NYCPHP Meetup

NYPHP.org

[nycphp-talk] (no subject)

csnyder chsnyder at gmail.com
Mon Jul 2 12:05:09 EDT 2007


On 7/1/07, tuon1 at netzero.net <tuon1 at netzero.net> wrote:
>
>     $LoginName     = $_POST['Username']; //Get user id from the login form
>     $LoginPass     = $_POST['Password']; //Get user password from the login form
>
>
>       //Search in a table for valid users: Customer_Table
>       $Query = "SELECT `LoginNameCol`, `PasswordCol` FROM `Customer_Table`
>       WHERE `LoginNameCol` = '$LoginName' AND
>       `PasswordCol` = '$LoginPass' ";
>       $Result = mysql_query($Query);

Unfortunately your script allows anyone to log in, because you're not
escaping user input before sending it to MySQL.

If $_POST['Password'] is "foo' OR '1'='1", the query will always
return a result, and the user will be logged in.

Please always remember to use mysql_real_escape_string() on
user-submitted values before using them in a MySQL query.

Perhaps your application is deployed in an environment that has
magic_quotes turned on, in which case it won't be vulnerable to the
example attack, but it is considered bad form to rely on that feature.

-- 
Chris Snyder
http://chxo.com/
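The injection described in the reply, reproduced as an added example that is not code from the thread. It translates the quoted query shape to Python's sqlite3 module so it runs offline; the Customer_Table rows are constructed, the escaping helper doubles quotes (SQLite's rule, whereas mysql_real_escape_string() backslash-escapes according to the connection charset), and it goes one step beyond the reply by also showing a comment-based bypass in the username field and a parameterized query alongside the escaping fix.

```python
import sqlite3

# Constructed sample rows standing in for Customer_Table (not data from the thread).
ROWS = [("alice", "s3cret"), ("bob", "hunter2")]

# The query text is built on one line so a "--" injected into it comments out the rest.
SELECT = "SELECT LoginNameCol, PasswordCol FROM Customer_Table WHERE "


def make_db():
    """Create an in-memory table shaped like the one in the quoted script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer_Table (LoginNameCol TEXT, PasswordCol TEXT)")
    conn.executemany("INSERT INTO Customer_Table VALUES (?, ?)", ROWS)
    return conn


def login_vulnerable(conn, login_name, login_pass):
    """Interpolates raw input into the SQL text, exactly like the quoted script."""
    query = SELECT + f"LoginNameCol = '{login_name}' AND PasswordCol = '{login_pass}'"
    return conn.execute(query).fetchall()


def login_escaped(conn, login_name, login_pass):
    """The fix the reply recommends: escape the values before interpolating.

    SQLite escapes a single quote by doubling it; with MySQL you would call
    mysql_real_escape_string() on the open connection instead, because the
    correct escaping depends on the backend and its connection charset.
    """
    def esc(value):
        return value.replace("'", "''")

    query = SELECT + f"LoginNameCol = '{esc(login_name)}' AND PasswordCol = '{esc(login_pass)}'"
    return conn.execute(query).fetchall()


def login_parameterized(conn, login_name, login_pass):
    """Parameter binding: the database never parses the input as SQL at all."""
    return conn.execute(
        SELECT + "LoginNameCol = ? AND PasswordCol = ?",
        (login_name, login_pass),
    ).fetchall()


def demo():
    """Run each variant against the payloads and return the number of rows matched."""
    conn = make_db()
    password_payload = "foo' OR '1'='1"   # the payload from the reply
    username_payload = "alice'--"          # comments out the password check entirely
    return {
        # AND binds tighter than OR, so the WHERE clause becomes
        # (name='anyone' AND pass='foo') OR '1'='1' and matches every row.
        "vulnerable_password": len(login_vulnerable(conn, "anyone", password_payload)),
        # WHERE LoginNameCol = 'alice'-- ... : the password is never compared.
        "vulnerable_username": len(login_vulnerable(conn, username_payload, "wrong")),
        # Escaped, the payload is just a string literal that matches nothing.
        "escaped_password": len(login_escaped(conn, "anyone", password_payload)),
        "escaped_username": len(login_escaped(conn, username_payload, "wrong")),
        # Bound parameters are compared as data, never parsed as SQL.
        "parameterized_password": len(login_parameterized(conn, "anyone", password_payload)),
        "parameterized_username": len(login_parameterized(conn, username_payload, "wrong")),
        # A genuine login still works with the safe variants.
        "legit": len(login_parameterized(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Note that escaping only protects values placed inside quotes; if the script ever interpolated an unquoted value (a numeric id, a column or table name, a LIMIT), escaping quotes would do nothing, which is the practical reason to prefer bound parameters where the driver supports them.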
