Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding + code

From: "Louis Solomon [SteelBytes]" <louis () steelbytes com>
Date: Fri, 05 Dec 2003 15:26:59 +0000

I use the php 4.3.x func mysql_real_escape_string()

eg, $query = 'select * from users where
username="'.mysql_real_escape_string($_REQUEST['username']).'" and password=
....

this way it doesn't matter what the user enters.

also, note that the use of "
eg
if the user enters
    Fred"Joe
then the query would be
    ... username="Fred\"Joe" ...

of course with different DBs, the escaping of chars maybe different.

Louis Solomon
www.steelbytes.com

----- Original Message ----- 
From: "Jeremy Thibeaux" <[EMAIL PROTECTED]>
To: "Ghita Serban" <[EMAIL PROTECTED]>; "SC-L" <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 2:34 AM
Subject: Re: [SC-L] Scripting Languages and Secure Coding + code

Hi Ghita,

First off, thanks for the practical example!

$username=stripslashes(trim($_POST['username']));
$password=stripslashes(trim($_POST['password']));


I am not sure why you "stripslashes" for the user name
and password.  If the slashes are there (due to
magic_quotes being enabled), they will protect you
from the user entering arbitrary SQL code in the input
variable.  If they aren't there, you should consider
adding them using AddSlashes. Given the way you
construct the query (are you missing single quotes
around the variables?):

$select_the_user="SELECT * FROM users WHERE
username=".$username." AND
password=".$password." LIMIT 1";


Imagine if the user entered:

"someuser' OR username ='someuser" for $username.
Your SQL statement would turn out:

SELECT * FROM users WHERE
username='someuser' OR username='someuser' AND
password='whatever' LIMIT 1

Which would always selects the user as long as the
user guessed the username correctly (pw no longer
used).  The slashes give you protection against this
by ensuring that any quotes included in the user's
input are escaped by a slash so that you end up with:

SELECT * FROM users WHERE
username='someuser\' OR username=\'someuser' AND
password='whatever' LIMIT 1

Your intended logic is preserved.

Regarding other questions, I'll let other folks take a
crack.

Jeremy Thibeaux
Lucid Factory, inc.

Current thread:

Re: Scripting Languages and Secure Coding + code, (continued)
- - - Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
    - Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
    - RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
    - Re: Scripting Languages and Secure Coding + code ck (Dec 08)
    - Re: Scripting Languages and Secure Coding + code ck (Dec 08)
    - Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
    - Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
  - Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)
    - Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
    - Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)
    - Re: Scripting Languages and Secure Coding + code Louis Solomon [SteelBytes] (Dec 05)
    - Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
    - Re: Scripting Languages and Secure Coding + code Ghita Gh. Serban (Dec 05)
  - Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
- Re: Scripting Languages and Secure Coding Jeremy Thibeaux (Dec 03)
  - Re: Scripting Languages and Secure Coding Bob Toxen (Dec 04)
    - Re: Scripting Languages and Secure Coding der Mouse (Dec 04)
    - Re: Scripting Languages and Secure Coding Louis Solomon [SteelBytes] (Dec 05)
    - Re: Scripting Languages and Secure Coding ljknews (Dec 06)
    - Re: Scripting Languages and Secure Coding Bob Toxen (Dec 05)
- RE: Scripting Languages and Secure Coding Tegels, Kent (Dec 03)