Oct 12th, 2009, 09:21 PM
#11
Re: Re-designing a flash site in (x)html
you're not doing it correctly.
please actually read my post and look at the example given to see how to correctly use this function in your code. you can't just put it inside of your query a bunch of times. you are sanitising user INPUT. you are not sanitising your own code. you sanitise the variables that you cannot predict, or that could potentially contain something harmful. generally, this means ALL input.
I hope you understand that using mysql_real_escape_string() on your variables does not just "make or break" your script. it does exactly what it says. it escapes a string for any characters that MySQL might be unhappy with. this means quotes and a few other characters (all detailed on the function's page at PHP.net). however, if you don't present an invalid query to MySQL (meaning one that does not need characters escaped), then everything is going to work fine. but, for the code you're running above, you're vulnerable to an SQL injection (quick example in a previous post I've made). if you put the string ' OR 1=1 # in the username field, and anything in the password field, your new SQL query would be:
select * from users where username='' OR 1=1 #'AND password='whatever'
(the part our "username" inserted into the query is ' OR 1=1 #)
of course, this statement is true, because the username can either be an empty string, or 1 can be equal to 1. 1 is always equal to 1, and thus the user would be automatically logged in. note that the hash/pound symbol ("#") is a comment in MySQL (the rest of the stuff making sure the password also matches is simply ignored).
magic_quotes_gpc will give you some protection against this, but it's a false sense of security and you should really be aware of the problems you are opening yourself up to. if you ran this script on a server without magic_quotes_gpc (which you've said you've now turned off), you would be vulnerable to an attack. instead, you can apply mysql_real_escape_string() to your $username variable, and hash your $password variable (assuming you're using encryption, otherwise, use mysql_real_escape_string() on it as well).
hope you understood that. if you don't, please ask questions. I hate seeing people struggle.
Last edited by kows; Oct 12th, 2009 at 09:29 PM.
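The bypass described in the post, as an added example that is not code from the thread or from the original poster: Python with an in-memory SQLite database stands in for the PHP/MySQL login, the sample users and the function names are constructed for the demo, and because SQLite does not treat "#" as a comment marker the same payload is written with SQLite's "--". It shows the string-built query being bypassed, the same query with the input escaped (quote doubling, the SQLite equivalent of what mysql_real_escape_string() does for MySQL), and a parameterised query that needs no escaping at all.

```python
import sqlite3

# Constructed sample data, not from the thread: two accounts with plaintext
# passwords so the login check is easy to follow (a real site stores hashes).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The payload from the post. SQLite does not treat '#' as a comment the way
# MySQL does, so the same trick is written with SQLite's '--' comment marker.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Return an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by pasting raw input into it, like the code in the thread.

    With PAYLOAD as the username the SQL becomes
      SELECT * FROM users WHERE username='' OR 1=1 --' AND password='whatever'
    and everything after '--' is a comment, so every row matches.
    """
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchall()


def escape_sql_string(value):
    """Escape a value for use inside a single-quoted SQL literal.

    Stand-in for mysql_real_escape_string(). MySQL escapes with a backslash
    and also handles NUL, newline and multi-byte charsets, which is why you
    call the driver's own function rather than writing your own; SQLite uses
    the SQL-standard convention of doubling single quotes, so that is what
    this demo does.
    """
    return value.replace("'", "''")


def escaped_login(conn, username, password):
    """Same string-built query, but every untrusted value is escaped first."""
    sql = (f"SELECT * FROM users WHERE username='{escape_sql_string(username)}' "
           f"AND password='{escape_sql_string(password)}'")
    return conn.execute(sql).fetchall()


def parameterised_login(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so there is no string to escape at all (in PHP: PDO or mysqli
    prepared statements)."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def run_demo():
    """Run the three variants against the payload and against a real login;
    return the number of rows each one matched."""
    conn = make_db()
    results = {
        "vulnerable_rows": len(vulnerable_login(conn, PAYLOAD, "whatever")),
        "escaped_rows": len(escaped_login(conn, PAYLOAD, "whatever")),
        "parameterised_rows": len(parameterised_login(conn, PAYLOAD, "whatever")),
        "legit_rows": len(parameterised_login(conn, "alice", "s3cret")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns both users for the payload, while the escaped and parameterised variants return none and only a correct username/password pair matches. Escaping works, but it only protects values you remember to escape and only inside quoted literals; a parameterised query removes the whole class of mistake, which is why it is the preferred fix today.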