Old 11-13-2007, 12:35 PM   #15 (permalink)
Wildhoney

Well, assuming that GPC magic quotes are disabled - which they will be in the next version of PHP, as they are a real annoyance - your login script is quite easy to crack, I'm afraid. With them removing magic quotes altogether in PHP6, people really need to get up to scratch with the way they do things.

I can crack your login script by entering a user name like so: 'bleh' /* All this does is end the user name segment and then comment out the rest of the code.

You may wish to have yourself a read through this article and also use a function, such as the one I used below in a few of my projects:

php Code:
function mysql_parse_value($szValue, $bStripTags = true, $szAllowableTags = null)
{
    // An array cannot be escaped as a single value; return nothing.
    if (is_array($szValue))
    {
        return;
    }

    // Undo magic_quotes_gpc so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $szValue = stripslashes($szValue);
    }

    // Optionally remove HTML/PHP tags, keeping only the allowed ones.
    if ($bStripTags)
    {
        $szValue = strip_tags($szValue, $szAllowableTags);
    }

    // Quote and escape anything that is not a plain number, so the result
    // can be dropped straight into the query with %s.
    if (!is_numeric($szValue))
    {
        $szValue = "'" . mysql_real_escape_string($szValue) . "'";
    }

    return $szValue;
}

And thus, when used in conjunction with the sprintf function, your MySQL will now look something like this:

php Code:
$sql = sprintf("SELECT * FROM com_usr WHERE is_username = %s AND is_password = md5(%s) AND active = 1",
               mysql_parse_value($user),
               mysql_parse_value($password));

This would make my earlier attempt futile, and in all honesty will just make me end up sat there looking silly. You'd have got one over on me :) ! Moreover, as you're new to TalkPHP, we prefix all our variables by their data-type - this admittedly may seem somewhat confusing to begin with, but please have a read through Bluesaga's article and you'll soon understand. It makes code look a thousand times better.

Last but not least, you're in safe hands with your PHP code now :). Glad to have you here.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
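An added, self-contained illustration of the approach in the post above (not Wildhoney's code and not from TalkPHP): the same quote-and-escape idea as mysql_parse_value(), run against an in-memory SQLite database so it can be tried without a MySQL server. PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection (and the mysql extension no longer exists in PHP 7+); the table, column names, sample row and the parse_value()/login_sql()/login_prepared() helpers are assumptions constructed for this example. It shows that the 'bleh' /* input ends up inside a string literal rather than terminating it, and that the legitimate login still matches. The prepared-statement version at the end is the equivalent that needs no escaping at all.

```php
<?php
// Added example, not the post's code. In-memory SQLite stands in for MySQL;
// table/columns mirror the query in the post, the sample row is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE com_usr (is_username TEXT, is_password TEXT, active INTEGER)');
$pdo->exec("INSERT INTO com_usr VALUES ('alice', '" . md5('s3cret') . "', 1)");

// Counterpart of mysql_parse_value(): strip tags, then return the value as a
// quoted, escaped SQL literal (plain numbers are left bare, as in the post).
function parse_value(PDO $pdo, $szValue, $bStripTags = true, $szAllowableTags = null)
{
    if (is_array($szValue)) {
        return null;
    }
    if ($bStripTags) {
        $szValue = strip_tags($szValue, $szAllowableTags);
    }
    if (!is_numeric($szValue)) {
        // PDO::quote() adds the surrounding quotes and escapes embedded ones
        $szValue = $pdo->quote($szValue);
    }
    return $szValue;
}

// Builds the login query with sprintf, as the post does. SQLite has no md5()
// function, so the hash is computed in PHP and compared as a literal.
function login_sql(PDO $pdo, $user, $password)
{
    return sprintf(
        "SELECT * FROM com_usr WHERE is_username = %s AND is_password = %s AND active = 1",
        parse_value($pdo, $user),
        parse_value($pdo, md5($password))
    );
}

// Same check with a prepared statement: values never touch the SQL text.
function login_prepared(PDO $pdo, $user, $password)
{
    $stmt = $pdo->prepare(
        'SELECT * FROM com_usr WHERE is_username = :u AND is_password = :p AND active = 1'
    );
    $stmt->execute([':u' => $user, ':p' => md5($password)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$legit = login_sql($pdo, 'alice', 's3cret');
$probe = login_sql($pdo, "'bleh' /*", 'whatever');

// Print both statements: in the second, the embedded quotes are doubled and
// the comment marker sits inside the string literal.
echo $legit, "\n";
echo $probe, "\n";

$legitRows = $pdo->query($legit)->fetchAll(PDO::FETCH_ASSOC);
$probeRows = $pdo->query($probe)->fetchAll(PDO::FETCH_ASSOC);

if (count($legitRows) !== 1 || count($probeRows) !== 0) {
    throw new RuntimeException('escaping did not behave as expected');
}
if (count(login_prepared($pdo, 'alice', 's3cret')) !== 1
    || count(login_prepared($pdo, "'bleh' /*", 'whatever')) !== 0) {
    throw new RuntimeException('prepared statement did not behave as expected');
}
echo "both the escaped query and the prepared statement behave correctly\n";
```

Running it needs the pdo_sqlite extension, which ships with most PHP builds. Note that md5 is kept here only to match the post's query; storing passwords with password_hash()/password_verify() is the current PHP practice.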