Login safety - SQL injection?


steff_dk


I'm using this login script on a page, but I fear I have some serious safety issues:

How can I check if the variables were posted from the login.htm page?
Other comments on the safety issues are highly appreciated. Gotta stay cracker-safe  ;)

Cheers,

Steff

[code]<?PHP

$user = $_POST['username'];
$pass = md5($_POST['password']);


//set the database connection variables

$dbHost = "localhost";
$dbUser = "myUserName";
$dbPass = "myPwd";
$dbDatabase = "somedomain_dk";

//connect to the database

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");

mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

$result=mysql_query("select * from siteadmins where username='$user' AND password='$pass'", $db);

//check that at least one row was returned

$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
while($row = mysql_fetch_array($result)){

  //start the session and register a variable

  session_start();
  session_register('username');


  //Redirect the user to another page where we will make sure the session 'username' is started.
  header( "Location: admin.php" );

  }

  }
  else {

  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Invalid username or password.';
  }

  ?>[/code]

You can't verify a user's referral page with any certainty, since the user's client can easily lie by modifying its header information.

A standard way to authenticate a user is to create a cookie (or session, whichever you want) containing the user's login and md5(password), and check on every page load that those two credentials match the info that's in the database.

Another idea:

Generate and insert a random string (md5 or sha1 for instance) and a timestamp to a mysql table upon loading the login-form, and pass the generated random value along in a hidden field in the login form.
Before allowing a query for a valid user in the result page, check the random string against a match in the "random" table. This way you can be pretty sure that it is a genuine login attempt.
Delete all random strings older than e.g. 10 minutes or something in your login script just to clean up.

EDIT**

Also, in your current script you are pretty much wide open to injection attempts; always filter user input before letting it pass to the query. Just switching the WHERE clause would make things a lot safer, by first matching the password and then matching the username. Any injection attempt would have to know the password rather than the (normally) easier username to open things up.

A small rewrite that should improve the total:
[code]

<?php

if(!empty($_POST['username']) && !empty($_POST['password']))
{
$user = htmlspecialchars($_POST['username']);
$pass = md5(htmlspecialchars($_POST['password']));
$dbHost = "localhost";
$dbUser = "myUserName";
$dbPass = "myPwd";
$dbDatabase = "somedomain_dk";
$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");
$result=mysql_query("select * from siteadmins where password='$pass' and username='$user'", $db);
if(mysql_num_rows($result) == "1")
{
session_start();
$_SESSION['username'] = $user;
header( "Location: admin.php" );
exit();
}
else
{
echo 'Invalid username or password.';
}
}
else
{
echo 'Missing required information';
}

?>

[/code]

But still, you are relying on just one easy session with the username to verify access to your restricted area. A random db-stored string might be worth considering as well.
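Editor's added example, not code posted by anyone in this thread. It covers the two replies above in one runnable script: the injection exposure of the interpolated query is shown next to a parameterised lookup with password_verify(), and the second reply's "random string in a hidden field" is done as a session-bound CSRF token instead of a cleanup-needing table. It uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension, present in most PHP builds) in place of the thread's MySQL connection; the siteadmins table and column names follow the thread, while the single admin row, the login inputs and the payload string at the bottom are constructed for the demo.

```php
<?php
// Added example for this thread, not code posted by anyone in it.
// Runs stand-alone: it uses an in-memory SQLite database through PDO
// (assumes the pdo_sqlite extension, present in most PHP builds) instead
// of the thread's MySQL setup. Table and column names follow the thread;
// the single admin row and the inputs at the bottom are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE siteadmins (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, slow hash (bcrypt via password_hash) rather than plain md5.
$ins = $db->prepare('INSERT INTO siteadmins (username, password) VALUES (:u, :p)');
$ins->execute([':u' => 'steff', ':p' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// 1. The thread's pattern: the username is interpolated into the SQL text.
//    Kept here only to show what the interpolated query does with a crafted
//    username; since the stored hash is not md5, no real password matches it.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $hash = md5($pass);
    $sql  = "SELECT * FROM siteadmins WHERE username='$user' AND password='$hash'";
    return $db->query($sql)->fetch() !== false;
}

// 2. Parameterised lookup plus password_verify(). The values travel separately
//    from the SQL text, so quotes in $user are just data, and the order of the
//    WHERE conditions has no bearing on safety.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    static $dummy = null;   // verified for unknown users so they cost the same time
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password FROM siteadmins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = is_array($row) ? $row['password'] : $dummy;
    $ok     = password_verify($pass, $stored);
    return is_array($row) && $ok;
}

// 3. The "random string in a hidden field" idea from the reply above, bound to
//    the session instead of a database table: nothing to clean up, and a token
//    minted for one browser cannot be replayed from another. $session stands
//    in for $_SESSION so the functions can be exercised outside a web request.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit CSPRNG value
    }
    return $session['csrf_token'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);   // constant-time compare
}

// Constructed inputs: the real credentials and the textbook tautology payload
// (the trailing space after "--" matters for MySQL's comment syntax).
$payload = "x' OR 1=1 -- ";
$sess    = [];
$token   = csrfToken($sess);   // would be emitted in the login form's hidden field

printf("vulnerable query, injected username : %s\n", loginVulnerable($db, $payload, 'anything') ? 'BYPASSED' : 'denied');
printf("prepared query,   injected username : %s\n", loginSafe($db, $payload, 'anything') ? 'BYPASSED' : 'denied');
printf("prepared query,   real credentials  : %s\n", loginSafe($db, 'steff', 'correct horse battery staple') ? 'ok' : 'denied');
printf("prepared query,   wrong password    : %s\n", loginSafe($db, 'steff', 'guess') ? 'ok' : 'denied');
printf("csrf token, genuine form post       : %s\n", csrfValid($sess, $token) ? 'accepted' : 'rejected');
printf("csrf token, forged post             : %s\n", csrfValid($sess, 'forged') ? 'accepted' : 'rejected');
```

In a real login handler the flow is: start the session, emit csrfToken($_SESSION) in the form, and on submit require csrfValid($_SESSION, $_POST['csrf_token'] ?? null) before calling loginSafe(). On success, call session_regenerate_id(true) and store only the username in $_SESSION; protected pages then check that key. Nothing derived from the password needs to live in a cookie, and no per-request re-check of the hash is required, because the session id itself is the proof of the earlier successful login.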
