Mutley Posted July 5, 2008

I have a simple login script (seen below); it would appear people are finding ways of bypassing it, as the site is being defaced frequently. I'm guessing it's something simple like adding code into the forms. I've now got a few functions that remove all bad characters, so hopefully that solves it (I've not pasted the functions into the below). I'm just curious what is wrong with it.

```php
<?php
if(!empty($_COOKIE['id']) && !empty($_COOKIE['pass'])) {
    $id = htmlspecialchars($_COOKIE['id'], ENT_QUOTES);
    $pass = htmlspecialchars($_COOKIE['pass'], ENT_QUOTES);
    $check = mysql_query("SELECT * FROM users WHERE password = '$pass' AND id = '$id'") or die(mysql_error());
    if(mysql_num_rows($check) <> 1) {
        echo "No access granted with your current user data";
        exit();
    } else {
?>
<br /><br />
<?php
    }
} else {
    if ($_POST['login']) {
        // The form has been submitted, so...
        $username = $_POST['username'];
        $password = md5($_POST['password']);
        // The above lines set variables with the submitted information.
        $info = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
        $data = mysql_fetch_array($info);
        if($data['password'] != $password) {
            // The password was not the user's password!
            echo "Incorrect username or password!";
        } else {
            // The password was right!
            $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
            $user = mysql_fetch_array($query); // Gets the user's information
            setcookie("id", $user['id'], time()+(60*60*24*5), "/", "");
            setcookie("pass", $user['password'], time()+(60*60*24*5), "/", "");
            // The above lines set 2 cookies. 1 with the user's id and another with his/her password
            echo ("<meta http-equiv=\"Refresh\" content=\"0; URL=login.php\"/>Thank-you. You will be redirected.");
            // Above line has redirect URL! Must return back to login page
        }
    } else {
?>
<center>
Please login:
<br /><br />
<form method="post" action="login.php">
<table width="100%" border="0" cellspacing="0" cellpadding="3">
<tr>
<td align="center">
Username: <input class="login" type="text" size="15" maxlength="25" name="username" />
</td>
</tr>
<tr>
<td align="center">
Password: <input class="login" type="password" size="15" maxlength="25" name="password" />
</td>
</tr>
<tr>
<td align="center">
<input class="submitbutton" type="submit" name="login" value="Login" />
</td>
</tr>
</table>
</form>
</center>
<?php
    }
}
?>
```
LooieENG Posted July 5, 2008

```php
$username = mysql_real_escape_string($_POST['username']);
```

Also, use mysql_real_escape_string on $_COOKIE['id'] and $_COOKIE['pass'].
azfar siddiqui Posted July 8, 2008

There is a PHP function which rejects all such issues: mysql_real_escape_string($string)
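A hardened version of the login flow from the first post, added here as an example and not code from the thread or its posters: the username is bound as a prepared-statement parameter (the same class of fix the replies above suggest with mysql_real_escape_string), passwords are checked with password_hash()/password_verify() instead of a stored md5, and the logged-in state lives in a server-side session rather than in an id/password cookie pair. The users table, its password_hash column and the sample user are constructed for the example, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not the thread's code: the same login flow with PDO prepared
// statements, password_hash()/password_verify() instead of md5(), and a
// server-side session instead of id/password cookies. Table, column names and
// the sample user are constructed; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// The username is bound as a parameter, so quotes or SQL keywords inside it
// stay data; nothing from the request is concatenated into the query text.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user id on success, null otherwise. An unknown username is still
// checked against a dummy hash so the failure path costs about the same time.
function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    $user = findUser($pdo, $username);
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return ($user !== null && $ok) ? (int) $user['id'] : null;
}

session_start();
if (isset($_POST['login'])) {
    $id = checkLogin($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($id === null) {
        echo "Incorrect username or password!";
    } else {
        session_regenerate_id(true);  // fresh session id once authenticated
        $_SESSION['user_id'] = $id;   // only the id, server-side; no password in any cookie
        header('Location: login.php');
        exit();
    }
} elseif (isset($_SESSION['user_id'])) {
    echo 'Logged in as user #' . (int) $_SESSION['user_id'];
} else {
    echo 'Please login.';
}
```

Because the stored hash never leaves the server, a stolen cookie no longer carries a reusable credential; revoking access means clearing the session, not changing the password.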