php-windows Digest 23 Apr 2010 17:41:20 -0000 Issue 3796

Topics (messages 30044 through 30047):

Re: Problem with php and MySQL: inserting strings into database
        30044 by: Warren Vail
        30045 by: Toby Hart Dyke

proofing login success using sessions
        30046 by: Alexander Schunk
        30047 by: Warren Vail


----------------------------------------------------------------------
--- Begin Message ---
You have just done two things that make your site vulnerable to hacks.

Register globals means that someone can load a copy of your form to their
machine, modify it to include variables that you use internally like
$user_type = "admin" (or whatever) and post their form to your site, and
even though user_type wasn't on your form, your program has no idea that it
came from his.

Second is the hack known as SQL injection, sticking a "); in a form control
and adding the following text;

update user_table set password=MD5("my password");

this will change all user passwords to his value.

Best way I know of to protect against this is wrap the form references in
putting together your sql query with the function;

mysql_real_escape_string();

this should properly escape all sensitive characters and prevent visitors
from using sql injection to do something different than your code was
supposed to do.

My 2 cents,

Warren Vail
Vail Systems Technology

-----Original Message-----
From: Alexander Schunk [mailto:asch...@gmail.com] 
Sent: Thursday, April 22, 2010 10:34 PM
To: php-wind...@lists.php.net
Subject: [PHP-WIN] Problem with php and MySQL: inserting strings into
database

Hello,

I have a problem with php and mysql when inserting strings into a database.

I have the following syntax:

$sqlinsert = "INSERT INTO werte ('benutzername', 'passwort', 'name',
'vorname', 'Geburtsdatum', 'strasse', 'plz', 'ort', 'email')
VALUES('$_POST['benutzername']', '$_POST['passwort']',
'$_POST['name']', '$_POST['vorname']', '$_POST['Geburtsdatum']',
'$_POST['straße']', '$_POST['plz']', '$_POST['ort']',
'$_POST['email']')";

I want to read entries from an HTML form into a database.

When to use backticks in MySQL and what is this syntax: " '

I am getting an unexpected T_STRING ....  error.

I am using php, mysql with xampp on windows xp.

In php.ini I have turned register_globals = on.

thank you.

yours sincerely
Alexander

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--- End Message ---
--- Begin Message ---
Apart from Warren's excellent advice, the source of your problem is things like this:

'$_POST['vorname']'

How is PHP supposed to know that this is nested parentheses? You should have done it like this:

"$_POST['vorname']"

Though of course, follow Warren's advice, and don't do it like this at all ;-)

  Toby

On 4/23/2010 6:34 AM, Alexander Schunk wrote:
Hello,

I have a problem with php and mysql when inserting strings into a database.

I have the following syntax:

$sqlinsert = "INSERT INTO werte ('benutzername', 'passwort', 'name',
'vorname', 'Geburtsdatum', 'strasse', 'plz', 'ort', 'email')
VALUES('$_POST['benutzername']', '$_POST['passwort']',
'$_POST['name']', '$_POST['vorname']', '$_POST['Geburtsdatum']',
'$_POST['straße']', '$_POST['plz']', '$_POST['ort']',
'$_POST['email']')";

I am getting an unexpected T_STRING ....  error.



--- End Message ---
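
The advice in the two replies above, carried through as an added example that is not part of either message: the insert from the question built with a PDO prepared statement in place of string interpolation or mysql_real_escape_string(). The in-memory SQLite database, the sample input and the name insertWert are assumptions; the prepare()/execute() calls are the same when PDO is connected to MySQL.

```php
<?php
// Added example. Table and field names come from the post; the in-memory
// SQLite database is an assumption so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE werte (benutzername TEXT, passwort TEXT, name TEXT,
    vorname TEXT, Geburtsdatum TEXT, strasse TEXT, plz TEXT, ort TEXT, email TEXT)');

// Column => form field. Column names are fixed here and never taken from the
// request. In MySQL they are written bare or in backticks; single quotes
// produce a string literal, not an identifier.
const FIELDS = [
    'benutzername' => 'benutzername', 'passwort' => 'passwort',
    'name' => 'name', 'vorname' => 'vorname',
    'Geburtsdatum' => 'Geburtsdatum', 'strasse' => 'straße',
    'plz' => 'plz', 'ort' => 'ort', 'email' => 'email',
];

function insertWert(PDO $pdo, array $post)
{
    $values = [];
    foreach (FIELDS as $column => $field) {
        // Only the expected keys are read; missing ones become empty strings.
        $values[$column] = isset($post[$field]) ? (string) $post[$field] : '';
    }
    // Store a salted hash, never the password itself.
    $values['passwort'] = password_hash($values['passwort'], PASSWORD_DEFAULT);
    $columns = implode(', ', array_keys($values));
    $marks   = implode(', ', array_fill(0, count($values), '?'));
    // Values travel separately from the SQL text, so quotes in them are data.
    $stmt = $pdo->prepare("INSERT INTO werte ($columns) VALUES ($marks)");
    $stmt->execute(array_values($values));
}

// Constructed form input: the first field carries the string from the reply
// above, and user_type is an extra field the form never had.
$post = [
    'benutzername' => '"); update user_table set password=MD5("my password");',
    'passwort' => 'geheim', 'name' => 'Muster', 'vorname' => 'Anna',
    'Geburtsdatum' => '1980-01-01', 'straße' => 'Hauptstr. 1',
    'plz' => '12345', 'ort' => 'Berlin', 'email' => 'anna@example.org',
    'user_type' => 'admin',
];
insertWert($pdo, $post);

$row = $pdo->query('SELECT * FROM werte')->fetch(PDO::FETCH_ASSOC);
var_dump($row['benutzername'] === $post['benutzername']); // kept as plain data
var_dump(array_key_exists('user_type', $row));            // extra field dropped
```
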
--- Begin Message ---
Hello,

I have certain fields in a database including username and password.

The username and password are in the first two fields of the database.

Now, on the login page, I want to check the username and password
provided by the user with the values in the database.

I have  the following code:

while($row = mysql_fetch_row($ergebnis)){

      if(($benutzername == $row[0]) && ($pass == $row[1])){
         echo '<p>Sie haben sich erfolgreich angemeldet.</p>';
         echo '<a href="willkommen.html">Willkommen</a>';
       }
       else if($benutzername != $row[0]){
         echo '<p>Fehler bei Anmeldung. Sie haben einen falschen
Benutzernamen eingegeben.</p>';
         die("Fehler bei Anmeldung");
       }
       else if($pass != $row[1]){
         echo '<p>Fehler bei Anmeldung. Sie haben ein falsches
Passwort eingegeben.</p>';
         die("Fehler bei Anmeldung");
       }
       else if(($benutzername != $row[0]) && ($pass != $row[1])){
         echo '<p>Fehler bei Anmeldung.</p>';
         die("Fehler bei Anmeldung");

       }

       else{
        echo '<p>Sie müssen sich mit Benutzernamen und Passwort anmelden.</p>';
       }
      }

The thing is that I use a loop to go through all rows in the database
and then compare the values provided in the HTML form with the ones
in the database.

Since the user may provide wrong data I have these four scenarios.

The problem now is that it doesn't get into the first case - that is
username and password match.

I only get into cases two and three.

thank you.

Alexander

--- End Message ---
--- Begin Message ---
Alexander,

I'm sorry if this sounds like I'm picking on you, but there are a couple of
things you might consider.  If someone can somehow get hold of your table
they've got all the passwords for all your users.

A second item is your use of positional references when linking to
columns in the table.  If other developers are likely to come along behind
you, they just might be tempted to reorganize the columns in this table for
some reason or another, possibly even a valid reason, and it potentially
breaks your code.  The order of data in the row array is determined by the
order of the column names in your select statement, but if you have not
specified the column names in your select (as in select * ) the order is
usually determined by the order that they are defined in the table.  I even
understand this is handled differently by different DB's, especially when
columns are added to a definition via the alter statement, in that some will
return the columns with all the new ones at the end, while others will
use the positioning options in the alter statements to determine where the
columns go.

I tend to use mysql_fetch_assoc, just to make sure that the columns don't
get rearranged on me, by other well intentioned developers.

To the first point, what I usually do is store the encrypted password in the
DB, then when the user logs on, I encrypt their input, then pass the
encrypted version in my query;

$query = "Select 1 from user_table where username = \"".$formuser."\" and
password = \"".MD5($formpswd)."\" ";

This means that even you don't know the password unless you go to a lot of
trouble, or you typed it in for the user during setup.

I use MD5 encryption in most cases for several reasons;
1. there is no easy way to decrypt the value.
2. even though I haven't used it, I believe it may be available as a
javascript or html function, so that if you setup your logon form as http:
reference, that piece of data always travels across the internet encrypted,
never unencrypted.

Good luck, 

Warren Vail
Vail Systems Technology

-----Original Message-----
From: Alexander Schunk [mailto:asch...@gmail.com] 
Sent: Friday, April 23, 2010 8:39 AM
To: php-wind...@lists.php.net
Subject: [PHP-WIN] proofing login success using sessions

Hello,

I have certain fields in a database including username and password.

The username and password are in the first two fields of the database.

Now, on the login page, I want to check the username and password
provided by the user with the values in the database.

I have  the following code:

while($row = mysql_fetch_row($ergebnis)){

      if(($benutzername == $row[0]) && ($pass == $row[1])){
         echo '<p>Sie haben sich erfolgreich angemeldet.</p>';
         echo '<a href="willkommen.html">Willkommen</a>';
       }
       else if($benutzername != $row[0]){
         echo '<p>Fehler bei Anmeldung. Sie haben einen falschen
Benutzernamen eingegeben.</p>';
         die("Fehler bei Anmeldung");
       }
       else if($pass != $row[1]){
         echo '<p>Fehler bei Anmeldung. Sie haben ein falsches
Passwort eingegeben.</p>';
         die("Fehler bei Anmeldung");
       }
       else if(($benutzername != $row[0]) && ($pass != $row[1])){
         echo '<p>Fehler bei Anmeldung.</p>';
         die("Fehler bei Anmeldung");

       }

       else{
        echo '<p>Sie müssen sich mit Benutzernamen und Passwort
anmelden.</p>';
       }
      }

The thing is that I use a loop to go through all rows in the database
and then compare the values provided in the HTML form with the ones
in the database.

Since the user may provide wrong data I have these four scenarios.

The problem now is that it doesn't get into the first case - that is
username and password match.

I only get into cases two and three.

thank you.

Alexander



--- End Message ---
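
An added example, not part of Warren's message or of the original code: the login check as one lookup by username with columns read by name, using PHP's password_hash()/password_verify() in place of the MD5 comparison shown above, and a session flag set on success. The SQLite database, the sample users and the names checkLogin and DUMMY_HASH are assumptions.

```php
<?php
// Added example. Column names are from the post; the in-memory SQLite
// database and the two sample users are constructed for illustration.
session_start();                       // before any output is sent
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE werte (benutzername TEXT PRIMARY KEY, passwort TEXT)');
$add = $pdo->prepare('INSERT INTO werte (benutzername, passwort) VALUES (?, ?)');
$add->execute(['anna', password_hash('geheim', PASSWORD_DEFAULT)]);
$add->execute(['bernd', password_hash('sicher', PASSWORD_DEFAULT)]);

// Hash that matches no account, used when the username is unknown.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

function checkLogin(PDO $pdo, $benutzername, $pass)
{
    // Ask the database for the one matching row instead of looping over all
    // rows: a loop that calls die() on a mismatch never gets past row one.
    $stmt = $pdo->prepare(
        'SELECT benutzername, passwort FROM werte WHERE benutzername = ?');
    $stmt->execute([$benutzername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // columns by name, not position

    if ($row === false) {
        // Unknown user: still verify against a dummy hash so both failure
        // paths do the same amount of work, then fail.
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $row['passwort']);
}

// Constructed attempts: correct login for the second row, wrong password,
// unknown user. The same message is used for both kinds of failure.
$lines = [];
foreach ([['bernd', 'sicher'], ['bernd', 'falsch'], ['niemand', 'x']] as $try) {
    list($user, $pass) = $try;
    $ok = checkLogin($pdo, $user, $pass);
    if ($ok) {
        session_regenerate_id(true);         // fresh session id after login
        $_SESSION['benutzername'] = $user;   // protected pages check this key
    }
    $lines[] = $user . ': ' . ($ok ? 'angemeldet' : 'Fehler bei Anmeldung');
}
echo implode("\n", $lines), "\n";
```
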
