php sql injections please help.


william232
09-21-2006, 08:14 PM
A month ago I posted about how to protect my login system.

Hi all, I just tried to hack into my own site to see how secure it was, and I want to clean up my code so no one can hack into my site using SQL injections. This is my login code:


<?php
session_start();
$msg_pass = "";
$msg_user = "";
$username = trim($_POST['username'] ?? '');
$password = trim($_POST['password'] ?? '');
if ($username && $password)
{
    //include database
    // the raw POST value is concatenated straight into the SQL text
    $cQuery = "SELECT username,password FROM users WHERE username='" . $username . "'";
    $rs = mysqli_query($con, $cQuery);
    if ($rs)
    {
        $count = mysqli_num_rows($rs);
        if ($count > 0)
        {
            $shapass = sha1($password, TRUE); // raw binary digest
            $data = mysqli_fetch_assoc($rs);
            if ($data['password'] == $shapass)
            {
                $_SESSION['user'] = $username;
            }
            else
            {
                $msg_pass = "Wrong Password,Please Try again";
            }
        }
        else
        {
            $msg_user = "Wrong Username,Please Try again";
        }
    }
    else
    {
        echo "Unable to execute the query:" . mysqli_errno($con);
    }
}


That is my login code. How can I go about fixing the SQL injection in the login code? Can anyone help?

Now I was given this function:


function prepareData($data) {
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    return mysql_real_escape_string($data);
}


I was told to do this:


You would need to change


PHP Code:
$username=trim($_POST['username']);
$password=trim($_POST['password']);



to


PHP Code:
$username=prepareData($_POST['username']);
$password=prepareData($_POST['password']);



When I did that it worked, but when I logged in as admin and typed 1=1-- it still let me in. Is there anything wrong with my login system?

Because this is what I have now.


<?php
session_start();
$msg_pass = "";
$msg_user = "";
// prepareData() as defined above
$username = prepareData($_POST['username'] ?? '');
$password = prepareData($_POST['password'] ?? '');
if ($username && $password)
{
    //include database
    $cQuery = "SELECT username,password FROM users WHERE username='" . $username . "'";
    $rs = mysqli_query($con, $cQuery);
    if ($rs)
    {
        $count = mysqli_num_rows($rs);
        if ($count > 0)
        {
            $shapass = sha1($password, TRUE); // raw binary digest of the escaped password
            $data = mysqli_fetch_assoc($rs);
            if ($data['password'] == $shapass)
            {
                $_SESSION['user'] = $username;
            }
            else
            {
                $msg_pass = "Wrong Password,Please Try again";
            }
        }
        else
        {
            $msg_user = "Wrong Username,Please Try again";
        }
    }
    else
    {
        echo "Unable to execute the query:" . mysqli_errno($con);
    }
}
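
As an added example (not code from william232's post or anyone else in this thread), here is the same login written on a mysqli prepared statement, which removes the concatenation instead of escaping around it. It assumes $con is an open mysqli connection, that the users table has username and password columns, and, departing from the sha1() scheme in the post, that password stores a password_hash() value. The injected username string at the bottom is constructed for illustration.

```php
<?php
// Added example, not from the original thread: the login above rebuilt on a
// mysqli prepared statement. The username travels to MySQL as a bound
// parameter and is never spliced into the SQL text.
// Assumptions (not in the original post): $con is an open mysqli connection,
// users(username, password) exists, and password holds password_hash() output.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

function loginUser(mysqli $con, string $username, string $password): bool
{
    $username = trim($username);
    $password = trim($password);
    if ($username === '' || $password === '') {
        return false;
    }

    // The ? placeholder is a bound parameter: whatever the user typed, the
    // server compares it against the column as a single literal value.
    $stmt = mysqli_prepare(
        $con,
        'SELECT username, password FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($con));
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return false;
    }
    mysqli_stmt_bind_result($stmt, $dbUser, $dbHash);
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    if (!$found) {
        return false; // no such user; say nothing more specific to the caller
    }

    // password_verify() does the hash comparison, so there is no == on digests.
    if (!password_verify($password, $dbHash)) {
        return false;
    }

    session_regenerate_id(true); // new session id on privilege change
    $_SESSION['user'] = $dbUser;
    return true;
}

// Constructed sample input: the classic quote-breakout payload.
$attack = "admin' OR 1=1 -- ";

// What the original concatenated query becomes with that input (shown, not run):
$unsafe = "SELECT username,password FROM users WHERE username='" . $attack . "'";
// SELECT username,password FROM users WHERE username='admin' OR 1=1 -- '
// The closing quote and everything after it are now the attacker's SQL.

// With the prepared statement the same string is looked up as a username that
// does not exist, so the call returns false:
// loginUser($con, $attack, 'whatever');
```

The statement text is fixed before any user data is attached, so the server parses it once and then receives the username as data; there is nothing for a quote or a comment marker to break out of. Note that this also fixes the second bug in the posted version, where the escaped form of the password was what got hashed.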

creedo
09-22-2006, 04:07 AM
Why don't you use a make_safe function like this:

$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$username."' and Password = '".$password."'");

So when they inject something like this: ' OR 1=1 #

The following query will select from the database where the username is equal to "\' OR 1=1 #", which is perfectly safe. And one more thing to make it more secure: be sure to validate it first before sending it to the server, such as using JavaScript.

If you still encounter a problem, don't bother to email me..

william232
09-22-2006, 05:20 AM
make_safe isn't a function.

decibel
09-22-2006, 05:51 AM
make_safe isn't on php.net

Stephen Philbin
09-22-2006, 06:00 AM
I get the feeling Creedo had mysql_real_escape_string() (http://www.zend.com/manual/function.mysql-real-escape-string.php) in mind.

william232
09-22-2006, 06:50 AM
Still, how can I fix it?

Dopple
09-22-2006, 08:15 AM
How about using add_slashes();
PHP Code:
$username=add_slashes($_POST['username']);
$password=ad_slashes($_POST['password']);
I think you would then also have to use add_slashes when creating the user and password, unless you don't allow non-alphanumeric characters. It pretty much gets the same result as what Creedo advised.
Edit: "If you still encounter a problem, don't bother to email me.."
Ho ho ho.

william232
09-22-2006, 03:39 PM
I get undefined function add_slashes();

ronverdonk
09-22-2006, 06:47 PM
If it is not TOO much trouble, look every now and then at the php.net documentation and you'll see that he means the addslashes() function. You could have found that yourself.

Ronald :cool:

creedo
09-22-2006, 07:02 PM
Sorry for my mistake. As I look in my code, I forgot to mention that make_safe is a user-defined function around addslashes(). To put it correctly, include this function:

function make_safe($var) {
    $var = addslashes(trim($var));
    return $var;
}

william232
09-22-2006, 07:33 PM
Oh ok, thanks, I'll try those you gave me :)

Shears
09-22-2006, 08:49 PM
addslashes() still leaves vulnerabilities to SQL injection. mysql_real_escape_string() is a better option ;)

Shears

pcthug
09-22-2006, 11:45 PM
You should use the mysqli_real_escape_string (http://www.php.net/manual/en/function.mysqli-real-escape-string.php) function when working with the MySQL Improved Extension.
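
Added example, not from pcthug's post or any other post in this thread: the prepareData() helper from earlier in the thread reworked for mysqli as suggested here, together with the two caveats a practitioner needs when relying on escaping at all. First, mysqli_real_escape_string() escapes according to the connection's character set, so the charset must be set on the connection before anything is escaped (addslashes() knows nothing about the charset and only handles ', ", \ and NUL, while the mysqli function also covers \n, \r and Control-Z). Second, escaping only does anything for a value that sits inside quotes; an integer column compared without quotes gets no protection from it. $con is assumed to be an open mysqli connection, and the integer id column on users is hypothetical.

```php
<?php
// Added example, not from the thread: prepareData() for the mysqli extension,
// plus the limits of escaping. Assumes $con is an open mysqli connection and
// that users has a hypothetical integer `id` column.

// Escaping is charset-dependent, so set the charset on the connection object
// (not via a "SET NAMES" query, which the client library does not see).
mysqli_set_charset($con, 'utf8mb4');

// For values that will be placed inside single quotes in the SQL text.
// get_magic_quotes_gpc() no longer exists (removed in PHP 8), so the
// stripslashes() step from the original helper is dropped.
function prepareString(mysqli $con, string $data): string
{
    return mysqli_real_escape_string($con, trim($data));
}

// For values compared against an integer column there are no quotes to
// break out of, so there is nothing to escape; validate the type instead.
function prepareInt(string $data): int
{
    $data = trim($data);
    if (!ctype_digit($data)) {
        throw new InvalidArgumentException('expected an unsigned integer');
    }
    return (int) $data;
}

// Constructed sample inputs.
$userInput = "' OR 1=1 #";
$idInput   = "1 OR 1=1";

// Quoted context: the payload becomes a literal, as creedo described.
$q1 = "SELECT username FROM users WHERE username = '" . prepareString($con, $userInput) . "'";
// SELECT username FROM users WHERE username = '\' OR 1=1 #'

// Unquoted context: "1 OR 1=1" has no quote, backslash or control byte, so the
// escape function returns it unchanged and the WHERE clause matches every row.
$unsafe = "SELECT username FROM users WHERE id = " . mysqli_real_escape_string($con, $idInput);
// SELECT username FROM users WHERE id = 1 OR 1=1

// Type validation rejects it before any SQL is built.
try {
    $q2 = "SELECT username FROM users WHERE id = " . prepareInt($idInput);
} catch (InvalidArgumentException $e) {
    $q2 = null; // "1 OR 1=1" never reaches the query string
}
```

Even with both helpers in place, every query still has to use the right one for each column's type, which is the maintenance burden that prepared statements remove.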

netbuddy
10-04-2006, 11:40 AM
I thought it was stripslashes() and strip_tags() to remove escaped character strings and to remove HTML code from a POST variable.

I have read on the MySQL site about injection; it is wise to pay special attention to this point...

You can beef up your PHP until the cows come home, but if you have not implemented some MySQL functions within the server, like using stored routines on the server, anyone with 1.5 brain cells can and will often attack the server directly rather than access it via your site. All they need to know is the server URL and they can have a bot do the long leg work of hacking in; or if they have managed to second-guess your password and login credentials, or managed to trick the server which hosts your PHP pages into delivering your script, you're pretty much stuffed unless you account for security at both ends. MySQL and PHP both need some form of security, as both can be abused.

You should visit the MySQL website and take a peek at security.