Jump to content

Mysql_Real_Escape_String To Protect My Site

the-botman

By the-botman
in MySQL Help

 Share

Recommended Posts

the-botman Regular Member

the-botman

Posted
Posted (edited)

heya i really need some help, i am trying to add mysql_real_escape_string to protect against injection attacks but this statment gives me an error

$SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".mysql_real_escape_string($Post_Username)."'");

the error message is Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28

 

but this is my old code and i get no errors and it works 100% just its not protected against injection attacks 

$SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'");

 

This is my current login function

function Login($Post_Username, $Post_Password) {
 $Result = "Invalid Username/Password";

 $string1 = $Post_Password;
 $salt = 's+(_a*';
 $encrypted_mypassword = md5($string1.$salt); 
 $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'");
 $RowCnt = mysql_numrows($SqlResult);
If ($RowCnt >= 1) {
 $Usr_Id = mysql_result($SqlResult,0,"Usr_Id");
 $Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel");
 $Usr_Password = mysql_result($SqlResult,0,"Usr_Password");
 if ($encrypted_mypassword == $Usr_Password) {
 session_start(); 
 $_SESSION['leveladd'] = $Usr_AccessLevel;
 $_SESSION['Usr_Id'] = $Usr_Id;
 $_SESSION['logged'] = $Post_Username;
 $Result = "True"; 
 }
}
return $Result;
}

Please advise me on what im doing wrong i really need to secure my login page

 

Thanks in Advance

Zain

Edited by the-botman
Link to comment
Share on other sites
the-botman Regular Member

the-botman

Posted
  • Author
Posted

i also tried

$SqlResult = MySqlSelect(sprintf("SELECT * FROM `cpanel_users` WHERE Usr_Username='%s'",mysql_real_escape_string($Post_Username)));

but i get this error Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: sprintf() [0function.sprintf0]: Too few arguments in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_numrows() expects parameter 1 to be resource, boolean given in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 29

Link to comment
Share on other sites
ManiacDan Regular Member

ManiacDan

Posted
Posted

To clarify: If your MySqlSelect function establishes a database connection (it shouldn't, that's wrong), that will happen AFTER your call to mysql_real_escape_string, which requires a pre-existing database connection. Establish the connection before you build the query, or used PDO and prepared statements.

Link to comment
Share on other sites
the-botman Regular Member

the-botman

Posted
  • Author
Posted (edited)

this is the MySqlSelect function 

function MySqlSelect($TSqlQuery) {
$Conn = mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]);
@mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>');
$SqlResult=mysql_query($TSqlQuery);
mysql_close();
return $SqlResult;
}

 

what i dont understand is how does it connect with the script the way i have it now and it wont when i try and use mysql_real_escape_string and what would be a way around this or the way i should be doing it using the code as i have it

Edited by the-botman
Link to comment
Share on other sites
ManiacDan Regular Member

ManiacDan

Posted
Posted

Because...like I already said, the mysql_real_escape_string is being run before the function is called (that's how programming languages work, from the inside out). Since your function incorrectly establishes a database connection inside of itself, the m_r_e_s is being called before the connection is established, which throws an error.

 

And the solution, like I already said, is to establish a database connection FIRST. If you have 400 queries on your page you'll be establishing 400 database connections, which is 399 too many.

 

You also assign the connection to $Conn without ever using $Conn.

Link to comment
Share on other sites
the-botman Regular Member

the-botman

Posted
  • Author
Posted (edited)

ok after reading what you said this is what i took from it, it works 100% i just need you t0 tell me if this is the best way to do this

function Login($Post_Username, $Post_Password) {
$Result = "Invalid Username/Password";

 $string1 = $Post_Password;
$salt = 's+(_a*';
$encrypted_mypassword = md5($string1.$salt);
mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]);
mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>');
$Post_Username = mysql_real_escape_string($Post_Username);
$SqlResult = "Select * From cpanel_users WHERE Usr_Username='" . $Post_Username . "'";
$SqlResult=mysql_query($SqlResult);
$RowCnt = mysql_numrows($SqlResult);

If ($RowCnt >= 1) {
$Usr_Id = mysql_result($SqlResult,0,"Usr_Id");
$Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel");
$Usr_Password = mysql_result($SqlResult,0,"Usr_Password");

if ($encrypted_mypassword == $Usr_Password) {
session_start();
$_SESSION['leveladd'] = $Usr_AccessLevel;
$_SESSION['Usr_Id'] = $Usr_Id;
$_SESSION['logged'] = $Post_Username;
$Result = "True";
}
}
mysql_close();
return $Result;
}

Edited by the-botman
Link to comment
Share on other sites
ManiacDan Regular Member

ManiacDan

Posted
Posted

1) Don't use md5, it's insecure, even with a salt (especially with a 5-character salt). Use at least sha1, but there's a password thread in the forums about how to do it properly.

 

2) mysql_ functions are deprecated, you should use the mysqli_ equivalent, or PDO

 

3) You should be using the boolean values for true and false, not the word "true" (though your other return is an actual error message).

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.