Andrew V

Reputation: 522

Can this php code be sql injected?

I'm trying to learn SQL injection to become a white-hat but I find it quite difficult ...

I found this code on a site and it's said to be easy difficulty.

The HTML code has username and password boxes and a button.

if(isset($_POST['autentificare']) && $_POST['autentificare']=='OK' && $_POST['admin']!="" && $_POST['adm_password']!="")
{
    $admin=$_POST['admin'];                // raw user input, never escaped
    $adm_password=$_POST['adm_password'];  // raw user input, never escaped
    // Both values are concatenated straight into the SQL text: this is the injection point
    $login="SELECT admin,password FROM owner where admin='".$admin."' AND password='".$adm_password."' ";
    // On a failed query the page prints the MySQL error and the full query text to the user
    $result_auth=mysql_query($login,$db) or die("Query failed: ".mysql_error()." Actual query: ".$login);
    $user_identity=null;
    $password_ident=null;
    while($dates = mysql_fetch_object($result_auth))   // keeps the last row returned
    {
        $user_identity=$dates->admin;
        $password_ident=$dates->password;
    }
    // Compares the fetched row with the raw POST values (passwords are stored in plain text)
    if($result_auth && $user_identity==$admin && $password_ident==$adm_password)
    {
        $_SESSION['adm_username']=$admin;
        $_SESSION['adm_password']=$adm_password;   // plaintext password kept in the session
        $authval="V";
    }
    else
    {
        $authval="D";
    }
}

Upvotes: 0

Views: 91

Answers (3)

Marshall Tigerus

Reputation: 3764

Obvious problems with the code from a security/sql injection standpoint:

  1. Data isn't cleansed. Any time you take inputs from a user and process them in a query you want to cleanse them by encoding any special characters. There are a variety of functions that can do this, and since you're a student I'll let you research that bit (learning how to find functions for your purposes is a vital skill in development).

  2. You are not using bound parameters (and you're not using $mysqli which you should be). Bound parameters help build the query in a way that the application knows what sort of inputs to expect. It stops people from sneaking a subquery into your code.

  3. Passwords are being stored in an unencrypted state. Passwords should always be encrypted, so if they are stolen it's not as bad as if they were unencrypted.

That should get you started.

Upvotes: 0

Dimitris Papageorgiou

Reputation: 447

Your best "weapon" against SQL injection is prepared statements. This way you do not mix code with data... as you do in your queries above.

So of course...you are vulnerable to SQL injection.

By mixing code and data the attacker can send the input in such a way that in effect can alter the form of the query.

Upvotes: 2

Mike

Reputation: 882

Yes. Your query is SQLi vulnerable. I strongly suggest using PDO. It takes care of escaping queries for you. http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers#Named_Placeholders

Upvotes: 1
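The following is an added example, not code from the question or from any of the answers. It rebuilds the posted login query two ways: concatenated exactly as the PHP does, and with bound parameters as the second and third answers recommend (PDO placeholders work the same way). It also mirrors the PHP comparison that runs after the query, which shows a point worth knowing about this particular snippet: the classic tautology payload does change what the query returns (a row comes back for a wrong password), but the code then compares the fetched row with the raw POST values, so that payload alone does not log the attacker in. The injection is still real: the SQL text is under the attacker's control, and the `or die(...)` prints the database error plus the full query, which is exactly what an attacker wants to see. The last two functions are for the first answer's third point, hashing passwords instead of storing them in the clear. Assumptions: sqlite3 stands in for MySQL, the `owner` table with its single `('admin', 'hunter2')` row and the payload string are constructed here, and `hash_password`/`verify_password` are illustrative names, not any library's API.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed payload: closes the quoted value and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Constructed sample data standing in for the post's MySQL 'owner' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE owner (admin TEXT, password TEXT)")
    db.execute("INSERT INTO owner VALUES ('admin', 'hunter2')")  # stored in the clear, as in the post
    return db


def login_query_concat(admin, adm_password):
    """The SQL text built exactly the way the posted PHP builds $login."""
    return ("SELECT admin,password FROM owner where admin='" + admin
            + "' AND password='" + adm_password + "' ")


def rows_concat(db, admin, adm_password):
    """Run the concatenated query: the input becomes part of the SQL and can change its meaning.
    With TAUTOLOGY as the password the WHERE clause reads
    (admin='admin' AND password='') OR '1'='1', which matches every row."""
    return db.execute(login_query_concat(admin, adm_password)).fetchall()


def rows_prepared(db, admin, adm_password):
    """Same lookup with bound parameters: the SQL text is fixed, values travel separately,
    so a quote in the input is just a character to compare against."""
    sql = "SELECT admin,password FROM owner WHERE admin=? AND password=?"
    return db.execute(sql, (admin, adm_password)).fetchall()


def posted_code_accepts(db, admin, adm_password):
    """Mirror of the PHP after the query: keep the last row, then compare it with the raw
    POST values. Returns (number_of_rows_returned, login_granted)."""
    rows = rows_concat(db, admin, adm_password)
    user_identity = password_ident = None
    for user_identity, password_ident in rows:  # last row wins, as in the while loop
        pass
    granted = bool(rows) and user_identity == admin and password_ident == adm_password
    return len(rows), granted


def error_leak(db, admin, adm_password):
    """What the post's `or die(... mysql_error() ... $login)` hands to the user when the
    injected input breaks the query: the DB error text plus the complete SQL statement."""
    try:
        rows_concat(db, admin, adm_password)
    except sqlite3.Error as exc:
        return "Query failed: %s Actual query: %s" % (exc, login_query_concat(admin, adm_password))
    return None


def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256 (illustrative; a password-hashing library is the usual
    choice in production). Returns 'rounds$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare of the digests."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print(login_query_concat("admin", TAUTOLOGY))   # the altered SQL text
    print(rows_concat(db, "admin", TAUTOLOGY))      # row returned despite a wrong password
    print(rows_prepared(db, "admin", TAUTOLOGY))    # no row: the payload is just a string
    print(posted_code_accepts(db, "admin", TAUTOLOGY))
    print(error_leak(db, "'", "x"))                 # error text plus the full query
```

Run it as a script to see the four outputs side by side. The useful comparison is `rows_concat` against `rows_prepared` on the same inputs: with placeholders the database parses the statement before it ever sees the values, so there is nothing for a quote or an `OR` in the input to attach to. The `posted_code_accepts` result for the tautology payload is `(1, False)`: one row leaked out of the query, but the page's follow-up comparison rejects the login, which is why the error-message leak from `error_leak` matters more for this snippet than a direct bypass.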
