Michael A. Peters wrote:
> Daniel Brown wrote:
>> First, a reminder to several (including some in this thread) that
>> top-posting is against the law here.
>>
>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@xxxxxxxxx>
>> wrote:
>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>>> .'\'))';
>>
>> Second, another, more important reminder:
>>
>> <?php
>> $username = '" OR 1 OR "';
>> ?>
>>
>> Since the first rows in a database are usually the default
>> administrator logins, the first to match what is basically a 'match if
>> this is a row' statement will be logged in. The moral of the story:
>> don't forget to clean your input (which I'm sure ya'all were doing....
>> but with top-posters, you never know ;-P).
>>
>
> prepared statements really do a pretty good job at neutering sql
> injection. But one shouldn't be lazy with input validation anyway.
>
I have a couple of questions/comments re all this:
1. Doing the login and processing through https should add a bit more
security, it seems to me.
2. Cleaning is another bloody headache, for me anyway. I have found that
almost every time I try to do some cleaning with trim and
mysql_real_escape_string and stripslashes wipes out my usernames and
passwords. I havent' been able to use them when doing the crypt and
encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
lost on this.
Specifically, this wipes out my login and password... (I know, this is
old code, but it is supposed to work, no? )
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);
When I echoes the cleaned $login and $password, they looked like they
had just gone through an acid bath before being hit by katerina
(hurricane)... ;-) rather whitewashed and empty. There was nothing left
to work with.
--
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- pj@xxxxxxxxxxxxx
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
