hack by fake SQL statement

wuno

Hello

Here is the code for logging into my website. Is there a way using fake SQL statement to get passed or if the code is 100% secured?

Thanks.

Please note that func_header_location is equivalent to header() and func_query_first is equivalent to db_fetch_array()

Norman

<?php
session_start();

$password = md5($POST('password'));
$username = $POST('username');
if ($SESSION['login'])
func_header_location('main.php');
else{
$sql = "SELECT COUNT(*) FROM auth WHERE username = '$username' AND password = '$password'";
$login = array_pop(func_query_first($sql)) > 0;
if (!$login)
func_header_location('index.htm?error=1');
else{
$SESSION['login'] = $login;
func_header_location('news.php?action=manage_news');
}
}

?>

rincewind456

Read this http://www.unixwiz.net/techtips/sql-injection.html
Then use this mysql_real_escape_string()

bastien

sure....i enter

' or 1=1 --

which creates a sql statement like

SELECT COUNT(*) FROM auth WHERE username = '' or 1=1 -- AND password ='some_md5_string'

The -- dash is sql for ignore the rest of the statement...and since 1=1 is always true it will return a count of at least 1 granting the user access to the system.

A better solution is to regex the name (ie apply a regular expression pattern (^[0-9A-Z]+$) to see if the name is allowable characters (like numbers and letters only), then if it doesn't match you can kick it back the the user to try again. You can also play the same game (if you wish with the password, though it results in a slightly less strong password)

Additionally you should check to see that the row returns only 1 row, assuming that the site is coded to allow only distinct username