Yeah, sorry I didn't give an explanation and actually was a bit rough on you at 6 AM in the morning after I fixed another website.
Anyway, I will provide some background information here which should help you on your way.
PHP Code:
// vulnerable: $username and $password are concatenated straight into the SQL text
$result = mysql_query("SELECT * FROM tutor
    WHERE username='" . $username . "' and password='" . $password . "'");
$username and $password are not checked for right quoting.
This means if I type a password like: 0' UNION SELECT 'something
The actual SQL query looks like:
Code:
SELECT * FROM tutor WHERE username='foo' and password='0' UNION SELECT 'something'
As you can see anyone can manipulate the SQL queries.
To get around this, use
PHP Code:
$username = mysql_real_escape_string($username);
I do notice now that you changed $_REQUEST["username"] to $_POST["username"].
$_REQUEST can be either a $_POST (form post method), a $_GET (index.php?getkey=value or form get method) or a $_COOKIE.
It's the same bad thing as register_globals.
"register_globals" is a php.ini setting that copies all "request" variables (get, post, cookie) to the global scope of your PHP documents.
For example, if I ask for a page "index.php?username=foo&password=bob", then inside your document the following works:
PHP Code:
<?php
echo "Your username is $username\n";
echo "Your password is $password\n";
this will output
Code:
Your username is foo
Your password is bob
In the above code you use
PHP Code:
if($_POST["username"])
{
$username=$_POST["username"];
$password=$_POST["password"];
}
elseif($_SESSION["username"])
{
$username=$_SESSION["username"];
$password=$_SESSION["password"];
}
But there's no checking on register_globals, so if I set the "username" and "password" in a different way than you want it to, I can still get in.
So the correct coding would be more like:
PHP Code:
// !empty() keeps the same truthiness test as before but avoids the
// undefined-index notice when the key is absent
if(!empty($_POST["username"]))
{
    $username = $_POST["username"];
    $password = $_POST["password"];
}
elseif(!empty($_SESSION["username"]))
{
    $username = $_SESSION["username"];
    $password = $_SESSION["password"];
}
else
{
    // always initialise, so register_globals cannot pre-set these from GET/COOKIE
    $username = '';
    $password = '';
}
This way you are 100% certain they are not trying to get around your requests.
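As an added example (not code from the original post), here is the same login lookup written with a parameterised mysqli query, the modern alternative to concatenation plus mysql_real_escape_string; it assumes the "tutor" table from the post, a mysqli connection, and constructed connection values (dbuser/dbpass/dbname are placeholders):

```php
<?php
// Added example: login lookup with a prepared statement instead of
// building the SQL string from $username / $password.
session_start();

// Initialise explicitly so register_globals or a stray GET/COOKIE value
// can never pre-populate these (the "else" branch from the post).
$username = '';
$password = '';

if (!empty($_POST['username'])) {
    $username = (string) $_POST['username'];
    $password = (string) ($_POST['password'] ?? '');
} elseif (!empty($_SESSION['username'])) {
    $username = (string) $_SESSION['username'];
    $password = (string) ($_SESSION['password'] ?? '');
}

function findTutor(mysqli $db, string $username, string $password): ?array
{
    // The SQL text contains no user data. The "?" placeholders are bound
    // separately, so a value such as  0' UNION SELECT 'something  is
    // compared literally against the password column instead of being
    // parsed as part of the query.
    $stmt = $db->prepare(
        'SELECT * FROM tutor WHERE username = ? AND password = ?'
    );
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed connection values (placeholders); replace with the real ones.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    exit("Database connection failed\n");
}

$tutor = findTutor($db, $username, $password);
if ($tutor === null) {
    echo "Login failed\n";
} else {
    // escape on output so the stored value cannot inject HTML into the page
    echo "Welcome, " . htmlspecialchars($tutor['username']) . "\n";
}
```

The plaintext password comparison mirrors the post's table layout; the point of the example is only that the query text no longer depends on what the user typed.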