How dangerous is this PHP code?

How dangerous is this PHP code? What can be done about this?

$name = $_POST["user"];
$pwd = $_POST["pwd"];
$query = "SELECT name,pwd FROM users WHERE name = '$name' AND pwd = '$pwd'";
+3
13 answers

Possible problems:

  • SQL injection
  • XSS injection (if this code were an insert query, that would be a definite problem)
  • Plain text password

Your SQL statement may be problematic. It’s bad practice to leave yourself open to SQL injection.

SQL Injection Error. Believe me.

If you want to display $user on an HTML page, you may not want to enable the ability to “hack” your layout by typing commands, for example

<H1>HI MOM</H1>

or a bunch of javascript.


// mostly pulled from http://snippets.dzone.com/posts/show/2738
function MakeSafe($unsafestring)
{
    $unsafestring = htmlentities($unsafestring, ENT_QUOTES);

    if (get_magic_quotes_gpc())
    {
        $unsafestring = stripslashes($unsafestring);
    }

    $unsafestring = mysql_real_escape_string(trim($unsafestring));
    $unsafestring = strip_tags($unsafestring);
    $unsafestring = str_replace("\r\n", "", $unsafestring);

    return $unsafestring;
}

// Call a function to make sure the variables you are
// pulling in are not able to inject sql into your
// sql statement causing massive doom and destruction.

$name = MakeSafe( $_POST["user"] );
$pwd = MakeSafe( $_POST["pwd"] );

// As suggested by cagcowboy:
// You should NEVER store passwords decrypted.
// Ever.
// sha1 creates a hash of your password
// pack helps to shrink your hash
// base64_encode turns it into base64
$pwd = base64_encode(pack("H*", sha1($pwd)));
+24

xkcd: Bobby Tables

+14

, $query SQL.

+13

SQL Injection , , , .

+12

0';drop table users;--

select name, pwd from users where name='0';
drop table users; --'and pwd = '[VALUE OF PWD]'


mysql php sql, - .

PDO . , , Google.

+3
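Several answers above say "use PDO" or "use prepared statements" without showing one. The following is an added example, not code from the question or from any answer: buildUnsafeQuery() reproduces the interpolation from the question so that the effect of a single quote in the input is visible as SQL text, while login() does the same lookup with a PDO prepared statement, where the input is bound as data and never parsed as SQL. It also stores a password_hash() value instead of the plain password, and greeting() shows the output escaping needed for the XSS point (the <H1>HI MOM</H1> case). The in-memory SQLite database, the user "alice" and her password are constructed for the example.

```php
<?php
// Added example: vulnerable string interpolation beside a PDO prepared statement.
// Database, table and sample user are constructed here; nothing is read from $_POST.

function buildUnsafeQuery(string $name, string $pwd): string
{
    // Exactly the pattern from the question: the input becomes part of the SQL text.
    return "SELECT name,pwd FROM users WHERE name = '$name' AND pwd = '$pwd'";
}

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pwd TEXT NOT NULL)');

    // Constructed sample user. The column holds a bcrypt hash, never the password.
    $ins = $db->prepare('INSERT INTO users (name, pwd) VALUES (:name, :pwd)');
    $ins->execute([
        ':name' => 'alice',
        ':pwd'  => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

function login(PDO $db, string $name, string $pwd): bool
{
    // The SQL text is fixed at prepare time; :name is filled in by the driver
    // as a value, so quotes or comment markers in $name cannot change the query.
    $stmt = $db->prepare('SELECT pwd FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // Compare against the stored hash; the password itself is never stored.
    return password_verify($pwd, $row['pwd']);
}

function greeting(string $name): string
{
    // Output escaping: markup typed into the name is displayed, not rendered.
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = openDb();
$hostile = "' OR 1=1 --";   // the same input the answers above discuss

// With interpolation the input is spliced into the SQL syntax:
echo buildUnsafeQuery($hostile, 'x'), PHP_EOL;

// With the prepared statement the same input is simply a user that does not exist:
var_dump(login($db, $hostile, 'x'));            // bool(false)
var_dump(login($db, 'alice', 'correct horse')); // bool(true)
var_dump(login($db, 'alice', 'wrong'));         // bool(false)

echo greeting('<H1>HI MOM</H1>'), PHP_EOL;
```

Run it with the pdo_sqlite extension enabled (php example.php). The design point is that escaping functions such as mysql_real_escape_string() try to make data safe inside SQL text, whereas a prepared statement keeps data and SQL text separate, so there is nothing to escape; the mysql_* functions used in the other answers were removed from PHP altogether in 7.0.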

SQL, , :

, "Guillaume François Antoine, Marquis de LHospital". , , , !

PDO :

$query = sprintf(
    "SELECT 1 FROM users WHERE name = '%s' AND password = '%s'",
    mysql_real_escape_string($_POST['name']),
    mysql_real_escape_string(md5($_POST['password']))
);
+3

, ... magic_quotes_gpc . PHP6, .

+2
  • $_POST['user'] = "' or 1=1; --";

  • $_POST['user'] = "'; DROP TABLE user; --"; (?)

  • $name , XSS-

+1

: , SQLInjection. , , - :   ' drop $username; . .

0


($ name $pwd). SQL . SQL .

0

. MD5 .
1) 2) , //

- , , A-Za-z0-9 , , ( , * 's, <' s, > ).

0

, - PDO. PHP PDO

0

SQL, mysql_real_escape_string.

, . :

function saltedHash($data, $hash=null)
{
    if (is_null($hash)) {
        $salt = substr(md5(uniqid(rand())), 0, 8);
    } else {
        $salt = substr($hash, 0, 8);
    }
    $h = $salt.md5($salt.$data);
    if (!is_null($hash)) {
        return $h === $hash;
    }
    return $h;
}

:

$query = 'SELECT pwd FROM users WHERE name = "'.mysql_real_escape_string($_POST['user']).'"';
$res = mysql_query($query);
if (mysql_num_rows($res)) {
   $row = mysql_fetch_assoc($res);
   if (saltedHash($_POST["pwd"], $row['pwd'])) {
       // authentic
   } else {
       // incorrect password
   }
} else {
   // incorrect username
}
0
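The saltedHash() answer above stores an 8-character salt followed by md5(salt . password). An added example, not part of that answer, of how a site with such records can keep accepting them while moving to password_hash(): a login verifies the legacy format if that is what is stored and, on success, overwrites it with a bcrypt hash, so the md5 records disappear as users log in. The lookup and update use PDO prepared statements; the in-memory table, the user "bob" and his legacy hash are constructed here.

```php
<?php
// Added example: verify the answer's legacy "salt . md5(salt . password)" format
// and transparently upgrade to password_hash() on successful login.
// The database content is constructed; nothing is read from $_POST.

function isLegacyHash(string $stored): bool
{
    // saltedHash() output: 8 hex salt chars + 32 hex md5 chars = 40 hex chars.
    // A password_hash() value starts with "$2y$" and is never pure hex.
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

function verifyLegacy(string $password, string $stored): bool
{
    $salt = substr($stored, 0, 8);
    // hash_equals() compares in constant time; the answer's === does not.
    return hash_equals($stored, $salt . md5($salt . $password));
}

function checkAndUpgrade(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pwd FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    $stored = $row['pwd'];

    if (isLegacyHash($stored)) {
        $ok = verifyLegacy($password, $stored);
        $needsRehash = $ok; // every legacy hash is replaced once it verifies
    } else {
        $ok = password_verify($password, $stored);
        // Also rehash if PHP's default cost/algorithm has moved on since storage.
        $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($needsRehash) {
        $upd = $db->prepare('UPDATE users SET pwd = :pwd WHERE name = :name');
        $upd->execute([
            ':pwd'  => password_hash($password, PASSWORD_DEFAULT),
            ':name' => $name,
        ]);
    }
    return $ok;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pwd TEXT NOT NULL)');

// Constructed legacy record, built exactly as saltedHash('hunter2') would have built it.
$salt = 'deadbeef';
$ins = $db->prepare('INSERT INTO users (name, pwd) VALUES (:name, :pwd)');
$ins->execute([':name' => 'bob', ':pwd' => $salt . md5($salt . 'hunter2')]);

var_dump(checkAndUpgrade($db, 'bob', 'wrong'));   // bool(false), record untouched
var_dump(checkAndUpgrade($db, 'bob', 'hunter2')); // bool(true), record upgraded

$now = $db->query("SELECT pwd FROM users WHERE name = 'bob'")->fetchColumn();
var_dump(isLegacyHash($now));                     // bool(false): now a password_hash() value
var_dump(checkAndUpgrade($db, 'bob', 'hunter2')); // bool(true), via password_verify()
```

The upgrade can only happen at login time because the plaintext password is needed to compute the new hash; accounts that never log in keep their md5 records, which is a reason to expire such hashes after a migration window rather than keep them indefinitely.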

Source: https://habr.com/ru/post/1704350/