Login safety - SQL injection?


4 replies to this topic

#1 steff_dk

steff_dk
  • Members
  • Member
  • 17 posts
  • Location: Silkeborg, Denmark

Posted 16 October 2006 - 07:45 PM

I'm using this login script on a page, but I fear I have some serious safety issues:

How can I check if the variables were posted from the login.htm page?
Other comments on the safety issues are highly appreciated. Gotta stay cracker-safe  ;)

Cheers,

Steff

<?PHP

$user = $_POST['username'];
$pass = md5($_POST['password']);

//set the database connection variables
$dbHost = "localhost";
$dbUser = "myUserName";
$dbPass = "myPwd";
$dbDatabase = "somedomain_dk";

//connect to the database
$db = mysql_connect($dbHost, $dbUser, $dbPass) or die("Error connecting to database.");
mysql_select_db($dbDatabase, $db) or die("Couldn't select the database.");

//$user is raw POST input placed straight into the SQL string; this is the
//injection point the replies in this thread discuss.
$result = mysql_query("select * from siteadmins where username='$user' AND password='$pass'", $db);

//check that at least one row was returned
$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
    while($row = mysql_fetch_array($result)){

        //start the session and register a variable
        //(session_register() stores the global named 'username', so that global must exist)
        session_start();
        $username = $user;
        session_register('username');

        //Redirect the user to another page where we will make sure the session 'username' is started.
        header("Location: admin.php");
    }
}
else {
    //if nothing is returned by the query, unsuccessful login code goes here...
    echo 'Invalid username or password.';
}

?>


#2 neoform

neoform
  • Members
  • Advanced Member
  • 241 posts
  • Location: Montreal

Posted 16 October 2006 - 08:22 PM

You can't verify a user's referral page with any certainty since the user's client can easily lie by modifying its header information.

A standard way to authenticate a user is to create a cookie (or session, whichever you want) containing the user's login and md5(password) and check on every page load that those two credentials match the info that's in the database.
Newsique.com Social News Network
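The "check on every page load" idea above, as an added example that is not code from the thread: a guard that admin.php includes at the top. It keeps the credentials server-side in the session rather than in a cookie, re-checks the account against the database on each request, and applies an idle timeout. The function name, the 30 minute timeout and the PDO connection are my assumptions; the siteadmins table and its username column come from the thread.

```php
<?php
// Added example (not from the thread): a per-page session check that admin.php
// can include. Credentials stay server-side in the session; the database is
// re-queried on every request so a removed admin loses access immediately.
// Assumptions: PDO connection, 'siteadmins' has a 'username' column, and a
// 30 minute idle timeout is acceptable policy.
declare(strict_types=1);

// Returns the logged-in username, or null if the session holds no valid login.
function currentAdmin(PDO $db): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username']) || empty($_SESSION['login_time'])) {
        return null;
    }

    // Idle timeout (assumed 30 minutes) measured from the last verified request.
    if (time() - (int) $_SESSION['login_time'] > 1800) {
        session_unset();
        session_destroy();
        return null;
    }

    // Re-check that the account still exists. The value is bound as a parameter,
    // so even a tampered session value cannot change the query's structure.
    $stmt = $db->prepare('SELECT username FROM siteadmins WHERE username = ? LIMIT 1');
    $stmt->execute([$_SESSION['username']]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        session_unset();
        session_destroy();
        return null;
    }

    $_SESSION['login_time'] = time();   // refresh the idle timer
    return (string) $name;
}

// Usage at the top of admin.php (DSN and credentials are the thread's placeholders):
$db = new PDO('mysql:host=localhost;dbname=somedomain_dk;charset=utf8mb4', 'myUserName', 'myPwd');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if (currentAdmin($db) === null) {
    header('Location: login.htm');
    exit;
}
```

Because the session only stores the username and a timestamp, nothing secret is handed to the browser; the session id cookie is the only thing the client holds, which is why the login handler should call session_regenerate_id() once the password has been verified.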

#3 alpine

alpine
  • Members
  • Advanced Member
  • 756 posts
  • Location: Norway

Posted 16 October 2006 - 08:29 PM

Another idea:

Generate and insert a random string (md5 or sha1 for instance) and a timestamp to a mysql table upon loading the login-form, and pass the generated random value along in a hidden field in the login form.
Before allowing a query for a valid user in the result page, check the random string against a match in the "random" table. This way you can be pretty sure that it is a genuine login attempt.
Delete all random strings older than e.g. 10 minutes or something in your login script just to clean up.

EDIT**

Also, in your current script you are pretty much wide open to injection attempts; always filter users' input before letting it pass to the query. Just switching the WHERE clause would make things a lot safer, by first matching the password and then matching the username. Any injection attempt would have to know the password rather than the (normally) easier username to open up.

A small rewrite that should improve the total:

<?php

if(!empty($_POST['username']) && !empty($_POST['password']))
{
    $dbHost = "localhost";
    $dbUser = "myUserName";
    $dbPass = "myPwd";
    $dbDatabase = "somedomain_dk";
    $db = mysql_connect($dbHost, $dbUser, $dbPass) or die("Error connecting to database.");
    mysql_select_db($dbDatabase, $db) or die("Couldn't select the database.");

    // Escape the username for use inside the SQL string literal. htmlspecialchars()
    // is the wrong tool for this: with its default flags it leaves single quotes
    // untouched, so it does not stop injection. The password itself never reaches
    // the query, only its md5 hex digest does, so it needs no escaping (and must
    // not be altered before hashing, or the stored hashes will no longer match).
    $user = mysql_real_escape_string($_POST['username'], $db);
    $pass = md5($_POST['password']);

    $result = mysql_query("select * from siteadmins where password='$pass' and username='$user'", $db);
    if(mysql_num_rows($result) == 1)
    {
        session_start();
        $_SESSION['username'] = $_POST['username'];   // raw value; escape it on output in admin.php
        header("Location: admin.php");
        exit();   // stop here so nothing runs after the redirect header
    }
    else
    {
        echo 'Invalid username or password.';
    }
}
else
{
    echo 'Missing required information';
}

?>


But still, you are relying on just one easy session with the username to verify access to your restricted area. A random db-stored string might be worth considering as well.
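The two ideas in this post, filtering input before it reaches the query and a random db-stored string issued with the login form, as an added example that is not alpine's or steff_dk's code. It uses PDO prepared statements instead of string building (the injection fix proper) and a single-use token table for the form. The table name login_tokens, the hidden field name login_token, and the use of password_hash()/password_verify() in place of the thread's md5 column are my assumptions; siteadmins, admin.php and the 10 minute expiry come from the thread.

```php
<?php
// Added example (not from the thread): login handler with bound parameters and
// a one-time form token. Assumed schema:
//   siteadmins(username VARCHAR, password VARCHAR)  -- password holds password_hash() output
//   login_tokens(token CHAR(64), created DATETIME)  -- assumed table for the random strings
declare(strict_types=1);

function dbConnect(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=somedomain_dk;charset=utf8mb4',
                  'myUserName', 'myPwd');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
    return $db;
}

// Called while rendering login.htm: stores a fresh random token and returns it
// for the hidden field. Rows older than 10 minutes are swept at the same time.
function issueLoginToken(PDO $db): string
{
    $db->exec('DELETE FROM login_tokens WHERE created < NOW() - INTERVAL 10 MINUTE');
    $token = bin2hex(random_bytes(32));   // 64 hex chars, unpredictable
    $db->prepare('INSERT INTO login_tokens (token, created) VALUES (?, NOW())')
       ->execute([$token]);
    return $token;
}

// Consumes the token: true only if it exists and is fresh. Deleting it on use
// makes every token single-use, so a captured form cannot be replayed.
function consumeLoginToken(PDO $db, string $token): bool
{
    $stmt = $db->prepare(
        'DELETE FROM login_tokens WHERE token = ? AND created >= NOW() - INTERVAL 10 MINUTE');
    $stmt->execute([$token]);
    return $stmt->rowCount() === 1;
}

// True for a valid username/password pair. The query only fetches the stored
// hash for a bound username; the password is compared in PHP and never
// becomes part of any SQL text.
function checkLogin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM siteadmins WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db    = dbConnect();
    $user  = $_POST['username'] ?? '';
    $pass  = $_POST['password'] ?? '';
    $token = $_POST['login_token'] ?? '';   // hidden field name is assumed

    if ($user === '' || $pass === '' || $token === '') {
        echo 'Missing required information';
    } elseif (!consumeLoginToken($db, $token)) {
        echo 'Login form expired, please reload it.';
    } elseif (checkLogin($db, $user, $pass)) {
        session_start();
        session_regenerate_id(true);   // new session id after the privilege change
        $_SESSION['username']   = $user;
        $_SESSION['login_time'] = time();
        header('Location: admin.php');
        exit;
    } else {
        echo 'Invalid username or password.';   // same text for unknown user and wrong password
    }
}
```

With bound parameters the username is sent to MySQL as data, so the order of the WHERE clause no longer matters for safety; the token check answers the original "was this really posted from my form?" question without trusting the Referer header, which the client controls.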

#4 steff_dk

steff_dk
  • Members
  • Member
  • 17 posts
  • Location: Silkeborg, Denmark

Posted 17 October 2006 - 07:33 AM

SQL injection was a new concept for me.
Read this brilliant page afterwards: http://www.unixwiz.n...-injection.html

Couldn't I just MD5 both username and password to prevent SQL injection?

#5 mjlogan

mjlogan
  • Members
  • Advanced Member
  • 122 posts

Posted 17 October 2006 - 09:01 AM

You could login to the top script without using a valid username or password.

If you encrypt the password it will have better security.
