Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding + code
From: Jeremy Thibeaux <jeremy.thibeaux () lucidfactory com>
Date: Thu, 04 Dec 2003 19:35:20 +0000
Hi Ghita, First off, thanks for the practical example!
$username=stripslashes(trim($_POST['username'])); $password=stripslashes(trim($_POST['password']));
I am not sure why you "stripslashes" for the user name and password. If the slashes are there (due to magic_quotes being enabled), they will protect you from the user entering arbitrary SQL code in the input variable. If they aren't there, you should consider adding them using AddSlashes. Given the way you construct the query (are you missing single quotes around the variables?):
$select_the_user="SELECT * FROM users WHERE username=".$username." AND password=".$password." LIMIT 1";
Imagine if the user entered: "someuser' OR username ='someuser" for $username. Your SQL statement would turn out: SELECT * FROM users WHERE username='someuser' OR username='someuser' AND password='whatever' LIMIT 1 Which would always selects the user as long as the user guessed the username correctly (pw no longer used). The slashes give you protection against this by ensuring that any quotes included in the user's input are escaped by a slash so that you end up with: SELECT * FROM users WHERE username='someuser\' OR username=\'someuser' AND password='whatever' LIMIT 1 Your intended logic is preserved. Regarding other questions, I'll let other folks take a crack. Jeremy Thibeaux Lucid Factory, inc.
Current thread:
- Re: Scripting Languages and Secure Coding + code, (continued)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
- Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
- Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)
- Re: Scripting Languages and Secure Coding Bob Toxen (Dec 04)
- Re: Scripting Languages and Secure Coding der Mouse (Dec 04)
- Re: Scripting Languages and Secure Coding Louis Solomon [SteelBytes] (Dec 05)