vader |
Regular user |
|
|
Joined: Jan 04, 2007 |
Posts: 5 |
Location: Netherlands |
|
|
|
|
|
|
Ok, I get it. Thanks for the replies.
I use mysql_real_escape_string() for security.
@waraxe: Yes, I use MD5, but I only posted part of my code |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|