Hacking the user password

sarahk

Ages ago someone posted a message warning about a hack on password which can be used to break into sites which need a login.

It worked on the basis that after attempting to login they would be validated by

$sqlstring = "select count(*) from users where name = '$name' and password = '$pass'";

The hack was to put something like "' and ''='" into the password and the way to foil them was to ...?

Can anyone remember this. Did anyone implement the fix successfully? I figured that because we had the archives I'd be able to find it again but sadly, no.

[deleted]

the fix would be to put addslashes() around your $vars in the sql query.

You could probably exploit it something like this:

$pass = "' OR name='username i wanna login as' OR pass='";

I've never tried it though, but I don't see why it wouldn't work. The thing is that the person who's exploiting it has to know a bit about your db to get it to work.

scoppc

I think by using
htmlspecialchars($input, ENT_QUOTES);
will solve the problem.

Recent article about this can be found at http://www.webmasterbase.com/article/794
They call it SQL Injection Attacks.

Anon

Do a search on Google for "SQL Injection".

All you really need to do is validate all the values that are submitted from a form by a POST or GET (which you should always do anyway). A value which enters your script from any outside source is considered "tainted". Search Google for "variable untainting php" or something similar.

[deleted]

htmlspecialchars() is translates characters like <> to > and < which is not always desirable, usually isn't in everything I've written, I've found addslashes() to be pretty much binary, (I've stored gif's in the db before with it)