TalkPHP - View Single Post - How to Login to Any Account on an Insecure Site

Salathe · 09-20-2007, 09:49 AM

Tanax, in your example the password is sent in a POST request (from a form) and fed (via mysql_escape_string) directly into the query. There are a couple of problems with that SQL query. Firstly, there are no quotes around where the password will go (... WHERE `pass` = '%s') -- unless all of your passwords are numbers, that will cause problems. Secondly, you compare the pass column in the database directly to the string sent through the POST request. You should never, ever, store passwords exactly as they are entered into forms (in "plain text"). Wildhoney has written about salting password hashes, as well as one soon to be released on dynamic salting. Finally, your query would be useless in any real terms because it would return a result if any password in the table matched what was POSTed. You must always match it against a parameter unique to each individual (user id number or similar). Oh, and you should use sprintf to "print to a string" rather than the printf that you have there.

All that said, as far as "protecting" the actual value passed from POST that is a good start.

09-20-2007, 09:49 AM	#7 (permalink)
Salathe Moderateur Join Date: Apr 2007 Posts: 1,393 Thanks: 5	Tanax, in your example the password is sent in a POST request (from a form) and fed (via mysql_escape_string) directly into the query. There are a couple of problems with that SQL query. Firstly, there are no quotes around where the password will go (... WHERE `pass` = '%s') -- unless all of your passwords are numbers, that will cause problems. Secondly, you compare the `pass` column in the database directly to the string sent through the POST request. You should never, ever, store passwords exactly as they are entered into forms (in "plain text"). Wildhoney has written about salting password hashes, as well as one soon to be released on dynamic salting. Finally, your query would be useless in any real terms because it would return a result if any password in the table matched what was POSTed. You must always match it against a parameter unique to each individual (user id number or similar). Oh, and you should use `sprintf` to "print to a string" rather than the printf that you have there. All that said, as far as "protecting" the actual value passed from POST that is a good start.