Amir Hardon wrote:

I have a PHP site which uses HTTP user authentication.
I just noticed something weird in the logs: I saw someone accessing with username '-', which doesn't exist.
I tried logging in using username '-' with no password and I was in!


The only thing I can think of is that '-' is a special character for strcmp.
Here is my authentication function (I removed the database connection part):

function authenticate() {
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="garin"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Illegal entrance';
        return FALSE;
    }
    else {
        $euser = mysql_escape_string(htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES));
        $query = 'SELECT password FROM garin WHERE username=\'' . $euser . '\';';
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_array($result, MYSQL_ASSOC);

Which means that if the query returns 0 rows (for example, because the username doesn't exist), $row is empty, no?

                
if(strcmp(htmlspecialchars($_SERVER['PHP_AUTH_PW'],ENT_QUOTES),$row["password"])
                || (strcmp($euser,mysql_escape_string(htmlspecialchars("-")))) ){

Which means that the strcmp has no reason to fail. NULL is implicitly converted into an empty string, IIRC. You should check for NULL return on $row, and fail the authentication.


            header('WWW-Authenticate: Basic realm="garin"');
            header('HTTP/1.0 401 Unauthorized');
            echo "Illegal entrance.";
            return FALSE;
        }
        $query = 'UPDATE garin SET lastlogin=NOW() WHERE username=\'' . $euser . '\';';
        mysql_query($query);
        return TRUE;
    }
}



=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]





--
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/
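The two checks side by side, as an added example that is not code from the original post or from Amir's site. The database lookup is simulated with an in-memory array behind a hypothetical fetch_row() helper standing in for the SELECT plus mysql_fetch_array(); the usernames and plaintext passwords are constructed sample data, and the names vulnerable_check() and hardened_check() are mine. It shows why the unknown user '-' with an empty password passes the original logic, and what the missing row check looks like.

```php
<?php
// Added example (not code from the original mail): the lookup against the
// 'garin' table is replaced by an in-memory array so this runs offline.

// Constructed sample data standing in for the table's username/password columns.
const USERS = [
    'alice' => 'correct horse',
];

// Stand-in for the SELECT + mysql_fetch_array() pair in the post:
// returns the row as an associative array, or false when no row matched.
function fetch_row(string $username)
{
    return array_key_exists($username, USERS) ? ['password' => USERS[$username]] : false;
}

// Mirrors the logic in the post. When the username is unknown, $row is false,
// $row['password'] is null, and strcmp() coerces null to "" before comparing,
// so an empty PHP_AUTH_PW compares equal to "" and the check passes.
function vulnerable_check(string $user, string $pw): bool
{
    $row    = fetch_row($user);
    $stored = ($row === false) ? null : $row['password'];
    // The (string) cast makes the coercion strcmp() performs on null explicit.
    if (strcmp($pw, (string) $stored) != 0) {
        return false;
    }
    return true;
}

// Hardened version: a missing row is an authentication failure on its own,
// and the comparison never sees a null.
function hardened_check(string $user, string $pw): bool
{
    $row = fetch_row($user);
    if ($row === false || !isset($row['password'])) {
        return false; // unknown user: deny before comparing anything
    }
    // Constant-time comparison. In production, store password_hash() output
    // and call password_verify($pw, $row['password']) here instead.
    return hash_equals($row['password'], $pw);
}

// Constructed login attempts, including the '-' / empty-password case from the post.
$attempts = [
    ['-',     ''],
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob',   ''],
];

foreach ($attempts as [$user, $pw]) {
    printf("user=%-8s pw=%-16s vulnerable=%-6s hardened=%s\n",
        var_export($user, true),
        var_export($pw, true),
        var_export(vulnerable_check($user, $pw), true),
        var_export(hardened_check($user, $pw), true));
}
```

Running it, vulnerable_check() accepts both '-' and 'bob' with an empty password (any unknown username does, not only '-'), while hardened_check() rejects them; 'alice' with the right password is accepted by both and with the wrong password by neither. The fix is the row check, not anything about the character '-'.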





