Solved

is my login script vulnerable to sql injection attacks, if yes, what should i do

Posted on 2007-11-16
3
332 Views
Last Modified: 2013-12-13
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "login.php";
  $MM_redirectLoginFailed = "login.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_mine, $mine);
 
  $LoginRS__query=sprintf("SELECT user_name, password, user_id, role, first_name, last_name, company_id, email FROM user WHERE user_name='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
   
  $LoginRS = mysql_query($LoginRS__query, $mine) or die(mysql_error());
  $row_LoginRS = mysql_fetch_assoc($LoginRS);
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
   
    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
      $GLOBALS['user1'] = $row_LoginRS['user_id'];      
      $GLOBALS['level'] = $row_LoginRS['role'];
      $GLOBALS['name'] = $row_LoginRS['first_name'];      
      $GLOBALS['lname'] = $row_LoginRS['last_name'];
      $GLOBALS['comp'] = $row_LoginRS['company_id'];      
      $GLOBALS['email'] = $row_LoginRS['email'];
      $GLOBALS['MM_UserGroup'] = $loginStrGroup;           

//register the session variables
session_start();
session_register("MM_Username");
session_register('user1');      
session_register('level');
session_register('name');
session_register('lname');
session_register('comp');
session_register('email');
session_register("MM_UserGroup");
$valid_user = 1;

0
Comment
Question by:jblayney
  • 2
3 Comments
 
LVL 3

Expert Comment

by:kylealanhale
ID: 20299465
Well, you do add slashes, that's good.  The only other thing I would suggest would be to put anything (such as those username and password values) through quick regex check to make sure they only have the characters you want.  Something like
if (!preg_match('/[^\w\d!@#]{6,15}$/', $username)) die('Invalid username.');

Open in new window

0
 
LVL 3

Accepted Solution

by:
kylealanhale earned 200 total points
ID: 20299486
Sorry, small typo; here's a (hopefully) bug free example.  Untested, but the principle is true.  By the way, this checks for a username between 6 and 15 characters long, either a letter or a number, or the character !, @, or #.
if (!preg_match('/^[a-zA-Z\d!@#]{6,15}$/', $username)) die('Invalid username.');

Open in new window

0
 
LVL 1

Author Comment

by:jblayney
ID: 20300081
thank you
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question