I am going to add a short addendum to this thread because the code example makes me nervous and I want to be sure that we've properly explained what is happening so that someone doesn't read it and use it the code. This isn't directed so much at the OP, but for anyone who comes along and reads this thread and doesn't fully understand it.
In the original post query, the PHP code had:
Quote:
WHERE Username = '".$_POST['username']."
|
Obviously the intent is to compare the field Username to the value that the client entered. The client data is read through the use of the superglobal $_POST and this example is meant to demonstrate an easy but serious flaw in site design. The superglobal variables contain the text as entered by the client; it has not been filtered. In this example, the exploit short circuits the query with the ' and then adds an OR TRUE statement. Since the latter part becomes true, the query then becomes select the username and password database.
What the tutorial is undoubtedly going to show you is that you need to change how the superglobal data is handled. For example:
Code:
$clientUsername = $_POST['username'];
$clientPassword = $_POST['password'];
(some verification or filtering process)
if (valid)
{
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = $clientUsername and Password = $clientPassword");
}
else
{
//handle bogus data entry
}
Then perform checks on these two fields to verify their legitimacy. This can be handled in several ways and is usually a source of confusion to new PHP programmers. The validations should make sure that it contains only allowed letters, numbers, and symbols, contains no special "escape" sequences, etc, and should also verify and truncate the length to a safe value. This can be done with the filters function, or manually. When possible it is better to compare the user input against expected values and select from those instead of using the input directly. The bottom line is that user input should NEVER be used directly.
In terms of passwords, you should consider using a hash such as an MD5 or SHA1. By saving the hashes, you 1) ensure that only valid alphanumeric values of proper length are stored in your database, 2) don't have the raw passwords for someone to steal, 3) hashing the user input automatically sanitizes it. Just be sure to salt your hash table to thwart the use of rainbow tables.