darkfreaks Posted December 24, 2008

Hey guys, for some reason I keep finding SQL injection in username and password but I can't find it. Any pointers???

```php
<?php
/* Process Login (login.pro.php) */
ob_start();
include "global.inc.php"; // assumed to define fetch() and $game

function clean($str) {
    $str = stripslashes(strip_tags(htmlspecialchars($str, ENT_QUOTES)));
    return $str;
}

if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
} elseif (!get_magic_quotes_gpc()) {
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

if (get_magic_quotes_gpc()) {
    function clean_post_var($var) {
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return htmlspecialchars($var); // PHP 4 version
    }
    $_POST    = array_map('clean_post_var', $_POST);
    $_GET     = array_map('clean_post_var', $_GET);
    $_COOKIE  = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
} elseif (!get_magic_quotes_gpc()) {
    function clean_post_var($var) {
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return htmlspecialchars($var); // PHP 4 version
    }
    $_POST    = array_map('clean_post_var', $_POST);
    $_GET     = array_map('clean_post_var', $_GET);
    $_COOKIE  = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
}

// $login_password and $login_username are not read from $_POST here; they only
// have values if register_globals is on (see the replies below).
$encrypted_password = clean(stripslashes_deep(clean_post_var(md5($login_password))));
$login_username     = clean(stripslashes_deep(clean_post_var($login_username)));

$check = fetch("SELECT username,password FROM members2 WHERE username = '$login_username' AND password = '$encrypted_password' AND game = '$game'");

if ($check['username']) {
    $thepassword_in_db = clean_post_var(md5(sha1($login_password)));
    setcookie("username_$game", clean_post_var($check['username']), time() + 2678400);
    setcookie("password_$game", clean_post_var($check['password']), time() + 2678400);
    setcookie("phpqa_user_c", clean_post_var($check['username']), time() + 99999);
    setcookie('phpqa_user_p', $thepassword_in_db, time() + 99999);
} // closing brace was missing from the posted snippet; the rest of the script was not posted
?>
```

Link to comment https://forums.phpfreaks.com/topic/138326-solved-leaking-injection/
PFMaBiSmAd Posted December 24, 2008

Where and how is $game being set? What is being injected and what is being accomplished by the injection?
darkfreaks (Author) Posted December 24, 2008

Never mind, the post values are on another page. I have to fix that!
darkfreaks (Author) Posted December 24, 2008

OK, so that didn't help at all. I still get 51 failures on login_username and login_password. What am I doing wrong that the sanitization is being bypassed??? I had this working yesterday.
PFMaBiSmAd Posted December 24, 2008

The test, which you removed the name of when you edited your post, works by triggering query errors. What error resulted and what data did it use? Those pieces of information would help pinpoint what is going on.

Your code is also using the "Tim Taylor - more power" approach to security, and a lot of what it is doing is pointless and some of it is not doing enough.

htmlspecialchars() does not operate on all the HTML special characters. Use htmlentities().

Using strip_tags() after using htmlspecialchars()/htmlentities() is a waste of processing time because there won't be any tags to strip: they would have already been converted to their entity version.

An md5() of anything is safe from sql injection, so clean(stripslashes_deep(clean_post_var(md5($login_password)))) is another waste of processing time.

Passing all the post/get/cookie/request data through the stripslashes_deep and clean_post_var functions and then not using that data in the lines right before the query indicates that register_globals are on (which is a more serious problem than sql injection because session variables can be set by a hacker). You are using $login_password and $login_username directly in clean(stripslashes_deep(clean_post_var(md5()))). The only way they had values from your form is if register_globals are on.

But the actual problem is you are using the clean() function last before you put the data into the query, and clean() executes a stripslashes(), which removes anything that mysql_real_escape_string() added.
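The ordering bug described in the reply above, replayed on a scanner-style probe, as an added example that is not code from the thread. addslashes() stands in for mysql_real_escape_string(), which needs a live connection; both prefix quotes and backslashes with a backslash. The PDO function and the two probe values are assumptions for illustration.

```php
<?php
// Added example, not the thread author's code. It replays the order of operations
// from the posted script on a constructed probe, then shows two fixes.
// addslashes() stands in for mysql_real_escape_string() (needs a live connection).

function clean($str) {                      // same as the posted clean()
    return stripslashes(strip_tags(htmlspecialchars($str, ENT_QUOTES)));
}

// Posted order: escape first, clean() last. clean() ends with stripslashes(),
// which removes the backslash the escaping step just added.
function thread_order($input) {
    $escaped = addslashes(trim(strip_tags($input)));
    return clean($escaped);
}

// Fix 1, if you must build query strings: escaping is the LAST step, nothing
// runs after it that can remove what it added.
function escape_last($input) {
    return addslashes(trim(strip_tags($input)));
}

// Fix 2 (preferred): bind parameters, so the value can never change the SQL
// structure no matter what filtering ran before. Assumes a PDO connection.
function find_member(PDO $db, $user, $hash, $game) {
    $stmt = $db->prepare('SELECT username, password FROM members2 '
                       . 'WHERE username = ? AND password = ? AND game = ?');
    $stmt->execute([$user, $hash, $game]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed probes. A single quote is turned into &#039; by htmlspecialchars()
// before stripslashes() runs, so it reaches the query as a harmless entity.
// A lone backslash is left alone by htmlspecialchars() and then unescaped by
// stripslashes(), so the query gets  username = '\'  and the literal never
// closes: exactly the kind of query error a scanner counts as a failure.
foreach (["'", "\\"] as $probe) {
    printf("probe %-2s posted order: WHERE username = '%s'\n", $probe, thread_order($probe));
    printf("probe %-2s escape last : WHERE username = '%s'\n", $probe, escape_last($probe));
}
```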