How do I prevent wildcard...

AV1611

I have a small database web app and what I am trying to do is add some simple security to it. below is a snippet of the security part of the script, that require a userID and password to be entered into a form before the edit form is displayed. It works great, except for one BIG PROBLEM: If you enter "%" for password, the wildcard satisfies the USERID or PASSWORD check in the Users Database... How do I prevent this?????

<<<snip>>>

$result0 = mysql_query
("SELECT * FROM Users WHERE USERID == '$UserID'");
IF ($row=mysql_fetch_array($result0))
{$password = $row["password"];
If $pass == $password
{
IF ($row=mysql_fetch_array($result0))
{
IF ($row=mysql_fetch_array($result))
INCLUDE("ALREADY.PHP");
ELSE
{
MySQL_Query("insert into lbryperm
(TEK_PART_NUMBER,DATE_PART_ENTERED) values
('$EDITPARTNO','$date')");
MySQL_Query("insert into ADDLOG
(TEK_PART_NUMBER,UserID,TIME) values
('$EDITPARTNO','$UserID','$date')");
INCLUDE("editnew.html");
}
}
}
ELSE
{
print "SORRY, YOU ARE NOT AUTHORIZED ADD PARTS";
INCLUDE("UNAUTHORIZEDa.PHP");
}
<<<snip>>>

devinemke

your query should be:

SELECT * FROM Users WHERE userid = '$UserID' AND password = '$pass'

AV1611

That is what I did to begin with, but the % wildcard still works... I made it the way it is now trying to fix it...

Someone suggested Hashes, but I don't know how to do that...

bjwilke

Convert the passwords into [man]md5[/man] or [man]sha1[/man]-hashes before storing them into the Database.
For the validation you need to convert the user-input before comparing it with the DB-content, but that's a tad obvious.

AV1611

Can you give me a very basic example of how to create the hash, then how to decrypt the hash?

I know that makes me look real lazy, but I am a newbie!!!

bjwilke

The point of hashes is that they're not decodeable. The functions to use are either MD5 (for the older system) or SHA1 (for a more recent hash) to encode the plaintext passwords.

So what you do is, you store the passwords in hashed form in the DB. Yes, that means that you will never know the passwords of the users. Yes, that also means that you have to supply a function that resets the users password in the DB.

In the script you only have to see that you encode the provided password everytime before you do anything with it, be it storing into the DB or comparing it with the DB-content.

Best to take devinemke's example:

$pass = sha1($password);
$sql = "SELECT * FROM Users WHERE userid = '{$UserID}' AND password = '{$pass}'";