SQL Injection alert!

  • Cheeseboy
  • Graduate
  • Posts: 106

Post 3+ Months Ago

Hi, it seems that I have a SQL injection alert here, but I don't know how to fix it.


Code:
$query = "SELECT * FROM users
      WHERE user_name='$user_name' AND password='$password'";

Thanks.

  • Vincent
  • Expert
  • Posts: 721
  • Loc: Brisbane, Australia

Post 3+ Months Ago

How are the variables $user_name and $password defined? Are they coming through POST, cookies, GET or sessions?
  • sevster
  • Bronze Member
  • Posts: 518

Post 3+ Months Ago

Yep, use sessions to fix it.
  • Cheeseboy
  • Graduate
  • Posts: 106

Post 3+ Months Ago

It's a query, use sessions? Could you post the code in its correct form please? I don't understand.
  • Vincent
  • Expert
  • Posts: 721
  • Loc: Brisbane, Australia

Post 3+ Months Ago

Set the sessions on the first page:
Code:
//Start Session
session_name('session_name');
session_start();

// Set Variables
$_SESSION['user'] = $username;
$_SESSION['pass'] = $password;

Send the query on the second page:
Code:
//Start Session
session_name('session_name');
session_start();

// Send Query
$query = "SELECT * FROM users
      WHERE user_name='".$_SESSION['user']."' AND password='".$_SESSION['pass']."'";

  • this213
  • Guru
  • Posts: 1260
  • Loc: ./

Post 3+ Months Ago

This looks like a query from a login script, where the user id would be set from the given username and password, so having a session wouldn't do you any good here. There are two points to be taken into consideration here:

1. Never pass raw data into MySQL. At the very least, addslashes() the value, so:
PHP Code:
<?php

$username = addslashes($_POST['username']);

?>

2. Never store plain text passwords in the database (the database might be read by anyone with access to the file system). Common practice is to md5 the password when it's set going into the database, then to check the md5 value of the user input password when they try to login:
PHP Code:
<?php

$password = md5($_POST['password']);

?>

These will fix your MySQL injection attack hole.

You shouldn't be using native PHP sessions if you're on a shared host. Your session files can be read by anyone with access to the same server. Because of this, you shouldn't use them at all so that your code is more portable without losing security. If you need session-like behavior, generate a random string and set that as a cookie, then associate it to a sessions table in your database.

No matter which method of sessions you use, you need to also validate that the session key is originating from the same client. Cookies, no matter if they're regular site cookies or PHP session cookies, can be sniffed, passed out by mistake or otherwise hijacked (google "session hijacking"), so you should be at the very least checking an md5 of the user agent string ($_SERVER['HTTP_USER_AGENT']) and possibly checking IP as well - depending on how secure you need your script.
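The cookie-plus-sessions-table scheme and the user-agent check described in the post above, as an added example (not this213's code): it assumes a mysqli connection $db and a sessions table with token_hash, user_id, ua_hash and expires_at columns, all constructed names.

```php
<?php
// Added example, not code from the thread: this213's random cookie token tied to a sessions
// table and bound to a hash of the User-Agent. Assumes a mysqli connection $db and a table
// sessions(token_hash, user_id, ua_hash, expires_at) (constructed); get_result() needs mysqlnd.

function start_db_session(mysqli $db, int $user_id): void
{
    $token     = bin2hex(random_bytes(32));              // 256 unguessable bits
    $tokenHash = hash('sha256', $token);                 // store a hash, as for passwords
    $uaHash    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $expires   = time() + 3600;

    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, ua_hash, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('sisi', $tokenHash, $user_id, $uaHash, $expires);
    $stmt->execute();
    $stmt->close();

    // HttpOnly keeps scripts away from the cookie, Secure keeps it off plain HTTP and
    // SameSite=Lax stops most cross-site requests from carrying it.
    setcookie('sid', $token, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid session, or null. The User-Agent comparison is the
// thread's "md5 of the user agent" check with sha256: it raises the bar for a copied
// cookie but does not stop an attacker who also copies the User-Agent string.
function current_user(mysqli $db): ?int
{
    $token = $_COOKIE['sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                     // malformed cookie
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, ua_hash, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->bind_param('s', $tokenHash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || (int) $row['expires_at'] < time()) {
        return null;                                     // unknown or expired
    }
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($row['ua_hash'], $uaHash)) {
        return null;                                     // presented from a different client
    }
    return (int) $row['user_id'];
}
```

Because only a hash of the token is stored, a copy of the sessions table on a shared host does not by itself yield usable cookies.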
  • PolishHurricane
  • Mastermind
  • Posts: 1585

Post 3+ Months Ago

this213 is right with everything he said. I also do most of those things, including checking the user agent on login for a switch and checking the IP address as an option for the user.

When I code, I also don't trust ANYTHING, even an IP.

However, the bit about addslashes sorta works, but it's better to use more advanced things. One problem with PHP is that it will automatically addslashes() to scripts (If the magic quotes option is set and it usually is), so adding slashes would be like adding slashes over slashes so.... ' turns into \\' if you add slashes over slashes, and the backslashes are useless.

There are ways to solve this though.

PHP Code:
<?php
function SmartRemoveSlashes($value)
{
    //This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
    return (get_magic_quotes_gpc()) ? ((is_array($value)) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}

//SO EXAMPLE:
$username = SmartRemoveSlashes($_REQUEST['username']);
$password = SmartRemoveSlashes($_REQUEST['password']);
?>

So now $username and $password are still open to injection, but they don't have anything on them, so you won't have any problems with PHP having already added slashes.

Then, after that in this case you're using MySQL, so you would escape the data with mysql_real_escape_string() or just mysql_escape_string() if you have an older version. Think of this function as addslashes() on steroids, but it protects against other harmful characters.

Also, if you are just expecting integers, then use intval($input) on raw data, and if you are expecting positive integers (and if you don't feel like throwing an error), use abs(intval($input)).
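The login from the first post rewritten with a prepared statement and a proper password hash, as an added example (not code from any poster): parameter binding replaces the addslashes()/magic-quotes/mysql_real_escape_string() handling discussed by this213 and PolishHurricane above, and password_hash() replaces md5(). Assumed names: a mysqli connection $db and a users table with id, user_name and password_hash columns.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli connection $db and a
// users table with columns id, user_name and password_hash (constructed names);
// get_result() needs the mysqlnd driver.

// BEFORE: the query from the first post. Both values are spliced into the SQL text, so a
// quote character in either one changes the structure of the statement.
function vulnerable_login(mysqli $db, string $user_name, string $password): ?array
{
    $query = "SELECT * FROM users
      WHERE user_name='$user_name' AND password='$password'";
    $row = $db->query($query)->fetch_assoc();
    return $row ?: null;
}

// AFTER: a prepared statement sends the SQL and the values separately, so the database
// never parses user input as SQL. Nothing needs addslashes(), magic-quotes stripping or
// mysql_real_escape_string() when it is bound as a parameter.
function safe_login(mysqli $db, string $user_name, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, user_name, password_hash FROM users WHERE user_name = ?');
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The password is never part of the WHERE clause: the stored value is a salted
    // password_hash() digest (not md5), checked in constant time by password_verify().
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Registration side: store password_hash() output, never the plain text.
function create_user(mysqli $db, string $user_name, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user_name, $hash);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}
```

Integer inputs such as a user id from the URL are bound the same way with type 'i' after intval(), so the value never reaches the SQL text either.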
  • sevster
  • Bronze Member
  • Posts: 518

Post 3+ Months Ago

Your above example uses magic quotes which are not always turned on in every system.
  • PolishHurricane
  • Mastermind
  • Posts: 1585

Post 3+ Months Ago

sevster wrote:
Your above example uses magic quotes which are not always turned on in every system.

Yes, that is why it checks for them.
  • sevster
  • Bronze Member
  • Posts: 518

Post 3+ Months Ago

Sorry, was a bit tired when I wrote that...didn't read it thoroughly :)
  • PolishHurricane
  • Mastermind
  • Posts: 1585

Post 3+ Months Ago

I've been in your shoes before.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.