clown[NOR] Posted April 11, 2007 Well.. here it is.. I've made a database for My Favorite Movies.. It contains a login function (for the admin), a search function (not functional yet but I'm working on it), and you can sort movies by title or rating... I've also tried to protect the admin by adding a validation check in some files that checks if the user is logged in or not... but ATM it's only through cookies... is that safe or should I use a field in the DB to check it up against? please try it out... http://nstclan.com/phpschool/mfm Thanks In Advance Regards, Clown
ted_chou12 Posted April 11, 2007 the idea is fairly cool..!
obsidian Posted April 11, 2007 Well, your login is very easy to bypass, and you're open to XSS in your entries. You'll notice that I entered a test movie with some JavaScript in the review that pops up on the first screen. Also, you're open to SQL injection in your ORDER BY clause when you sort by something.
clown[NOR] Posted April 11, 2007 (Author) oh schnap... hehe... how can i fix those things obsidian ??
obsidian Posted April 11, 2007

clown[NOR] wrote: oh schnap... hehe... how can i fix those things obsidian ??

First off, I'm not positive as to how you're handling your login, but all I had to do was leave both username and password blank, and I got in... I tried some SQL injection to see if I could actually hack a user account, and none of the basics worked, but you're not checking against empty strings. If you clean that up, the other should be fine. Also, it's not a bad thing to allow for HTML entry into the collections if you restrict the HTML they can use with something like strip_tags() around all the user input.

As for the SQL injection in your ORDER BY clause, you should never take any values that the user could possibly tamper with and throw them straight into a query. In this case, you're doing something similar to this apparently:

SELECT * FROM mfm_movies ORDER BY $_GET['sort']

The problem is, all I had to do was start putting ?sort=1, ?sort=2, etc. into the URL to figure out how many columns you have in your table (I believe it's 9, right?). Once I know that, if I were to really want to do some damage, I could start throwing some UNION clauses into your query and go from there to pull other table information and possibly even start harvesting data from other tables. Obviously, I'm not out to get anyone, but I do want to find and point out some of the flaws and holes to you so you can avoid them.

You need to filter all query data that a user could tamper with. Also, you need to screen all queries to die gracefully with a simple error of your choosing instead of letting MySQL post errors that will give database information away. Hope this helps get you on your way. If I had more time, I'd try to delve a little deeper, but I think that's enough to get you going. Good luck!
clown[NOR] Posted April 11, 2007 (Author) yeah...thanks a lot man... I'm already working on some things here, at least Wikipedia said this was an SQL injection secure way to do it: $result = mysql_query ( "select * from mfm_users where username = '" . mysql_real_escape_string($mfm_USER) . "'" );
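Added example (not code from the thread or from the mfm script) showing hardened versions of the three spots obsidian raised and the escaping clown[NOR] asked about: an empty-credential check with a bound username parameter, an allowlisted ORDER BY column, and output escaping for stored reviews. It uses PDO with an in-memory SQLite database so it runs stand-alone on current PHP with pdo_sqlite; the table and column names and the sample rows are assumed.

```php
<?php
// Added example, not from the original script. Schema and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // catch and show a generic message in production
$db->exec("CREATE TABLE mfm_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$db->exec("CREATE TABLE mfm_movies (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER, review TEXT)");
$db->prepare("INSERT INTO mfm_users (username, password_hash) VALUES (?, ?)")
   ->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT)]);
$ins = $db->prepare("INSERT INTO mfm_movies (title, rating, review) VALUES (?, ?, ?)");
$ins->execute(['Alien', 9, 'Classic.']);
$ins->execute(['Test', 1, '<script>alert(1)</script>']); // the kind of review obsidian stored

// 1. Login: refuse blank credentials before querying, bind the username
//    instead of concatenating it, and compare a password hash, not plaintext.
function login(PDO $db, string $user, string $pass): bool {
    if ($user === '' || $pass === '') {
        return false;                                   // closes the blank/blank bypass
    }
    $st = $db->prepare("SELECT password_hash FROM mfm_users WHERE username = ?");
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// 2. Sorting: ORDER BY cannot be a bound parameter, so map the request value
//    onto an allowlist of real column names; anything else gets the default.
function listMovies(PDO $db, string $sort): array {
    $allowed = ['title' => 'title', 'rating' => 'rating'];
    $column  = $allowed[$sort] ?? 'title';
    return $db->query("SELECT title, rating, review FROM mfm_movies ORDER BY $column")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Output: escape when rendering so a stored <script> shows up as text.
function renderReview(string $review): string {
    return htmlspecialchars($review, ENT_QUOTES, 'UTF-8');
}

echo "blank login: ", login($db, '', '') ? 'ok' : 'denied', "\n";
echo "admin login: ", login($db, 'admin', 's3cret') ? 'ok' : 'denied', "\n";
foreach (listMovies($db, '1') as $m) {                 // '1' is not allowlisted, sorts by title
    echo $m['title'], ' (', $m['rating'], '): ', renderReview($m['review']), "\n";
}
```

With ERRMODE_EXCEPTION enabled, wrap the calls in a try/catch that logs the PDOException and prints a fixed message, which is the graceful failure obsidian describes instead of raw MySQL errors.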