Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding + code
From: "Louis Solomon [SteelBytes]" <louis () steelbytes com>
Date: Fri, 05 Dec 2003 15:26:59 +0000
I use the PHP 4.3.x function mysql_real_escape_string(), e.g.

$query = 'select * from users where username="'.mysql_real_escape_string($_REQUEST['username']).'" and password= ....

This way it doesn't matter what the user enters. Also note the use of "; e.g. if the user enters Fred"Joe then the query would be ... username="Fred\"Joe" ... Of course with different DBs, the escaping of chars may be different.

Louis Solomon
www.steelbytes.com

----- Original Message -----
From: "Jeremy Thibeaux" <[EMAIL PROTECTED]>
To: "Ghita Serban" <[EMAIL PROTECTED]>; "SC-L" <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 2:34 AM
Subject: Re: [SC-L] Scripting Languages and Secure Coding + code
Hi Ghita,

First off, thanks for the practical example!

$username=stripslashes(trim($_POST['username']));
$password=stripslashes(trim($_POST['password']));

I am not sure why you "stripslashes" for the user name and password. If the slashes are there (due to magic_quotes being enabled), they will protect you from the user entering arbitrary SQL code in the input variable. If they aren't there, you should consider adding them using AddSlashes. Given the way you construct the query (are you missing single quotes around the variables?):

$select_the_user="SELECT * FROM users WHERE username=".$username." AND password=".$password." LIMIT 1";

Imagine if the user entered: someuser' OR username ='someuser for $username. Your SQL statement would turn out:

SELECT * FROM users WHERE username='someuser' OR username='someuser' AND password='whatever' LIMIT 1

which would always select the user as long as the user guessed the username correctly (pw no longer used). The slashes give you protection against this by ensuring that any quotes included in the user's input are escaped by a slash so that you end up with:

SELECT * FROM users WHERE username='someuser\' OR username=\'someuser' AND password='whatever' LIMIT 1

Your intended logic is preserved.

Regarding other questions, I'll let other folks take a crack.

Jeremy Thibeaux
Lucid Factory, inc.
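The login bypass Jeremy describes, and the two replies' point that escaping is database-specific, can be reproduced end to end. The following is an added example written for this archive page, not code posted by either author: it re-implements the thread's PHP/MySQL login query in Python against an in-memory SQLite database (a constructed one-row users table), so it runs offline. The function names (login_unsafe, login_backslash, login_escaped, login_param), the escaping helpers and the sample credentials are assumptions for illustration. It shows the unescaped query being bypassed by the thread's payload, what happens when addslashes-style backslash escaping is used against a database that does not understand it, the escaping that SQLite actually expects (doubling the quote, the SQLite analogue of mysql_real_escape_string), and the parameterised form that needs no escaping at all.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('someuser', 'secret')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The thread's query with quotes but no escaping: input becomes SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "' LIMIT 1")
    return conn.execute(sql).fetchone()


def backslash_escape(value):
    """addslashes-style escaping (backslash before quotes), as used with MySQL on the page."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def login_backslash(conn, username, password):
    """Backslash escaping applied to a database (SQLite) that does not treat
    backslash as an escape character: the quote still terminates the literal,
    so the payload yields a malformed statement rather than a bypass."""
    sql = ("SELECT * FROM users WHERE username='" + backslash_escape(username) +
           "' AND password='" + backslash_escape(password) + "' LIMIT 1")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "syntax error"


def sqlite_escape(value):
    """Escaping SQLite actually understands: double every single quote.
    This plays the role mysql_real_escape_string plays for MySQL."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    sql = ("SELECT * FROM users WHERE username='" + sqlite_escape(username) +
           "' AND password='" + sqlite_escape(password) + "' LIMIT 1")
    return conn.execute(sql).fetchone()


def login_param(conn, username, password):
    """Parameterised query: values are bound by the driver and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=? LIMIT 1"
    return conn.execute(sql, (username, password)).fetchone()


# The payload from the thread: closes the username literal and adds an OR clause.
PAYLOAD = "someuser' OR username='someuser"


def demo():
    """Run each variant with the payload and a wrong password; True means bypassed."""
    conn = make_db()
    return {
        "unsafe_bypassed": login_unsafe(conn, PAYLOAD, "wrong") is not None,
        "backslash_result": login_backslash(conn, PAYLOAD, "wrong"),
        "escaped_bypassed": login_escaped(conn, PAYLOAD, "wrong") is not None,
        "param_bypassed": login_param(conn, PAYLOAD, "wrong") is not None,
        "legit_login_ok": login_param(conn, "someuser", "secret") is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Note why the unescaped form is bypassed: AND binds tighter than OR, so WHERE username='someuser' OR username='someuser' AND password='wrong' is true whenever the username exists, exactly as Jeremy's message says. The backslash variant fails closed here only by accident of SQLite's tokenizer; on a database with yet another quoting convention the same input could just as well succeed, which is Louis's point that escaping must match the target DB. The parameterised query sidesteps the question entirely.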
Current thread:
- Re: Scripting Languages and Secure Coding + code, (continued)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
- Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
- Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
- Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)
- Re: Scripting Languages and Secure Coding Bob Toxen (Dec 04)
- Re: Scripting Languages and Secure Coding der Mouse (Dec 04)
- Re: Scripting Languages and Secure Coding Louis Solomon [SteelBytes] (Dec 05)
- Re: Scripting Languages and Secure Coding ljknews (Dec 06)
- Re: Scripting Languages and Secure Coding Bob Toxen (Dec 05)