I know about the "little bobby tables" scenario and was just wondering if this code is vulnerable to such SQL injections.
I am fairly new to PHP and am curious about this.
My code for a login script:
<?php
# session
session_start();

# get the variables from login.php
$userid = $_POST["userid"];
$pword = $_POST["pword"];
mysql_real_escape_string($userid);
mysql_real_escape_string($pword);

# query the DB
$query = mysql_query("
    SELECT username
    FROM login
    WHERE username = '$userid'
    AND pword = '$pword';
");
if ($query === FALSE) {
    die('There has been an error.<br><br> Please re-enter your Login Details on the <b><a href="login.php">Login</a></b> Page.<br><br>');
}
$result = mysql_fetch_assoc($query);   # FALSE when no row matched
$record = $result['username'];

# valid login
# check if session is operational, if so redirect the user
# to the correct page
if ($record != null) {
    $_SESSION['login'] = true;
    header('Location: index.php');
}
# invalid login
else if ($record == null) {
    echo "
    We can't find you on the system.
    <br/>
    Please return to the <b><a href='login.php'>Login</a></b> page and ensure that
    <br/>
    you have entered your details correctly.
    <br><br>
    <b>Warning</b>: You will be redirected back to the Login Page
    <br> in <b> <span id='counter'>10</span> Second(s)</b>";
}
?>
The main reason for asking this is that when I log in entering:
'user'); DROP TABLE Login;--'
it doesn’t drop the table.
My question is: Am I typing in the right SQL injection?
- user1662306, Oct 2, 2012 at 9:55: the single quotes around the SQL are not used, they're only there for the purpose of this question
2 Answers
This is vulnerable:

    mysql_real_escape_string($userid);
    mysql_real_escape_string($pword);

does not return the variable. Use:

    $userid = mysql_real_escape_string($userid);
    $pword = mysql_real_escape_string($pword);

If you really want to take care of all vulnerable SQL injections try to move to PDO. Here is a nice tutorial
- slugonamission, Oct 2, 2012 at 9:58: Oops, I didn't notice this in my answer. To add to this one though, you are not dropping the table because the mysql_* family of functions only execute a single statement, not multiple ones, so anything after the ; in your statement (e.g. the DROP TABLE) is ignored.
- EaterOfCorpses, Oct 2, 2012 at 10:02: @slugonamission so I was not wrong
- Mihai Iorga, Oct 2, 2012 at 10:04: yes, but to get to the last ; it will have to pass $userid and $pword, right?
- slugonamission, Oct 2, 2012 at 10:04: @EaterOfCorpses - I never said you were?
- EaterOfCorpses, Oct 2, 2012 at 10:05: @slugonamission See my answer I posted just at the same time as you lol
The injection doesn't work because mysql_query only does the first query till the ; then it stops, so it's not possible that way. Correct me if I'm wrong.
- bdsl, Feb 22, 2015 at 16:09: That's right, but the code is vulnerable to other SQL injection attacks.
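An added example (not code from the question or either answer) that makes the first answer's two points concrete: the posted script throws away the return value of mysql_real_escape_string(), so the question's own input reaches the SQL string unchanged, while a PDO prepared statement keeps the query text fixed and passes the input as data. It assumes an in-memory SQLite database so it runs without a MySQL server, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL link and was removed in PHP 7.

```php
<?php
// Input taken from the question; the password value is constructed.
$payload = "'user'); DROP TABLE Login;--'";
$pword   = "anything";

// 1. What the posted script does: call the escape function, discard its result.
$userid = $payload;
addslashes($userid);                           // return value thrown away
$sqlOriginal = "SELECT username FROM login WHERE username = '$userid' AND pword = '$pword'";

// 2. What the first answer suggests: keep the escaped value.
$userid = addslashes($payload);
$sqlEscaped = "SELECT username FROM login WHERE username = '$userid' AND pword = '$pword'";

echo "Original: $sqlOriginal\n";   // the payload's first quote closes the string literal
echo "Escaped:  $sqlEscaped\n";    // the quote arrives as \' and stays inside the literal

// 3. PDO prepared statement: SQL text is fixed, inputs are bound separately,
//    so no input value can change the statement's structure.
function findUser(PDO $pdo, string $userid, string $pword): ?string
{
    $stmt = $pdo->prepare(
        'SELECT username FROM login WHERE username = :u AND pword = :p'
    );
    $stmt->execute([':u' => $userid, ':p' => $pword]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// In-memory SQLite stand-in for the MySQL "login" table (assumption), with one constructed row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username TEXT, pword TEXT)');
$pdo->exec("INSERT INTO login VALUES ('alice', 'secret')");

var_dump(findUser($pdo, 'alice', 'secret'));   // the matching username
var_dump(findUser($pdo, $payload, $pword));    // null: the payload is just a username that does not exist
var_dump($pdo->query('SELECT count(*) FROM login')->fetchColumn());  // the table is still there
```

With a real MySQL connection the only change is the DSN passed to the PDO constructor; the prepared statement and the bound parameters stay the same.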