Spot the Security Hole

Here’s a PHP script:

# Common include file for MySQL
# ($connection is assumed to have been opened earlier in the include.)

$valid = false;

# Check the HTTP Basic auth credentials sent by the browser against the users table
if (isset($_SERVER['PHP_AUTH_USER']) &&
	isset($_SERVER['PHP_AUTH_PW']) ) {
	$sql = "SELECT * FROM users WHERE
		logins='{$_SERVER['PHP_AUTH_USER']}' AND
		PASSWORD_COLUMN='{$_SERVER['PHP_AUTH_PW']}'";  # placeholder column name: this line was cut off in the source
	$mysql_result = mysql_query($sql,$connection);
	$num_rows = @mysql_num_rows($mysql_result);
	if ( $num_rows != 0 ) {
		$valid = true;
	}
}

if ( !$valid ) {
	header ('WWW-Authenticate: Basic realm="Restricted"');
	header ('HTTP/1.0 401 Unauthorized');
	echo "Authorization required";
} else {
	# Valid user - do stuff here
}

Spot the problem?

What gets me depressed about reading this is that it’s part of an article in a UK Linux magazine this month (I’ll leave the name out; it’s otherwise a good magazine). Sure, everyone makes mistakes, myself more than a few, but this particular example is a classic and part of why PHP gets flak on security.

What’s it going to take to stop this happening over and over in future? Perhaps the mysql_query() page needs a big message like “Before you use this function, make sure you read about mysql_escape_string()”. And perhaps the page on mysql_escape_string() could do more to explain why it’s important?
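The fix suggested above is to escape the input with mysql_escape_string(); the example below, added here and not code from the magazine or this page, applies the same idea with what current PHP offers instead: PDO prepared statements, which keep the credentials out of the SQL text altogether. It runs against an in-memory SQLite table rather than MySQL, and the table and column names (users, login, password) are assumptions.

```php
<?php
// Added example, not code from the magazine article or the page: the same HTTP
// Basic auth check with the credentials bound as query parameters via PDO
// rather than interpolated into the SQL string. An in-memory SQLite table
// stands in for MySQL so this runs offline; the table and column names
// (users, login, password) are assumptions.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample row. Storing a clear-text password mirrors the
    // original's comparison only; real code would store a password hash.
    $db->exec("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)");
    $db->exec("INSERT INTO users VALUES ('obrien', 'secret')");
    return $db;
}

// What the original does: the header values become part of the SQL text, so a
// quote in either value changes the statement's structure.
function buildQueryUnsafe(string $user, string $pw): string {
    return "SELECT * FROM users WHERE login='$user' AND password='$pw'";
}

// Hardened check: placeholders in the SQL, values supplied to execute(), so the
// database never parses the credentials as SQL.
function isValidUser(PDO $db, array $server): bool {
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE login = ? AND password = ?");
    $stmt->execute([$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = openDb();
// Constructed input: a login containing a single quote, as a real name might.
$quoted = ['PHP_AUTH_USER' => "O'Brien", 'PHP_AUTH_PW' => 'secret'];
try {
    $db->query(buildQueryUnsafe($quoted['PHP_AUTH_USER'], $quoted['PHP_AUTH_PW']));
} catch (PDOException $e) {
    // The quote ended the string literal early and the statement no longer parses.
    echo "interpolated query rejected: ", $e->getMessage(), "\n";
}
var_dump(isValidUser($db, $quoted));                                                  // no such user
var_dump(isValidUser($db, ['PHP_AUTH_USER' => 'obrien', 'PHP_AUTH_PW' => 'secret']));  // valid user
var_dump(isValidUser($db, ['PHP_AUTH_USER' => 'obrien', 'PHP_AUTH_PW' => 'wrong']));   // wrong password

// In the web script this replaces the original's $valid computation:
//   if (!isValidUser($db, $_SERVER)) { header('WWW-Authenticate: Basic realm="Restricted"'); ... }
```

The interpolated query fails outright on an ordinary name with an apostrophe, which is the same weakness that lets crafted input change what the query checks; the prepared statement treats the same value as plain data.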