View Full Version : sql injections



ravi951
08-18-2011, 11:52 AM
hi all,
i have done a simple login form with username="admin" and password="admin123".
i am checking for sql injections. i have given "mysql_real_escape_string"
for both username and password fields.
but still it is not working......
if i give username as "admin --" and click the submit button (not giving the password either) it is taking me to the next page...
tell me what's wrong in my code below.....


<?php
session_start();
mysql_connect("localhost", "root", "");
mysql_select_db("test");

if (isset($_POST['sub'])) {
    // Escape both inputs before they are placed in the query string.
    $username = mysql_real_escape_string($_POST['txtuname']);
    $password = mysql_real_escape_string($_POST['txtpwd']);

    // Only the username is used in the lookup; the password is compared in PHP below.
    $check = mysql_query("SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'")
        or die("Error: " . mysql_error());

    // $output is only assigned when the query returns a row.
    while ($find = mysql_fetch_array($check)) {
        list($username, $output) = $find;
    }

    if ($password == $output) {
        $_SESSION['si'] = session_id();
        echo "<script> location='view1.php'</script>";
    } else {
        echo "invalid";
    }
}
?>
<table width="200" height="150" bgcolor="lightblue" border="1" align="center">
<tr><td style="font-size:25;color:red" align="center" colspan="2">Login Form </td></tr>
<form method="post" action="">
<tr><td align="right" width="100">
Username:</td><td><input type="text" name="txtuname"></td></tr>
<tr><td align="right" width="100">
Password:</td><td><input type="password" name="txtpwd"></td></tr>
<tr><td align="right" width="100">
<input type="submit" value="login" name="sub"></td></tr>
</form>
</table>

bluewalrus
08-18-2011, 01:15 PM
This is not a SQL injection. A SQL injection is when someone accesses your database and changes/destroys/accesses information.

You need to check the password as well in your query; you currently only check the username.



SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username' and `password` = '$password'

xtiano77
08-20-2011, 12:15 AM
Your SQL statement is missing the password parameter:



"SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'"

It should read something like this:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE username='" . $username . "' AND password = '" . $password . "'"
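The bypass ravi951 describes and the password check bluewalrus and xtiano77 propose, side by side in an added PHP example (this is not code from any post in the thread). It mirrors the original lookup-then-compare logic with a plain array standing in for the query result, and next to it puts a hardened version that uses a PDO prepared statement and hashed passwords; the hashing goes beyond what the replies suggest. The table name `log` and the admin/admin123 credentials come from the thread; the in-memory SQLite database, the function names and the test inputs are assumptions made for the example, and it needs the pdo_sqlite extension.

```php
<?php
// Added example, not from the original thread. Reproduces the login bypass in
// the posted code and shows a hardened version. Uses an in-memory SQLite
// database via PDO so it runs without MySQL (assumption: pdo_sqlite is loaded).
// The table name `log` and the admin/admin123 credentials come from the thread.

// --- 1. Why "admin --" with an empty password gets through ---
// The original code only looks the username up, then compares the posted
// password to $output. When no row matches, $output is never assigned, so the
// comparison becomes "" == null, which PHP's loose == treats as true.
function originalCheck(array $rowsForUser, string $password): bool
{
    $output = null;                        // stays null when the query returns no rows
    foreach ($rowsForUser as $find) {
        list($username, $output) = $find;  // same list() assignment as the thread
    }
    return $password == $output;           // loose comparison: "" == null is true
}

// --- 2. Hardened check: parameterised query plus hashed passwords ---
function hardenedCheck(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely, so quoting
    // tricks such as  admin' --  are matched literally as a username.
    $stmt = $db->prepare('SELECT `password` FROM `log` WHERE `username` = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                      // unknown user: fail closed, never compare against null
    }
    return password_verify($password, $hash);
}

// Constructed fixture matching the thread: a single user admin / admin123.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `log` (`username` TEXT PRIMARY KEY, `password` TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO `log` VALUES (?, ?)');
$ins->execute(['admin', password_hash('admin123', PASSWORD_DEFAULT)]);

// Constructed inputs: one legitimate login, the thread's bypass, and two classic probes.
$cases = [
    ['admin',            'admin123'],
    ['admin --',         ''],
    ["admin' --",        ''],
    ["admin' OR '1'='1", 'x'],
];

foreach ($cases as [$u, $p]) {
    // Rows the original username-only query would return for this input.
    $rows = ($u === 'admin') ? [['admin', 'admin123']] : [];
    printf("%-22s original=%s hardened=%s\n",
        var_export($u, true),
        originalCheck($rows, $p) ? 'LOGIN' : 'denied',
        hardenedCheck($db, $u, $p) ? 'LOGIN' : 'denied');
}
```

Run it with the php command-line binary. The second and third cases show the original comparison accepting an unknown username with an empty password, because no row is fetched, `$output` is never set, and `"" == null` is true under loose comparison; with the posted `mysql_real_escape_string` call the quote in `admin' --` is escaped and matched literally, so the bypass does not depend on injection at all. The hardened version fails closed on an unknown user, compares against a stored hash, and never places user input in the SQL text.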

traq
08-20-2011, 12:25 AM
Your SQL statement is missing the password parameter:



"SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'"

It should read something like this:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE username='" . $username . "' AND password = '" . $password . "'"

xtiano77,

bluewalrus pointed this out yesterday, in the post above yours. There is no need to mention it again.

xtiano77
08-20-2011, 12:40 AM
I read the post and hit "Q-Reply" and it took me to the box in the bottom so I missed yesterday's reply. Thanks for calling me out like that, very polite of you.

JShor
08-20-2011, 01:16 AM
Hey, everyone makes mistakes.