[RESOLVED] SQL injection preventing help

fus10n

Okay, so I have a log in and registration code. I am aware they are prone to attack but do not what to do to prevent injections. Any suggestions are appreciated.

<?php
$host="localhost"; // Host name
$username="yourclas_****"; // Mysql username
$password="****"; // Mysql password
$db_name="yourclas_****"; // Database name
$tbl_name="****"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

<?php
include 'dbconnect.php';
$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['first'];
$lastname = $_POST['last'];
$email = $_POST['email'];
$country = $_POST['country'];
$state = $_POST['state'];
$street = $_POST['street'];
$city = $_POST['city'];
$zip = $_POST['zip'];

$result = mysql_num_rows(mysql_query("SELECT * FROM test WHERE username='$username'"));
if($result == 1)
    {
    echo "<h1>ERROR!</h1>The username you have chosen already exists!";
    }
else
        {

    mysql_query("INSERT INTO test (username, password, first, last, email, country, state, street, city, zip) 
VALUES ('$username', '$password', '$firstname', '$lastname', '$email', '$country', '$state', '$street', '$city', '$zip')");

    echo "<p>Congratulations! You have successfully registered!</p>";
}		
?>

johanafm

# Any externally supplied data has to be considered as insecure
# Either use prepared statements - can be done with mysql but not through the
# 		api. Use mysqli instead.
# or use mysql_real_escape_string on strings
# and use explicit casts on other types such as $i = (int) $_POST['int']
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

# Why run stripslashes? If addslashes hasn't been used, stripslashes should (most likely)
# not be used, and certainly not like this, since the user may input
#		username: "jo\e",		password: "123\abc"
# and you store/use "joe" and "123abc" by silently changing user input.
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

# This has nothing to do with SQL injection, but never store passwords in plain text
# If someone does manage to get data from your user table, they get both username and password
# If however you store something like md5($password), the stolen information cannot be used.
# At least not without effort. Also, when deciding on encryption/hashing, also read up on 'salt'
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)
{
	// Register $myusername, $mypassword and redirect to file "login_success.php"
	session_register("myusername");
	session_register("mypassword");
	# location headers uses absolute URIs. See [url]http://tools.ietf.org/html/rfc2616#section-14.30[/url]
	# and then looking up information within that document on "absoluteURI", most notably
	# "absolute URIs always begin with a scheme name followed by a colon"
	header("location:login_success.php");
	# The user's browser now issues a GET request for [url]http://example.com/login_success.php[/url].
	# If more code is ever added below, should it be run? Else, I personally prefer having an
	# explicit exit after a location redirect.
}
else {
# The user credentials were not correct. If you ever add more code below, it should NOT be
# run on a failed login. As such, I recommend adding an exit after the echo to be dead
# certain no more code is used.
echo "Wrong Username or Password";

# exit!
}
?>

<?php
include 'dbconnect.php';

# If this is login_success.php, there is no post data from the previous script. That script
# told the browser to issue a GET request to this script, which it did. There could be a query
# string, but never any post data. Assuming this is not the case, and that this script is
# actually run by a POST request...

# As in the previous script, use prepared statements or mysqli_real_escape_string on these
$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['first'];
$lastname = $_POST['last'];
# In some cases, you may want to do additional checks and/or sanitizing. For example
# an email address has to follow a specific format. If it doesn't, it's invalid.
# For email address format validation, see: http://code.iamcal.com/php/rfc822/
$email = $_POST['email'];
# Assuming country and state are ids (foreign keys) matching the actual names from the
# country and state tables, use prepared statements or integer cast
$country = $_POST['country'];
$state = $_POST['state'];
# prep or escape
$street = $_POST['street'];
$city = $_POST['city'];
$zip = $_POST['zip'];

# Has nothing to do with SQL injection, but this approach is subject to a race condition
# Let's say you have no user at all, and two people creates their account at the exact same
# time. Both want the account name "joe"
# Both scripts get to this point, and all is well: there is no username='joe' - Yet!
# Then both scripts get to the insert query. One query however, must be run before the
# other, resulting in one user actually creating username "joe", while the other just fails
# while that user gets to read "You succeesfully registered"...
$result = mysql_num_rows(mysql_query("SELECT * FROM test WHERE username='$username'"));
if($result == 1)
{
    echo "<h1>ERROR!</h1>The username you have chosen already exists!";
}
else
{
	mysql_query("INSERT INTO test (username, password, first, last, email, country, state, street, city, zip) 
VALUES ('$username', '$password', '$firstname', '$lastname', '$email', '$country', '$state', '$street', '$city', '$zip')");
        echo "<p>Congratulations! You have successfully registered!</p>";
	}

laserlight

Adding to johanafm's point on stripslashes: set magic_quotes_gpc to off and then don't bother with using stripslashes as you do now.

Given what you have now, I suggest that you write:

$sql = sprintf("SELECT COUNT(*) FROM $tbl_name WHERE username='&#37;s' and password='%s'",
    mysql_real_escape_string($myusername),
    mysql_real_escape_string($mypassword));
$result = mysql_query($sql);
if (mysql_result($result, 0) == 1) {
    // ...

Derokorian

Question why is sprintf and with nested escape_strings better than setting a variable to escape_string? I see it a lot in the better code, and I dont understand how its different than putting a variable set to the same thing there.

fus10n

I think I got it all secure! Thanks for all of your help

bradgrafelman

Derokorian;10977590 wrote:
Question why is sprintf and with nested escape_strings better than setting a variable to escape_string? I see it a lot in the better code, and I dont understand how its different than putting a variable set to the same thing there.

Looks cleaner, and doesn't make you create tons of useless variables that are used once and then sit there wasting memory space.

laserlight

Derokorian wrote:
Question why is sprintf and with nested escape_strings better than setting a variable to escape_string? I see it a lot in the better code, and I dont understand how its different than putting a variable set to the same thing there.

You only need the escaped value in the SQL statement, so it makes sense to do it right there. Keeping the escaping separate from the SQL statement risks forgetting to escape, or using an escaped value when you want the original value.
You can use other format specifiers as needed, e.g., %d to ensure that the value is an integer.