SQL Injections


Trium918

Would someone please explain to me why my code is vulnerable to injections, and how do I test against it?

Where would the attack occur?

<?php
/* SQL injections are probably one of the most common attacks nowadays.
   You might have heard of it, but you must really be sure that you understand
   how such attacks work. Imagine the following piece of PHP code: */

// db connection..
$res = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'
AND password = '".$_POST['password']."'");
if(mysql_num_rows($res) > 0)
{
   // user has been authenticated..
}

/* To some of you that may look scary, and that's good. It is scary.
   Imagine that the value of $_POST['password'] would be "foo' OR 1=1".
   Here is what the query would look like at runtime:

   SELECT * FROM users WHERE username = 'johndoe' AND password = 'foo' OR 1=1
*/
?>


The code you posted actually shows right in it why it's vulnerable. All someone has to do is enter the following into the username field at login, and they will be logged in as the first user in your database:

' or 1=1 -- 

 

This will run the following query:

SELECT * FROM users WHERE username = '' or 1=1 -- AND password = '';

 

The '--' is a comment in MySQL, so everything after that is ignored. In essence, this script will allow me to log in as the first user in the database (or any other user I choose if I play around with the query a bit more).


Well, you're putting the password straight from $_POST in the database! Big no-no... Somebody could enter the password as

somthing' or password <> 'somthing

or similar, gaining access to the site. You might want to read up on some articles about this. There are a few ways to do it; I tend to use mysql_real_escape_string().


' or 1=1 --  works like a charm.

 

Ok, how would the code below help to prevent the problem? How would I apply it to my code? Example please!

<?php
function escape_for_mysql($data)
{
    // if magic_quotes_gpc is on, strip the slashes it added
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data);
    }
    // needs an open mysql connection, since escaping depends on the charset
    return mysql_real_escape_string($data);
}
?>


From what I understand, it escapes nasty things like ' by putting a \ in front of them (so MySQL ignores them).

 

Yes, I understand, but how would I apply the function to every form field that is inserted into the database?
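An added example, not code posted in this thread, that answers the question two ways: escaping every $_POST field in one pass before building the query, and then the approach that avoids escaping altogether, a prepared statement. It assumes a mysqli connection in $db (the mysql_* functions used above no longer exist in current PHP), scalar form fields, and the same `users` table with `username` and `password` columns as the first post; the connection parameter on escape_for_mysql is an addition to the thread's function.

```php
<?php
// Added example, not the thread's code. Assumptions: $db is an open mysqli
// connection, every $_POST field is a plain string, and the `users` table
// has `username` and `password` columns as in the thread's query.

function escape_for_mysql(mysqli $db, string $data): string
{
    // get_magic_quotes_gpc() was removed in modern PHP, so guard the call
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    // the connection is needed because escaping depends on its charset
    return mysqli_real_escape_string($db, $data);
}

// Option 1: escape every submitted field at once and build the query only
// from the escaped copies. The payload shown in this thread,  ' or 1=1 --
// becomes  \' or 1=1 --  and stays inside the quoted string literal.
$clean = array_map(
    function (string $v) use ($db): string {
        return escape_for_mysql($db, $v);
    },
    $_POST
);
$sql = "SELECT id FROM users WHERE username = '" . $clean['username'] . "'"
     . " AND password = '" . $clean['password'] . "'";
$res = mysqli_query($db, $sql);
$authenticated = ($res !== false) && mysqli_num_rows($res) > 0;

// Option 2 (preferred): a prepared statement. The SQL text goes to the
// server with ? placeholders and the values are sent separately, so nothing
// the user types can change the structure of the query.
$stmt = mysqli_prepare(
    $db,
    'SELECT id FROM users WHERE username = ? AND password = ?'
);
mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['password']);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$authenticated = mysqli_stmt_num_rows($stmt) > 0;
mysqli_stmt_close($stmt);

// Like the thread's query, both options compare the stored password value
// directly; storing and checking password hashes instead is a separate fix.
```

With option 2 there is nothing left to forget on a new form field, which is why it answers the "every field" question better than a wrapper function does.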

 
