Programming - By Harry Fuecks

Spot the Security Hole

If you’ve arrived at this page from the Tech Times newsletter, we apologise. A few of our links went awry. You’re probably after one of the following:

We now return you to our regular program…

Here’s a PHP script:


<?php
# Common include file for MySQL
require("auth_conn_inc_reg.php");

$valid = false;

if (isset($_SERVER['PHP_AUTH_USER']) &&
	isset($_SERVER['PHP_AUTH_PW']) ) {
	
	$sql = "SELECT * FROM users WHERE
		logins='{$_SERVER['PHP_AUTH_USER']}' AND
		password='{$_SERVER['PHP_AUTH_PW']}'";
		
	$mysql_result = mysql_query($sql,$connection);
		
	$num_rows = @mysql_num_rows($mysql_result);
		
	if ( $num_rows != 0 ) {
		$valid = true;
	}
}

if ( !$valid ) {
	header ("WWW-Authenticate: Basic realm=\"Restricted\"");
	header ("HTTP/1.0 401 Unauthorized");
	echo "Authorization required";
	exit();
	
} else {
	
	# Valid user - do stuff here
	
}
?>

Spot the problem?

What gets me depressed about reading this is that it’s part of an article in a UK Linux magazine this month (I’ll leave the name out; it’s otherwise a good magazine). Sure, everyone makes mistakes, myself more than a few, but this particular example is a classic and part of why PHP gets flak on security.

What’s it going to take to stop this happening over and over in future? Perhaps http://www.php.net/mysql_query needs a big message like “Before you use this function, make sure you read about mysql_escape_string().” And perhaps the page on mysql_escape_string() could do more to explain why it’s important?
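For comparison, here is the same Basic-auth lookup with the hole closed. This is an added example, not code from the article or the magazine, and it uses prepared statements rather than the mysql_escape_string() the post points to, so the credentials are bound as parameters and never become part of the SQL text. It assumes a mysqli connection in $connection and that the users table’s password column holds a password_hash() value rather than plaintext.

```php
<?php
// Added example (not from the article). Assumes $connection is a mysqli
// object and that users.password stores a password_hash() result.
require("auth_conn_inc_reg.php");

function authenticate(mysqli $connection, string $user, string $pass): bool
{
    // The login name travels as a bound parameter; whatever it contains
    // (quotes, OR, comments) is treated as data, not as SQL.
    $stmt = $connection->prepare(
        "SELECT password FROM users WHERE logins = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // The password is never sent to the database at all: compare it
    // against the stored hash in PHP. A missing user fails the same way
    // as a wrong password, so the response does not reveal which it was.
    return $found === true && password_verify($pass, $storedHash);
}

$valid = false;

if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    $valid = authenticate(
        $connection,
        $_SERVER['PHP_AUTH_USER'],
        $_SERVER['PHP_AUTH_PW']
    );
}

if (!$valid) {
    header('WWW-Authenticate: Basic realm="Restricted"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authorization required";
    exit();
}

# Valid user - do stuff here
?>
```

Note that the original also checked only whether any row came back; the rewrite fetches the single matching user’s hash and verifies against it, so a query that happens to match rows can no longer count as a successful login.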
