
Explain the security issues in my PHP login script please!

TiNd3r (VIP, Retired)
Code:
<?php
$rowsfound = false;
if (isset($_GET['frmStudentId']))
{
    // functions to make performQuery() work correctly
    require_once("dbfunctions.inc.php");
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '" . $_GET['frmStudentId'] . "'" .
             " AND dbPassword = '" . $_GET['frmPassword'] . "'";
    $result = performQuery($query);
    if (count($result) > 0)
    {
        $rowsfound = true; // allow login
    }
}
// code continues by generating appropriate response ...

Critically analyse and explain the security issues of deploying this code. To support your analysis, construct new code fragments to secure this login code and explain how they work.

It's part of my homework; being a noob, I don't really know. If anyone could help, it would be great!

Thanks!
 
godzcheater (Enthusiast)
Well, first off, you're not hashing the password.
Then, I assume performQuery is using mysql_query; use PDO instead.
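The two points raised in this thread so far (the string-built query in the original post, and the missing hashing plus the mysql_* vs PDO choice in the reply above) are shown side by side below. This is an added example, not code from the thread or from the original script: the `performQuery()` stand-in, the `vulnerableLogin()`/`secureLogin()`/`seed()` names, and the student rows are all constructed here, and an in-memory SQLite database stands in for the MySQL server so the file runs offline. Table and column names follow the original post.

```php
<?php
// Added example (not from the thread): the posted query next to a hardened
// replacement, run against a throwaway in-memory SQLite database.
// Assumptions: table/column names from the original post; everything else
// (helper names, rows, passwords) is made up for this demonstration.
declare(strict_types=1);

// The original post's performQuery()/dbfunctions.inc.php are not shown, so
// this stand-in runs the SQL text as-is and returns every row, which is all
// the original code relies on.
function performQuery(PDO $pdo, string $sql): array
{
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The login exactly as posted: the user's input is spliced into the SQL
//    text, so it is parsed as SQL, not compared as data.
function vulnerableLogin(PDO $pdo, string $studentId, string $password): bool
{
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '" . $studentId . "'" .
             " AND dbPassword = '" . $password . "'";
    $result = performQuery($pdo, $query);
    return count($result) > 0;   // any row at all counts as a login
}

// 2. Hardened version: a prepared statement keeps the input out of the SQL
//    grammar, and the password is checked in PHP against a stored hash with
//    password_verify() instead of being compared by the database in cleartext.
function secureLogin(PDO $pdo, string $studentId, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT dbStudentId, dbStudentName, dbPassword FROM student WHERE dbStudentId = :id'
    );
    $stmt->execute([':id' => $studentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['dbPassword'])) {
        return null;   // same answer for an unknown id and a wrong password
    }
    unset($row['dbPassword']);   // never hand the hash back to the caller
    return $row;
}

// Constructed test data: two students. $hashed selects whether dbPassword
// holds the cleartext (as the original schema implies) or a password_hash().
function seed(bool $hashed): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE student (dbStudentId TEXT PRIMARY KEY, dbStudentName TEXT, dbPassword TEXT)');
    $ins = $pdo->prepare('INSERT INTO student VALUES (?, ?, ?)');
    foreach ([['s1001', 'Alice', 's3cret'], ['s1002', 'Bob', 'hunter2']] as [$id, $name, $pw]) {
        $ins->execute([$id, $name, $hashed ? password_hash($pw, PASSWORD_DEFAULT) : $pw]);
    }
    return $pdo;
}

$plain  = seed(false);
$hashed = seed(true);

// Payload for the password field: closes the quoted string and appends a
// condition that is always true, so the AND on dbPassword no longer matters.
$bypass = "' OR '1'='1";

var_dump(vulnerableLogin($plain, 's1001', 's3cret'));   // legitimate login
var_dump(vulnerableLogin($plain, 's1001', $bypass));    // no password known

var_dump(secureLogin($hashed, 's1001', 's3cret') !== null);            // legitimate login
var_dump(secureLogin($hashed, 's1001', $bypass) !== null);             // same payload, bound as data
var_dump(secureLogin($hashed, "s1001' OR '1'='1", 's3cret') !== null); // payload in the id field
```

Run it with `php login_demo.php` (needs the `pdo_sqlite` driver, which is bundled with most PHP builds). The first two `vulnerableLogin()` calls both succeed: with the bypass payload the WHERE clause becomes `dbStudentId = 's1001' AND dbPassword = '' OR '1'='1'`, which matches every row, so `count($result) > 0` passes without any password and the "logged in" student is simply whichever row came first. Against `secureLogin()` only the real password succeeds; the payloads are bound as parameter values and match no row. Two caveats the code does not cover: credentials should arrive by POST over HTTPS rather than in `$_GET` (a URL ends up in browser history and server logs), and with the `pdo_mysql` driver set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done by the server rather than by client-side escaping.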
 
KyleBoyer (Enthusiast)
MySQL injection... look it up. You need to sanitize your inputs; try this for every input:
PHP:
// Escape a value (or every value in an array) for use inside a quoted
// string in a mysql_* query. mysql_real_escape_string() needs an open
// mysql_* connection, so call this after connecting.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            // undo magic quotes so the value is not escaped twice
            $input = stripslashes($input);
        }
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
Just call sanitize() on every variable you receive to make sure someone can't do something such as this for the password:
Code:
';DROP TABLE student

That above could make it get the values but then drop the table if you do not sanitize your inputs, so instead of what you have, try something like this:
PHP:
<?php

// Escape a value (or every value in an array) for use inside a quoted
// string in a mysql_* query. mysql_real_escape_string() needs an open
// mysql_* connection, so call this after connecting.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            // undo magic quotes so the value is not escaped twice
            $input = stripslashes($input);
        }
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

$rowsfound = false;
if (isset($_GET['frmStudentId'])) {
    // functions to make performQuery() work correctly
    require_once("dbfunctions.inc.php");
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '" . sanitize($_GET['frmStudentId']) . "'" .
             " AND dbPassword = '" . sanitize($_GET['frmPassword']) . "';";
    $result = performQuery($query);
    if (count($result) > 0) {
        $rowsfound = true; // allow login
    }
}
// code continues by generating appropriate response ...
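The `sanitize()` approach above escapes quote characters, and in the quoted-string context it is used in that is what stops the payload. As an added example (not code from the thread), the block below shows the boundary a practitioner should know about: escaping only protects a value that sits inside quotes, while a bound parameter is safe regardless of context. `mysql_real_escape_string()` and `get_magic_quotes_gpc()` no longer exist in current PHP (the `mysql` extension was removed in PHP 7.0 and `get_magic_quotes_gpc()` in 8.0), so `escapeForSql()` is a stand-in that uses SQLite's quote doubling; the table, rows, payloads and function names are all constructed for this example, and an in-memory SQLite database replaces the MySQL server so it runs offline.

```php
<?php
// Added example (not from the thread): where escaping holds and where it does
// not. escapeForSql() is a stand-in for the now-removed mysql_real_escape_string();
// it doubles single quotes, which is what SQLite expects inside a string literal.
// Table layout, rows and function names are constructed for this demonstration.
declare(strict_types=1);

function escapeForSql(string $value): string
{
    return str_replace("'", "''", $value);
}

// Constructed test data: numeric student ids, cleartext passwords as in the
// original schema (hashing is a separate fix and is left out here on purpose).
function seed(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE student (dbStudentId INTEGER PRIMARY KEY, dbStudentName TEXT, dbPassword TEXT)');
    $pdo->exec("INSERT INTO student VALUES (1001, 'Alice', 's3cret'), (1002, 'Bob', 'hunter2')");
    return $pdo;
}

// Quoted context: the escaped value stays inside the string literal, so a
// quote-based payload is compared as data and matches nothing.
function countQuoted(PDO $pdo, string $id, string $password): int
{
    $sql = "SELECT COUNT(*) FROM student WHERE dbStudentId = '" . escapeForSql($id) . "'"
         . " AND dbPassword = '" . escapeForSql($password) . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Unquoted numeric context (a common "optimisation" for integer ids): there is
// no quote to escape, so the same "sanitised" value is still parsed as SQL.
function countUnquoted(PDO $pdo, string $id, string $password): int
{
    $sql = "SELECT COUNT(*) FROM student WHERE dbStudentId = " . escapeForSql($id)
         . " AND dbPassword = '" . escapeForSql($password) . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared statement: the value is bound separately from the SQL text, so the
// context it lands in does not matter and no escaping is needed.
function countPrepared(PDO $pdo, string $id, string $password): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM student WHERE dbStudentId = ? AND dbPassword = ?');
    $stmt->execute([$id, $password]);
    return (int) $stmt->fetchColumn();
}

$pdo = seed();
$quotePayload   = "' OR '1'='1";   // needs a quote to break out of the literal
$numericPayload = "1001 OR 1=1";   // contains no quote at all

var_dump(countQuoted($pdo, $quotePayload, 'wrong'));      // escaping neutralises it
var_dump(countUnquoted($pdo, '1001', 'wrong'));           // baseline: wrong password
var_dump(countUnquoted($pdo, $numericPayload, 'wrong'));  // escaping changes nothing
var_dump(countPrepared($pdo, $numericPayload, 'wrong'));  // bound as a value
```

`countQuoted()` returns 0 for the quote payload, because it becomes the literal string `''' OR ''1''=''1'` and matches no id. `countUnquoted()` returns 0 for the honest wrong-password call but 1 for `1001 OR 1=1`: the WHERE clause reads `dbStudentId = 1001 OR 1=1 AND dbPassword = 'wrong'`, and since AND binds tighter than OR the row for id 1001 is returned with no password at all. `countPrepared()` returns 0 for the same payload, since `1001 OR 1=1` is bound as one value and matches no id. The practical rule this illustrates: escaping is tied to one specific context and one specific database's quoting rules, whereas a prepared statement removes the question, which is why the PDO suggestion earlier in the thread is the better default.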
 