Jump to content

Recommended Posts

heya i really need some help, i am trying to add mysql_real_escape_string to protect against injection attacks but this statment gives me an error

$SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".mysql_real_escape_string($Post_Username)."'");

the error message is Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28

 

but this is my old code and i get no errors and it works 100% just its not protected against injection attacks

$SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'");

 

This is my current login function

function Login($Post_Username, $Post_Password) {
 $Result = "Invalid Username/Password";

 $string1 = $Post_Password;
 $salt = 's+(_a*';
 $encrypted_mypassword = md5($string1.$salt); 
 $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'");
 $RowCnt = mysql_numrows($SqlResult);
If ($RowCnt >= 1) {
 $Usr_Id = mysql_result($SqlResult,0,"Usr_Id");
 $Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel");
 $Usr_Password = mysql_result($SqlResult,0,"Usr_Password");
 if ($encrypted_mypassword == $Usr_Password) {
 session_start(); 
 $_SESSION['leveladd'] = $Usr_AccessLevel;
 $_SESSION['Usr_Id'] = $Usr_Id;
 $_SESSION['logged'] = $Post_Username;
 $Result = "True"; 
 }
}
return $Result;
}

Please advise me on what im doing wrong i really need to secure my login page

 

Thanks in Advance

Zain

Edited by the-botman

i also tried

$SqlResult = MySqlSelect(sprintf("SELECT * FROM `cpanel_users` WHERE Usr_Username='%s'",mysql_real_escape_string($Post_Username)));

but i get this error Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: sprintf() [0function.sprintf0]: Too few arguments in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_numrows() expects parameter 1 to be resource, boolean given in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 29

To clarify: If your MySqlSelect function establishes a database connection (it shouldn't, that's wrong), that will happen AFTER your call to mysql_real_escape_string, which requires a pre-existing database connection. Establish the connection before you build the query, or used PDO and prepared statements.

this is the MySqlSelect function

function MySqlSelect($TSqlQuery) {
$Conn = mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]);
@mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>');
$SqlResult=mysql_query($TSqlQuery);
mysql_close();
return $SqlResult;
}

 

what i dont understand is how does it connect with the script the way i have it now and it wont when i try and use mysql_real_escape_string and what would be a way around this or the way i should be doing it using the code as i have it

Edited by the-botman

Because...like I already said, the mysql_real_escape_string is being run before the function is called (that's how programming languages work, from the inside out). Since your function incorrectly establishes a database connection inside of itself, the m_r_e_s is being called before the connection is established, which throws an error.

 

And the solution, like I already said, is to establish a database connection FIRST. If you have 400 queries on your page you'll be establishing 400 database connections, which is 399 too many.

 

You also assign the connection to $Conn without ever using $Conn.

ok after reading what you said this is what i took from it, it works 100% i just need you t0 tell me if this is the best way to do this

function Login($Post_Username, $Post_Password) {
$Result = "Invalid Username/Password";

 $string1 = $Post_Password;
$salt = 's+(_a*';
$encrypted_mypassword = md5($string1.$salt);
mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]);
mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>');
$Post_Username = mysql_real_escape_string($Post_Username);
$SqlResult = "Select * From cpanel_users WHERE Usr_Username='" . $Post_Username . "'";
$SqlResult=mysql_query($SqlResult);
$RowCnt = mysql_numrows($SqlResult);

If ($RowCnt >= 1) {
$Usr_Id = mysql_result($SqlResult,0,"Usr_Id");
$Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel");
$Usr_Password = mysql_result($SqlResult,0,"Usr_Password");

if ($encrypted_mypassword == $Usr_Password) {
session_start();
$_SESSION['leveladd'] = $Usr_AccessLevel;
$_SESSION['Usr_Id'] = $Usr_Id;
$_SESSION['logged'] = $Post_Username;
$Result = "True";
}
}
mysql_close();
return $Result;
}

Edited by the-botman

1) Don't use md5, it's insecure, even with a salt (especially with a 5-character salt). Use at least sha1, but there's a password thread in the forums about how to do it properly.

 

2) mysql_ functions are deprecated, you should use the mysqli_ equivalent, or PDO

 

3) You should be using the boolean values for true and false, not the word "true" (though your other return is an actual error message).

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.