Topic: "Login..." (page 1 of 1)

sniperkid
I didn't know quite where to put this, but how easily do you think this could be exploited? (This is part of my site, btw.)

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * From users WHERE username = '$username' AND password = '$password'";

Also it sets a cookie with the username and password, and every page that you open is tested to see if it exists and if it's correct.

If you want to PM me instead of letting people exploit it ;) then feel free.

Edited by sniperkid on 06.07.2005 11:21:03
sebasjm
Hi sniperkid!

I'm not so good at exploiting it, but I think I can help you; indeed I will try ;)
< :teach: >
First, the best thing you can do when you use variables from POST, GET, Cookie, etc. is to first check if they exist, like this:

$username = isset($_POST['username'])?$_POST['username']:"";
$password = isset($_POST['password'])?$_POST['password']:"";

So those 2 vars will always have a value, but they can't have just any value!!!

What I would do is check that they have only chars from A to Z and a to z (or maybe 0 to 9 too), and if they don't, tell the user that he entered bad values. All these checks are on the server, of course.

And for the cookie, I suggest you use PHP sessions, because you have all the vars on the server side and they (the users) can't see anything except the PHP session ID. Otherwise they can change the value of the vars. (And you don't have to check if the user exists every time ;))
< / :teach: >
I hope that it helps you :thumbsup:
And let me know if I made a mistake up there, I'm learning too!! LOL

Good Luck!

EDIT: I almost forgot. Here is everything -----> php.net <-----

SebaS!
Edited by sebasjm on 06.07.2005 13:39:41
theblacksheep
I would use:

$username = mysql_escape_string ($_POST['username']);
$password = mysql_escape_string ($_POST['password']);

If you do not filter the input, it might be possible to inject SQL depending on your PHP configuration.
alt3rn4tiv3
I usually check for isset() and empty() first, then I have a function which I always use (for MySQL or not):

function aformat($msg) {
    $nmsg = urlencode(addslashes(htmlspecialchars(htmlentities($msg))));
    return $nmsg;
}

If necessary, I'll add regexp too.
diskis
That's pretty much what I usually use... but I do store the hash in the cookie, not the real pass:

setcookie("usercookie", $user);
setcookie("passcookie", md5($password));   // PHP's hash function is md5(), not md5sum()

and then check it with:

$user = sanitycheck($_COOKIE["usercookie"]);   // general-purpose filter (poster's own helper, not shown), lets through a..z and 0..9
$row = mysql_fetch_assoc(mysql_query("SELECT password FROM users WHERE user='$user'"));
if (md5($row['password']) != $_COOKIE["passcookie"]) {
    die("don't tamper with your cookies, please");
} else {
    // go on with code
}

Well, it used to add a bit of security; now it's just a nuisance, after those online reverse lookup tables for md5sums appeared :)
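An added example (not code from any poster in this thread) that puts together sebasjm's isset/whitelist and session advice, theblacksheep's point about keeping input out of the SQL, and diskis's hash check, using PDO prepared statements and password_verify() from current PHP rather than the PHP 4-era functions quoted above. It assumes a PDO connection in $db and a users table with username and password_hash columns.

```php
<?php
// Added example: a login handler built around the advice in this thread.
// Assumed: $db is a PDO connection; table `users` has columns `username`
// and `password_hash` (a value produced by password_hash()).
session_start();

// 1. Never assume a POST field exists: default to "" (sebasjm).
$username = isset($_POST['username']) ? $_POST['username'] : "";
$password = isset($_POST['password']) ? $_POST['password'] : "";

// 2. Whitelist the username before it goes near the database: letters and
//    digits only, bounded length (sebasjm's A-Z / a-z / 0-9 rule). The
//    password is not filtered, because it is never placed in the SQL text.
function valid_username($name) {
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $name) === 1;
}

if (!valid_username($username) || $password === "") {
    die("Bad username or password.");
}

// 3. A prepared statement keeps the input out of the query string entirely,
//    so the query no longer depends on escaping (mysql_escape_string) or on
//    the PHP configuration theblacksheep mentions.
$stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
$stmt->execute(array($username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Compare against a stored salted hash, not a plaintext password: a leaked
//    table cannot be reversed with the md5 lookup tables diskis refers to.
if ($row === false || !password_verify($password, $row['password_hash'])) {
    die("Bad username or password.");   // same message for unknown user and wrong password
}

// 5. Record the login in a server-side session instead of a cookie that
//    carries the credentials; the browser only ever sees the session id.
session_regenerate_id(true);            // fresh id after login, so a pre-login id cannot be reused
$_SESSION['username'] = $username;

// On every other page this replaces the per-request database check:
//   session_start();
//   if (empty($_SESSION['username'])) { header("Location: login.php"); exit; }
```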
brainpower
Use less common variables on the server side (e.g. $uname, $pswrd).

sniperkid
It isn't my site, but from what I can understand it sets username = $username and password = $password (variables are entered values and are not null). And on every page (in an include bit) it checks the database to see if the username and password are correct; if they are then it displays the page, if they aren't then it removes the cookie and puts you back at the login page. I was thinking a bit of SQL injection for the password field but no success so far. I'll keep trying :devil4:.

sebasjm
Hi brainpower

Using less common variables will make the source code less readable; I don't think that is a good idea.
Maybe deny access to those vars and check all the inputs, but that is what it's all about, isn't it? :D

bye
brainpower
Hi sebasjm
Yes, it will make the source less readable, but if they find a bug in the source (example: no correct use of echo()) they will not find the vars like your password or something else so easily.

Greets, Brainpower