I recently took over the maintenance of a PHP application, and I'm not very familiar with PHP, but some of the things that I saw on the site make me nervous that it can be vulnerable to SQL injection attacks.
For example, see how this code works to enter the administrative section:
```php
$password = md5(HASH_SALT . $_POST['loginPass']);
// User input is interpolated straight into the SQL string (the concern raised above)
$query = "SELECT * FROM `administrators` WHERE `active`='1' AND `email`='{$_POST['loginEmail']}' AND `password`='{$password}'";
$userInfo = db_fetch_array(db_query($query));
if($userInfo['id']) {
    $_SESSION['adminLoggedIn'] = true;
    // user is logged in, other junk happens here, not important
}
```
The creators of the site created the special db_query method and the db_fetch_array method shown here:
```php
function db_query($qstring,$print=0) { return @mysql(DB_NAME,$qstring); }
function db_fetch_array($qhandle) { return @mysql_fetch_array($qhandle); }
```
Now it makes me think that I can do some kind of SQL injection attack with an email address, for example:
```
' OR 'x'='x' LIMIT 1;
```
and some random password. When I run this on the command line, the administrative user is returned, but when I try it in the application, I get the same wrong username/password error.
PHP --version:
```
# php --version
PHP 5.2.12 (cli) (built: Feb 28 2010 15:59:21)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with the ionCube PHP Loader v3.3.14, Copyright (c) 2002-2010, by ionCube Ltd., and
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
```
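Added example (my code, not the questioner's or the site's): the same administrator lookup with the submitted e-mail and password hash bound as parameters through PDO, which PHP 5.2 already ships, beside the string-built query from the question so the difference is visible. It assumes a PDO connection with placeholder credentials; HASH_SALT, DB_NAME and the `administrators` table are taken from the question.

```php
<?php
// Placeholders so the file runs on its own; the real site defines these elsewhere.
defined('HASH_SALT') or define('HASH_SALT', 'placeholder-salt');
defined('DB_NAME')   or define('DB_NAME', 'placeholder_db');

// String-built version from the question: a quote inside $email ends the
// string literal early, so the rest of the input becomes part of the WHERE clause.
function vulnerable_query(string $email, string $passwordHash): string {
    return "SELECT * FROM `administrators` WHERE `active`='1' "
         . "AND `email`='{$email}' AND `password`='{$passwordHash}'";
}

// Hardened version: the SQL text is fixed and the values are sent separately,
// so a quote in the e-mail field is only ever compared as data.
function find_admin(PDO $pdo, string $email, string $loginPass): ?array {
    // Kept as in the original so existing rows still match; salted MD5 is not a
    // suitable password hash, but replacing it means re-hashing every stored password.
    $hash = md5(HASH_SALT . $loginPass);

    $stmt = $pdo->prepare(
        "SELECT * FROM `administrators` WHERE `active`='1' AND `email`=? AND `password`=?"
    );
    $stmt->execute([$email, $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input using the e-mail value from the question; prints the
// rewritten query so the effect of interpolation can be seen without a database.
$suspiciousEmail = "' OR 'x'='x' LIMIT 1;";
echo vulnerable_query($suspiciousEmail, md5(HASH_SALT . 'anything')), "\n";

// Usage against a real database (placeholder credentials):
$pdo = new PDO('mysql:host=localhost;dbname=' . DB_NAME, 'db_user', 'db_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let MySQL bind the values itself
$userInfo = find_admin($pdo, $_POST['loginEmail'] ?? '', $_POST['loginPass'] ?? '');
if ($userInfo !== null && !empty($userInfo['id'])) {
    $_SESSION['adminLoggedIn'] = true;
}
```

If the site must stay on the old mysql_* functions, the same protection for that one field is mysql_real_escape_string() applied to every interpolated value, but prepared statements remove the per-value discipline entirely.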