  1. #1
    SitePoint Addict
    Join Date
    Jan 2007
    Posts
    296
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Protecting against SQL Injection

    I am not sure if the SQL in the following script is injectable.

    The user logs in via this form

    Code:
    <form action="processlogin.php" method="post" class="forms">
    <fieldset>
      <legend>User Login</legend>
    
    <p class="pform">
    <label for="username">Username:</label>
    	<input type="text" name="username" id="username" class="text">
    </p>
    <p class="pform">
    <label for="password">Password:</label>
    	<input type="password" name="password" id="password" class="text">
    </p>
    	<input type="submit" name="submit" value="Login" class="submit">
    	</fieldset>
    	</form>

    They then get taken to this page, where the page queries my database. User registration is only done by me, so I have total control over what the usernames and passwords are.


    Code:
    <?php
    date_default_timezone_set('UTC');
    $username = $_POST['username'];
    $password = $_POST['password'];
    $encrypted_password = md5($password);
    $t = time();
    $timestamp = date("l F jS Y  H:i:a", $t);
    //check that the user is calling the page from the login form and not accessing it directly
    //and redirect back to the login form if necessary
    if (!isset($username) || !isset($password)) {
        header("Location: /");
        exit;
    }
    //check that the form fields are not empty, and redirect back to the login page if they are
    elseif (empty($username) || empty($password)) {
        header("Location: /");
        exit;
    }
    //check that the form fields contain only alphanumeric characters
    elseif (!ctype_alnum($username) || !ctype_alnum($password)) {
        header("Location: /");
        exit;
    }
    else {
        //create or open database (path is a placeholder)
        $db = sqlite_open("/path/to/mydatabase") or die("failed to open the database");
        //get info: $username and $encrypted_password are interpolated straight into the SQL text
        $result = sqlite_query($db, "SELECT name, username, timestamp, logincount FROM tbllogin where username = '$username' and password = '$encrypted_password'");
    }
    ?>

    If I have a problem, what is my best form of defence, or have I done enough? Also, could someone please explain the best way to defend against SQL injection?


    Cheers

  2. #2
    guido2004
    ...where username = '" . mysql_real_escape_string($username). "'...

    http://www.php.net/manual/en/functio...ape-string.php

  3. #3
    Raju Gautam (rajug)
    Only in the case of the username and password (login form), md5() encryption is enough. But if you have some other long forms and form elements, you should use the mysql_real_escape_string() function.

    And try to read this page if you have time:
    http://www.sitepoint.com/article/php-security-blunders
    Mistakes are proof that you are trying.....

  4. #4
    guido2004
    Quote Originally Posted by rajug View Post
    Only in the case of username and password (login form) md5() encryption is enough.
    In the case of the password, md5 encryption is enough. No need to real_escape it.
    But the username should not be used in a query just like that. It's user input, it must be passed through mysql_real_escape_string.

  5. #5
    santouras
    The best thing to do is to switch to using a database abstraction class that includes escaping through variable replacement. I use Zend_Db as part of the Zend Framework, and it allows me to write safer, cross-database queries that I can be confident are non-injectable.
    my utility belt tells me it's to the bar batman

    read the manual then google it then do a search THEN post....

  6. #6
    SitePoint Addict (Struggling)
    I have done this but am not sure if it's correct.

    Code:
    $username = sqlite_escape_string($username);
    $result = sqlite_query($db, "SELECT name, username, timestamp, logincount FROM tbllogin where username = '$username' and password = '$encrypted_password'");

    Is this the best way to implement it?

  7. #7
    guido2004
    It's a PHP command, so you can use it for sure. I don't know if the result is something SQLite compatible, but I think so.

  8. #8
    stereofrog
    Quote Originally Posted by Struggling View Post
    I have done this but am not sure if it's correct.

    Code:
    $username = sqlite_escape_string($username);
    $result = sqlite_query($db, "SELECT name, username, timestamp, logincount FROM tbllogin where username = '$username' and password = '$encrypted_password'");

    Is this the best way to implement it?
    No! Much better is to use PDO and prepared statements:

    PHP Code:
    $dbh = new PDO("sqlite:/path/to/database");
    $sth = $dbh->prepare("SELECT name, username, timestamp, logincount FROM tbllogin where username = ? and password = ?");
    $sth->execute(array($username, md5($password)));
    $data = $sth->fetch();

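Added example, not code from the thread: the login query from post #1 rebuilt against an in-memory SQLite database in three forms, the interpolated original, the escaped variant from posts #2 to #7, and the bound-parameter version from post #8, so that the same attacker input can be run through each. It is written in Python's sqlite3 rather than the thread's PHP so that it runs stand-alone; the table and column names follow the thread, while the sample account, the `' OR 1=1 --` payload and the `sqlite_escape` helper (an approximation of what PHP's sqlite_escape_string does, doubling single quotes) are this example's own constructions.

```python
import hashlib
import sqlite3

QUERY_COLUMNS = "SELECT name, username, timestamp, logincount FROM tbllogin "


def make_db():
    """Constructed fixture: the thread's tbllogin table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tbllogin (name TEXT, username TEXT, password TEXT, "
        "timestamp TEXT, logincount INTEGER)"
    )
    # Password stored as plain md5, exactly as the original script does (see post #9 for why that is weak).
    db.execute(
        "INSERT INTO tbllogin VALUES (?, ?, ?, ?, ?)",
        ("Alice Example", "alice", hashlib.md5(b"correct-horse").hexdigest(), "2009-01-01", 0),
    )
    return db


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def login_interpolated(db, username, password):
    """Post #1's pattern: untrusted input spliced into the SQL text. Injectable."""
    sql = QUERY_COLUMNS + f"where username = '{username}' and password = '{md5_hex(password)}'"
    return db.execute(sql).fetchone()


def sqlite_escape(value):
    """Approximation of PHP's sqlite_escape_string(): double every single quote (example helper)."""
    return value.replace("'", "''")


def login_escaped(db, username, password):
    """Posts #2-#7: escape, then interpolate. Safer, but still builds SQL from strings."""
    sql = (QUERY_COLUMNS
           + f"where username = '{sqlite_escape(username)}' and password = '{md5_hex(password)}'")
    return db.execute(sql).fetchone()


def login_prepared(db, username, password):
    """Post #8's fix: placeholders in the SQL, values bound at execute time. Not injectable."""
    sql = QUERY_COLUMNS + "where username = ? and password = ?"
    return db.execute(sql, (username, md5_hex(password))).fetchone()


def demo():
    """Run a legitimate login and a constructed attack through each variant and return the rows."""
    db = make_db()
    # Constructed attacker input: closes the quoted string, adds an always-true clause,
    # and comments out the password check that follows.
    payload = "' OR 1=1 --"
    return {
        "legit_interpolated": login_interpolated(db, "alice", "correct-horse"),
        "attack_interpolated": login_interpolated(db, payload, "wrong-password"),
        "legit_escaped": login_escaped(db, "alice", "correct-horse"),
        "attack_escaped": login_escaped(db, payload, "wrong-password"),
        "legit_prepared": login_prepared(db, "alice", "correct-horse"),
        "attack_prepared": login_prepared(db, payload, "wrong-password"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:20s} -> {row}")
```

With the interpolated query the attacker logs in as alice without knowing any password; the escaped and prepared variants both return no row for that payload, but only the prepared form removes the string-building step entirely, which is why post #8 prefers it.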
  9. #9
    Stormrider
    md5() encryption may be enough to protect against injection attacks, but it certainly isn't enough to make your password secure. Simply md5'ing a password is next to useless. You need a custom hashing function with a server salt and/or user salt (user salt is better if you are just using one of these) to make the password storage secure.

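Added example, not from the thread: per-user salted password storage, contrasted with the plain md5() in post #1's script. Instead of the custom hashing function post #9 suggests, it uses PBKDF2-HMAC-SHA256 from Python's standard hashlib, a standardized salted and iterated hash; the iteration count, the `algorithm$iterations$salt$digest` record format and the sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example choice; raise as your hardware allows
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, iterations, per-user salt and digest.

    A fresh random salt is drawn for every call unless one is supplied (supplied only for tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the salt and iteration count stored in the record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def md5_records_collide(password):
    """Plain md5, as in the thread's script: two users with the same password get the same stored value."""
    return hashlib.md5(password.encode()).hexdigest() == hashlib.md5(password.encode()).hexdigest()


def salted_records_collide(password):
    """Per-user salt: the same password produces different records, so one crack reveals one account."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct-horse")
    print(record)
    print("verify ok:", verify_password("correct-horse", record))
    print("md5 collides:", md5_records_collide("correct-horse"))
    print("salted collides:", salted_records_collide("correct-horse"))
```

The record carries its own salt and iteration count, so the work factor can be raised later and old records still verify; the per-user salt is what defeats a single precomputed table being applied to every row in tbllogin.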
