
This was marked as a duplicate, but I don't think that is a fair judgement. Again the question is being passed off with an easy answer... but it isn't the correct answer. If the "duplicate" answer is used from the actual post form, it does not work. It is rejected just like all the other attempts. I have actually used that answer multiple times, it appears on nearly every SQL injection cheat sheet. Please un-mark this as a duplicate.

This question is purely for understanding and not for use in accessing another site. I have read multiple times that MySQL escaping is not sufficient to protect yourself from SQL injections. So because of this I have set up multiple test pages to try SQL injection. I have succeeded in some, but never on one that uses the mysql_real_escape_string() function.

I have researched and tried many examples from cheat sheets but cannot crack this, so I feel like it is plenty secure, or secure enough. Can someone give me an example? Maybe a reason as to why this login is insecure and an example input that would bypass the login and/or alter the table?

I plan to also use MySQLi. In this example I am using MySQL to also ask where this could cause an SQL injection problem compared to MySQLi (another statement made but I have never seen proven).

This is someone's chance to prove the insecurity rather than simply stating that it is insecure.

<?php
// Login check as posted in the question (mysql_* API, deprecated and later removed in PHP 7)
if (isset($_POST['aun'])) {
  // Username is escaped and then placed inside single quotes in the query string
  $username = mysql_real_escape_string($_POST['aun']);
  $checkadminlogin = mysql_query("SELECT * FROM admin WHERE un='$username'");
  $uncreds = mysql_fetch_assoc($checkadminlogin);
  // Password is escaped as well, although only its hash is ever compared
  $pass = mysql_real_escape_string($_POST['apwd']);
  //Line to get key for encrypting input password, used below as $keyinfo['op_value'];
  $salt = $keyinfo['op_value'];
  $fpass = sha1($pass . $salt);
  // Loose (==) comparison of the computed hash against the stored one
  if ($fpass == $uncreds['pwd']) {
    echo 'Congrats, you logged in. Or hacked your way in. Whatever';
  }
}

Also on a side note, couldn't you just replace all special characters to prevent any injections?

  • If you can, you should stop using mysql_* functions. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and consider using PDO, it's really not hard. Commented Jun 23, 2015 at 19:05
  • @JayBlanchard I have looked into this and learned it. It definitely is the better approach, but not really getting at my overall goal for my question. I'm looking more at finding understanding for this topic that is completely vague everywhere that I look for it. Also thanks for the article link. I didn't know that it was being removed in PHP 7 :( Commented Jun 23, 2015 at 19:09
  • I'm pretty sure @JayBlanchard didn't actually read your question, so I wouldn't worry about it. It's still useful information for people in the future who may not know though. Commented Jun 23, 2015 at 19:11
  • See: stackoverflow.com/questions/5741187/… Commented Jun 23, 2015 at 19:12
  • @SpencerMay Correct. If you weren't using quotes and someone entered 1 OR 1=1 then you would end up running SELECT * FROM admin WHERE un=1 OR 1=1 which is bad. But since you are using quotes you end up with SELECT * FROM admin WHERE un='1 or 1=1' which is safe. Since you are using quotes someone would need to use quotes in their input to do an injection but that's where escaping makes the string safe. Commented Jun 23, 2015 at 19:34
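The login check from the question rewritten with PDO prepared statements, as the first comment recommends, next to the quoted-versus-unquoted comparison from the last comment. This is an added example, not code from the question or from any project it mentions: it uses an in-memory SQLite database so it runs offline, and the id column, the user "alice", the salt value, the function names adminLogin / countMatchesUnquoted / countMatchesQuoted, and addslashes() as a stand-in for mysql_real_escape_string are all constructed assumptions.

```php
<?php
// Added example (not from the question). Table/column names admin, un, pwd
// follow the question; the id column, salt and user are constructed for the demo.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec("CREATE TABLE admin (id INTEGER PRIMARY KEY, un TEXT, pwd TEXT)");

$salt = 'constructed-salt';   // stands in for $keyinfo['op_value'] in the question
$ins = $db->prepare("INSERT INTO admin (un, pwd) VALUES (?, ?)");
$ins->execute(['alice', sha1('correct horse' . $salt)]);

// Hardened login: the username is a bound parameter, so the database never
// parses it as SQL, whatever quotes it contains and whatever the column type.
function adminLogin(PDO $db, string $user, string $pass, string $salt): bool
{
    $stmt = $db->prepare("SELECT pwd FROM admin WHERE un = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison instead of the loose == used in the question
    return hash_equals($row['pwd'], sha1($pass . $salt));
}

// The unquoted case from the comments: escaping only protects text inside a
// quoted literal. In an unquoted numeric comparison, "999 OR 1=1" contains no
// character the escaper touches, so the OR becomes part of the WHERE clause.
// addslashes() escapes the same quote characters as mysql_real_escape_string
// (minus its charset handling); it is used here only to keep the demo offline.
function countMatchesUnquoted(PDO $db, string $id): int
{
    $escaped = addslashes($id);
    return (int) $db->query("SELECT COUNT(*) FROM admin WHERE id = $escaped")->fetchColumn();
}

// Same escaped value inside quotes stays one string literal; the escaper only
// has to stop the quotes from being closed early, which is what it is built for.
function countMatchesQuoted(PDO $db, string $id): int
{
    $escaped = addslashes($id);
    return (int) $db->query("SELECT COUNT(*) FROM admin WHERE id = '$escaped'")->fetchColumn();
}

var_dump(adminLogin($db, 'alice', 'correct horse', $salt));   // genuine credentials
var_dump(adminLogin($db, "' OR '1'='1", 'anything', $salt));  // looked up literally, no such user
var_dump(countMatchesUnquoted($db, '999 OR 1=1'));            // the OR runs as SQL: every row matches
var_dump(countMatchesQuoted($db, '999 OR 1=1'));              // compared as one string: nothing matches
```

Run with `php example.php` (needs the pdo_sqlite extension); the two count functions differ only in the quotes around the placeholder, which is exactly the distinction the last comment draws.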
