
Spot the Security Hole

By Harry Fuecks


Here’s a PHP script:


<?php
# Common include file for MySQL; expected to set up $connection
require("auth_conn_inc_reg.php");

$valid = false;

# Credentials arrive in the HTTP Basic auth header; PHP exposes them
# through $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']
if (isset($_SERVER['PHP_AUTH_USER']) &&
	isset($_SERVER['PHP_AUTH_PW']) ) {

	$sql = "SELECT * FROM users WHERE
		logins='{$_SERVER['PHP_AUTH_USER']}' AND
		password='{$_SERVER['PHP_AUTH_PW']}'";

	$mysql_result = mysql_query($sql,$connection);

	$num_rows = @mysql_num_rows($mysql_result);

	# Any matching row counts as a successful login
	if ( $num_rows != 0 ) {
		$valid = true;
	}
}

if ( !$valid ) {
	# No (or wrong) credentials: ask the browser to prompt for them
	header("WWW-Authenticate: Basic realm=\"Restricted\"");
	header("HTTP/1.0 401 Unauthorized");
	echo "Authorization required";
	exit();

} else {

	# Valid user - do stuff here

}
?>

Spot the problem?

What gets me depressed about reading this is that it’s part of an article in a UK Linux magazine this month (I’ll leave the name out; it’s otherwise a good magazine). Sure, everyone makes mistakes, myself more than a few, but this particular example is a classic: the username and password from the Basic auth prompt go straight into the SQL string, so anyone who can type a quote character into a login box gets to rewrite the WHERE clause. That is SQL injection in its purest form, and it’s part of why PHP gets flak on security.

What’s it going to take to stop this happening over and over? Perhaps http://www.php.net/mysql_query needs a big message like “Before you use this function, make sure you read about mysql_escape_string()”, and perhaps the page on mysql_escape_string() could do more to explain why it’s important.
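To make the hole concrete, here is the article’s lookup written both ways, side by side. This is an added example and not code from the magazine article or from the original post; it assumes PHP 7.1 or later with the bundled pdo_sqlite driver, and it stands an in-memory SQLite table in for the MySQL users table so it runs offline. The table, the single user row and the attacker’s credentials are all constructed inline. The hardened version does not rely on escaping at all: it uses a prepared statement, so the values can never be parsed as SQL, and it stores a password hash rather than the cleartext password.

```php
<?php
// Added example, not code from the original article. Assumptions: PHP 7.1+
// with the bundled pdo_sqlite driver; an in-memory SQLite table stands in
// for the MySQL "users" table. Table, user row and attacker input are all
// constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (logins TEXT NOT NULL, password TEXT NOT NULL)");
$ins = $db->prepare("INSERT INTO users (logins, password) VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The article's pattern: whatever the client put in the Basic auth header
// is spliced into the SQL text, so the client gets to edit the WHERE clause.
function vulnerableLogin(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM users WHERE logins='$user' AND password='$pass'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// Hardened form: the statement is compiled with a placeholder, so the
// supplied username can only ever be compared, never parsed as SQL. The
// password column holds a hash and is checked with password_verify(), so
// the query never sees the cleartext password at all.
function safeLogin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT password FROM users WHERE logins = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

// Attacker's credentials (constructed). Each closes the quoted literal and
// appends an always-true clause, so the vulnerable WHERE becomes
//   logins='' OR '1'='1' AND password='' OR '1'='1'
// which matches every row in the table.
$injectedUser = "' OR '1'='1";
$injectedPass = "' OR '1'='1";

function describe(string $label, bool $ok): void
{
    echo $label, ': ', $ok ? 'logged in' : 'rejected', PHP_EOL;
}

describe('vulnerable, injected credentials', vulnerableLogin($db, $injectedUser, $injectedPass));
describe('safe, injected credentials',       safeLogin($db, $injectedUser, $injectedPass));
describe('safe, real credentials',           safeLogin($db, 'alice', 'correct horse'));
describe('safe, wrong password',             safeLogin($db, 'alice', 'wrong'));
```

Run it with `php` from the command line. The point of the prepared statement is that the query’s shape is fixed before any user data reaches the database, which is why it beats escaping: an escaping function has to be the right one for the connection’s character set (on the old mysql extension that meant mysql_real_escape_string(), not mysql_escape_string()), and it only helps if nobody forgets to call it. Note also that the vulnerable version cannot be used with hashed passwords at all, since it compares the column directly against what the client typed; storing cleartext passwords is a second, independent problem with the original script.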
