sql injections

**ravi951** · 08-18-2011, 11:52 AM

hi all,
i have done simple login form with username="admin" and password="admin123".
i am checking for sql injections.i have given "mysql_real_escape_string"
for both username and password fields.
but also it is not working......
if i give username as "admin --" and click the submit button(not giving password also) it is taking to the next page...
tell me whats wrong in my below code.....

Code:

<?php
session_start();
mysql_connect("localhost","root","");
mysql_select_db("test");
if(isset($_POST['sub']))
{
$username=mysql_real_escape_string($_POST['txtuname']);
$password=mysql_real_escape_string($_POST['txtpwd']);
$check=mysql_query("SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'") or die("Error: " . mysql_error());
while($find = mysql_fetch_array($check)) 
 {
 list($username,$output) = $find;
 }
if($password==$output) 
 { 
$_session['si']=session_id();
echo "<script> location='view1.php'</script>";
 }
else
echo "invalid";
}
?>
<table width="200" height="150" bgcolor="lightblue" border="1" align="center">
<tr><td style="font-size:25;color:red" align="center" colspan="2">Login Form </td></tr>
<form method="post" action="">
<tr><td align="right" width="100">
Username:</td><td><input type="text" name="txtuname" </td></tr>
<tr><td align="right" width="100">
Password:</td><td><input type="password" name="txtpwd" </td></tr>
<tr><td align="right" width="100">
<input type="submit" value="login" name="sub" </td></tr>
</form>
</table>

**bluewalrus** · 08-18-2011, 01:15 PM

This is not a sql injection a sql injection is when someone access your database and changes/destroys/accesses information.

You need to check the password as well in your query, you currently only check the username

PHP Code:


SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username' and `password` = '$password'"

**xtiano77** · 08-20-2011, 12:15 AM

Your SQL statement is missing the password parameter:

PHP Code:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'"

It should read something like this:

PHP Code:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE username='" . $username . "' AND password = '" . $password . "'"

**traq** · 08-20-2011, 12:25 AM

Originally Posted by xtiano77

Your SQL statement is missing the password parameter:

PHP Code:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE `username`='$username'"

It should read something like this:

PHP Code:


"SELECT DISTINCT `username`,`password` FROM `log` WHERE username='" . $username . "' AND password = '" . $password . "'"

xtiano77,

bluewalrus pointed this out yesterday, in the post above yours. There is no need to mention it again.

**xtiano77** · 08-20-2011, 12:40 AM

I read the post and hit "Q-Reply" and it took me to the box in the bottom so I missed yesterday's reply. Thanks for calling me out like that, very polite of you.

**JShor** · 08-20-2011, 01:16 AM

Hey, everyone makes mistakes.

Thread: sql injections

Thread Tools

Search Thread

sql injections

Bookmarks

Bookmarks

Posting Permissions