A few months ago a friend asked me to take a look at their website because they had been receiving an immense amount of spam. Worse yet, they were also receiving threats from other people telling them to stop sending spam. I immediately knew they were being targeted by code injection, but as I dug around I found more danger than I was expecting.
It seems that their grandchild (no doubt a future Mark Zuckerberg) had created the shopping cart for them. The shopping cart application had little to no security. In seconds I was able to dump all of their customers' credit card information onto the screen before their frightened eyes.
In this video tutorial I'll show you all of the mistakes that were made, along with some other tips that will help you defend your site from SQL Injection.
NOTE: If you think websites are almost never susceptible to SQL Injection, I personally have seen flaws in 1/4th of the sites I have looked at! Industry analysts believe the percentage is closer to 1/3rd!
As always, the code used in the tutorial follows the video. You can use it however you like, but I'm not guaranteeing it is 100% secure, just that it is more secure than most code you will find. Leave questions or comments below.
Code From The Video
Goodlogin.php
<?php require_once("./includes/configbad.php"); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Good Login</title>
</head>
<body>
<div id="main">
<?php
if (isset($_POST['submitted'])) {
    // Validate the user ID: one letter or digit followed by 8 to 20 non-whitespace characters.
    if (preg_match('%^[A-Za-z0-9]\S{8,20}$%', stripslashes(trim($_POST['userid'])))) {
        $u = escape_data($_POST['userid']); // escape_data() is defined in configbad.php
    } else {
        $u = FALSE;
        echo '<p><font color="red" size="+1">Please enter a valid User ID!</font></p>';
    }
    // Same validation for the password.
    if (preg_match('%^[A-Za-z0-9]\S{8,20}$%', stripslashes(trim($_POST['pass'])))) {
        $p = escape_data($_POST['pass']);
    } else {
        $p = FALSE;
        echo '<p><font color="red" size="+1">Please enter a valid Password!</font></p>';
    }
    // Check the reCAPTCHA answer before the database is touched.
    $captchchk = 1;
    require_once('recaptchalib.php');
    $privatekey = "privatekey";
    $resp = recaptcha_check_answer($privatekey,
        $_SERVER["REMOTE_ADDR"],
        $_POST["recaptcha_challenge_field"],
        $_POST["recaptcha_response_field"]);
    if (!$resp->is_valid) {
        echo '<p><font color="red" size="+1">The CAPTCHA Code wasn\'t entered correctly!</font></p>';
        $captchchk = 0;
    }
    if ($u && $p && $captchchk) {
        $query = "SELECT user_id, first_name, last_name, email, userid, pass FROM users WHERE userid='$u' AND pass=SHA('$p')";
        $result = mysql_query($query) or trigger_error("Either the Userid or Password are incorrect");
        // A SELECT is counted with mysql_num_rows(), not mysql_affected_rows().
        if (mysql_num_rows($result) == 1) {
            // Register the values & redirect. I didn't write this part
            $row = mysql_fetch_array($result, MYSQL_NUM);
            echo "First name: " . $row[1] . "<br />";
            echo "Last name: " . $row[2] . "<br />";
            echo "Email: " . $row[3] . "<br />";
            echo "Login Id: " . $row[4] . "<br />";
            echo "Password: " . $row[5] . "<br />";
            while ($row = mysql_fetch_assoc($result)) {
                echo "First name: " . $row['first_name'] . "<br />";
                echo "Last name: " . $row['last_name'] . "<br />";
                echo "Email: " . $row['email'] . "<br />";
                echo "Login Id: " . $row['userid'] . "<br />";
                echo "Password: " . $row['pass'] . "<br />";
            }
            mysql_close();
        } else { // No match was made.
            echo '<br><br><p><font color="red" size="+1">Either the Userid or Password are incorrect</font></p>';
            mysql_close();
            exit();
        }
    } else { // Validation or the CAPTCHA failed, so the query was never run.
        echo '<br><br><p><font color="red" size="+1">Either the Userid or Password are incorrect</font></p>';
        mysql_close();
        exit();
    }
} // End of SUBMIT conditional.
?>
<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="goodlogin.php" method="post">
<fieldset>
<p><b>Userid:</b> <input type="text" name="userid" size="20" maxlength="20" /></p>
<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
<?php require_once('recaptchalib.php');
$publickey = "publickey"; // you got this from the signup page
echo recaptcha_get_html($publickey);
?>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>
</div>
</body>
</html>
Configbad.php
Despite the name, this code isn't bad. It will actually clean up most security issues.
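As an added example (my own code, not the tutorial's and not part of the video), here is the same login lookup written two ways: with the user ID interpolated into the SQL string, as goodlogin.php does, and with a PDO prepared statement, using password_hash()/password_verify() in PHP instead of SHA() inside the query. It runs against an in-memory SQLite table with constructed sample data so it can be executed offline; the user "adalovelace", the password and the input "o'brien" are all made up for the example.

```php
<?php
// Added example, not the tutorial's code: concatenated SQL versus a PDO
// prepared statement for the login lookup, run against in-memory SQLite.
declare(strict_types=1);

// Constructed sample data: one user whose password is stored as a password_hash() value.
function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT, userid TEXT UNIQUE, pass TEXT)');
    $stmt = $db->prepare('INSERT INTO users (first_name, last_name, email, userid, pass) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute(['Ada', 'Lovelace', 'ada@example.test', 'adalovelace',
                    password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from goodlogin.php: user input pasted into the SQL text.
// A quote in $userid changes the structure of the query instead of being treated as data,
// so correctness depends entirely on escaping being applied correctly everywhere.
function lookupConcatenated(PDO $db, string $userid): ?array
{
    $sql = "SELECT user_id, first_name, userid, pass FROM users WHERE userid='$userid'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prepared statement: the SQL text is fixed and the value is sent separately,
// so no input can alter what the query does.
function lookupPrepared(PDO $db, string $userid): ?array
{
    $stmt = $db->prepare('SELECT user_id, first_name, userid, pass FROM users WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check: fetch the row by user ID only, then verify the password hash in PHP.
// The password never becomes part of any SQL text.
function login(PDO $db, string $userid, string $password): bool
{
    $row = lookupPrepared($db, $userid);
    if ($row === null) {
        return false;
    }
    return password_verify($password, $row['pass']);
}

$db = buildDatabase();
$weird = "o'brien"; // constructed input containing a quote character

try {
    lookupConcatenated($db, $weird);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The apostrophe terminated the string literal early: the query no longer means what the code meant.
    echo "concatenated query broke: " . $e->getMessage() . "\n";
}

var_dump(lookupPrepared($db, $weird) === null);                // bool(true): plain data, no such user
var_dump(login($db, 'adalovelace', 'correct horse battery'));  // bool(true)
var_dump(login($db, 'adalovelace', 'wrong password'));         // bool(false)
```

The prepared statement needs no escape_data() at all, which is the point: there is no escaping step to forget or get wrong. Moving the hash comparison out of the query also means the stored hash is salted and slow to brute-force, which a bare SHA() column is not.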
Please, what is the code of the function "escape_data()"?
I updated the page and included the escape_data function. If you have any questions just ask.
In your note, you say the 'percentage' is closer to 1/3.... you mean the 'fraction' is closer to 1/3. Other than that, love all your tutorials!
In second paragraph, you say 'little to know security.' It should be "little to NO security."
Sorry that typo slipped in. I crank out videos / code very fast and sometimes I have typos here and there. I tend to focus on the code working more than anything else.
Hello,
I am a total newb, all my knowledge of PHP comes from your tutorials.
I used these files for my website but Dreamweaver reports errors on the functions require_once and trigger_error.
As if they were never defined.
Thanks for the info
Thank you 🙂 Pass along the full error and the lines they pertain to and I’ll see what I can do to help