1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Sql injection

Discussion in 'Security' started by candle21428, Nov 2, 2006.

0
  1. #1
    Hi there,

    I have bought the following code from a programmer a couple of months ago and I realized the code may lead to very serious sql injection problem (I am a newbie, so not very sure about that).

    Here is the form on my admin page:
     <form method="POST" action="login.php">
                    <tr>
                      <td width="100%" colspan="2">
                        <p align="center"><b>Login Here</b></td>
                    </tr>
                    <tr>
                      <td width="100%">User Name </td>
                      <td width="50%">
                        <input type="text" name="user" size="20" class="text"></td>
                    </tr>
                    <tr>
                      <td width="100%">Password</td>
                      <td width="50%">
                        <input type="password" name="pw" size="20" class="text">
    PHP:
    and here is the code on the login.php

    session_start();
	
	$Sql="Select * from admin where username='$user' and password='$pw'";
	$result=mysql_query($Sql,$conn);
	$lo=mysql_num_rows($result);
		if($lo >=1){
					session_register("whosin_admin");
			$whosin_admin=$un;
			header("Location: home.php");
			}else{
				header("Location: index.php?err=1");
				}
			?>
    PHP:
    It seems that there is no filter to prevent sql injection at all. What should I do to make this login process secure?

    I have read a few articles on google and some said that it would be useful to use "mysql_escape_string" for the input, but what is a proper way of using it?

    Questions:

    1) Do I simply use mysql_escape_string($user) instead of $user?
    2) Is there any other code I could add to make it more secure?
    3) People always said that it is better to turn the global register off. Is session_start(); or all those session variable considered to be global register? How can I transfer data between pages if I don't use session?
    4) Is there any other web sites where I can learn more about the web site security?

    Thx in advance.
     
    candle21428, Nov 2, 2006 IP
  2. edD

    edD Peon

    Messages:
    146
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Things that could come from the user(in this case) or could be tampered with should pretty much never be used in a DB query as-is.
    Here's how you could escape the two values before using them in the query.

    
<?php

session_start();

$escUser = mysql_real_escape_string($_POST['user'], $conn);
$escPw   = mysql_real_escape_string($_POST['pw'], $conn);

$Sql="Select * from admin where username='$escUser' and password='$escPw'";

if (!$result = mysql_query($Sql, $conn) )
{
    // handle query error;
}

if(mysql_num_rows($result) >=1)
{   
    // where's $un coming from?  Don't rely on register globals...use $_POST or $_GET
    // Also $_SESSION is better than session_register()
    $_SESSION['whosin_admin'] = $un;

    header("Location: home.php");
}
else
{
    header("Location: index.php?err=1");
}

// should call exit after sending Location header
exit;

?>
    PHP:
    It would also be helpful to write a validation function to validate $user and $pw, to make sure that they match a general pattern before even going on to the DB part.

    Good PHP security site:
    http://shiflett.org/articles/security-corner-apr2004
     
    edD, Nov 3, 2006 IP