Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding + code


From: Jeremy Thibeaux <jeremy.thibeaux () lucidfactory com>
Date: Thu, 04 Dec 2003 19:35:20 +0000

Hi Ghita,

First off, thanks for the practical example!

$username=stripslashes(trim($_POST['username']));
$password=stripslashes(trim($_POST['password']));

I am not sure why you "stripslashes" for the user name
and password.  If the slashes are there (due to
magic_quotes being enabled), they will protect you
from the user entering arbitrary SQL code in the input
variable.  If they aren't there, you should consider
adding them using AddSlashes. Given the way you
construct the query (are you missing single quotes
around the variables?):

$select_the_user="SELECT * FROM users WHERE
username=".$username." AND
password=".$password." LIMIT 1";

Imagine if the user entered:

"someuser' OR username ='someuser" for $username. 
Your SQL statement would turn out:

SELECT * FROM users WHERE
username='someuser' OR username='someuser' AND
password='whatever' LIMIT 1

Which would always select the user as long as the
user guessed the username correctly (pw no longer
used).  The slashes give you protection against this
by ensuring that any quotes included in the user's
input are escaped by a slash so that you end up with:

SELECT * FROM users WHERE
username='someuser\' OR username=\'someuser' AND
password='whatever' LIMIT 1

Your intended logic is preserved.

Regarding other questions, I'll let other folks take a
crack.

Jeremy Thibeaux
Lucid Factory, inc.
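Added example, not code from the thread: it rebuilds the quoted-but-unescaped query the message describes beside a parameterised version, and runs both against a constructed in-memory SQLite table (hypothetical schema: users(username, password)). Escaping with addslashes only helps when the database treats a backslash as a string-literal escape and the values are actually wrapped in quotes; a parameterised query sends the values separately from the SQL text, so neither condition matters.

```php
<?php
// Vulnerable form: the quoted, concatenated query discussed in the thread.
function find_user_unsafe(PDO $pdo, string $username, string $password): ?array {
    $sql = "SELECT * FROM users WHERE username='" . $username .
           "' AND password='" . $password . "' LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: placeholders are bound by the driver, so quotes in the
// input are data and can never change the statement's structure.
function find_user_safe(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare(
        "SELECT * FROM users WHERE username = :u AND password = :p LIMIT 1");
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test data (plaintext password only to mirror the thread's query).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('someuser', 'secret')");

// The input from the thread, sent with a wrong password.
$payload = "someuser' OR username='someuser";

// Concatenation: the row comes back although the password is wrong, because
// AND binds tighter than OR and the injected "username='someuser'" is true.
var_dump(find_user_unsafe($pdo, $payload, 'whatever') !== null); // bool(true)

// Parameterised: the whole payload is compared as a username and matches nothing.
var_dump(find_user_safe($pdo, $payload, 'whatever') !== null);   // bool(false)

// Parameterised with correct credentials still works.
var_dump(find_user_safe($pdo, 'someuser', 'secret') !== null);   // bool(true)
```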
