Aug 31 2007, 03:18 AM
Post
#1
Member [Level 1] Group: Members Posts: 59 Joined: 28-August 07 Member No.: 48,983

CODE
```php
require('connection2.php');
$select=mysql_query("SELECT * from `users` WHERE password='$_GET[password]'");
$co=mysql_num_rows($select);
if ($co = 1)
{
    session_start();
    $s=session_id();
    $_SESSION['access']="yes";
    $username=$_GET['username'];
    header("location:../main/index2.php?a=$_GET[username]&s=$s");
    //echo "<a href='../main/index2.php' > Proceed to Game</a>";
    //echo $s;
}
```

Now that is a bit of my script for my login script to authenticate and stuff. Recently my game went down because there was some error in this. So I kept on trying and it didn't work. Now I found out, wait, first let me tell you that over here users get registered for sessions, and if they aren't registered or are changing URLs, they get redirected to an error page, that it always redirected to the error page, meaning sessions weren't being registered. So I changed the error page to my game's ingame page and it came there. With no luck, I was heading to bed when I mistakenly clicked a bookmarked link of the login file and saw that it said that I have to check the MySQL syntax near 'password='passwordentered" at line one.
Aug 31 2007, 10:17 AM
Post
#2
Newbie [Level 1] Group: Members Posts: 22 Joined: 1-April 07 From: Spain Member No.: 40,913

Have you tried to write the MySQL sentence like this:
QUOTE
```php
$select=mysql_query("SELECT * from users WHERE password='$_GET[password]'");
```
And how does the php file receive the password? Through a submission form? Because you can try '$_REQUEST[password]' instead of '$_GET[password]'.
Aug 31 2007, 11:49 AM
Post
#3
Member [Level 1] Group: Members Posts: 59 Joined: 28-August 07 Member No.: 48,983

QUOTE
Have you tried to write the MySQL sentence like this: and how does the php file receive the password? Through a submission form? Because you can try '$_REQUEST[password]' instead of '$_GET[password]'

I tried everything... it doesn't work... it just takes me to my error page which
Sep 5 2007, 04:40 PM
Post
#4
Define:EVIL PROGRAMMER (ē'vəl prō'grăm'ər)- n. An organism that converts caffeine into evil software. Group: [HOSTED] Posts: 975 Joined: 25-September 05 From: The dungeon deep below the foundation of trap17 Member No.: 12,251

Well, first of all, I'm pretty sure you're comparing in this if statement, not assigning:
CODE
```php
if ($co = 1)
```
so you would need 2 equal signs (==). I'm not sure what more I can do because I do not know any more about the contents of connection2.php, or what error you're getting, but that might fix it.

Also a note for after you get it fixed: You have a HUGE security hole in your code:
CODE
```php
$select=mysql_query("SELECT * from `users` WHERE password='$_GET[password]'");
```
If someone were to enter this password: ' or 1=1 limit 1;-- they could get into any account they wanted to. I would have the password check for single quotes and escape them out, otherwise your login is open for some major SQL injection!
Sep 5 2007, 05:51 PM
Post
#5
A computer once beat me at chess, but it was no match for me at kick boxing. Group: [MODERATOR] Posts: 3,882 Joined: 24-July 05 From: In Trouble Again... still? Member No.: 9,787

Another security issue is with sending passwords via the GET method. Better to use POST on the form and the receiving end. The password at least would not be visible if you use the POST method.
Check the page that submits the info to see if the GET or POST method is used on the submit form, too.
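
The fixes suggested in posts #4 and #5, as an added example that is not code from this thread: the concatenated query beside a prepared-statement version, run against the password string quoted in post #4. It goes beyond the thread in storing a password hash; in-memory SQLite via PDO stands in for MySQL, and the table layout, function names and sample account are assumptions.

```php
<?php
// Added example, not the thread's code. Assumptions: in-memory SQLite via PDO
// stands in for MySQL; table layout, function names and the account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['player1', 's3cret', password_hash('s3cret', PASSWORD_DEFAULT)]);

// Pattern from post #1 with the "==" fix applied: the input is still pasted
// into the SQL text, and only the password column is checked.
function login_concatenated(PDO $db, array $in): bool
{
    $sql = "SELECT * FROM users WHERE password='{$in['password']}'";
    return count($db->query($sql)->fetchAll()) == 1;
}

// Hardened form: the username is bound as a parameter, so it is never parsed
// as SQL, and the password is checked against a stored hash in PHP.
function login_prepared(PDO $db, array $in): bool
{
    if (!isset($in['username'], $in['password'])
        || !is_string($in['username']) || !is_string($in['password'])) {
        return false;
    }
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$in['username']]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($in['password'], $hash);
}

// $in plays the role of $_POST in a web handler (post #5: not $_GET, which
// would put the password in the URL).
$cases = [
    'correct password'    => ['username' => 'player1', 'password' => 's3cret'],
    'wrong password'      => ['username' => 'player1', 'password' => 'guess'],
    'string from post #4' => ['username' => 'player1', 'password' => "' or 1=1 limit 1;--"],
];
foreach ($cases as $label => $in) {
    printf("%-20s concatenated=%-5s prepared=%s\n", $label,
        var_export(login_concatenated($db, $in), true),
        var_export(login_prepared($db, $in), true));
}
```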
Sep 5 2007, 07:42 PM
Post
#6
Define:EVIL PROGRAMMER (ē'vəl prō'grăm'ər)- n. An organism that converts caffeine into evil software. Group: [HOSTED] Posts: 975 Joined: 25-September 05 From: The dungeon deep below the foundation of trap17 Member No.: 12,251

Oh my god, yes. I can't believe I didn't even see that. Sending the data through GET would be a terrible idea if you were to log in and somebody was watching the URL behind you. If your form is set to POST the data then that's where your problem is...
Sep 6 2007, 02:54 PM
Post
#7
Member [Level 1] Group: Members Posts: 59 Joined: 28-August 07 Member No.: 48,983

QUOTE
Oh my god, yes. I can't believe I didn't even see that. Sending the data through GET would be a terrible idea if you were to log in and somebody was watching the URL behind you. If your form is set to POST the data then that's where your problem is...

Even since it's a header page, I'll go with POST. And I know that is a huge security hole, I did that deliberately so that people could just log in, as I didn't want to keep the game down too long. I'll try out == and also username=..... && password=.... I'll be sure to post results here. ~Aldo (P.S.: don't delete/lock this thread)
Sep 7 2007, 10:56 AM
Post
#8
Member [Level 1] Group: Members Posts: 59 Joined: 28-August 07 Member No.: 48,983

Great, it works!
Thanks a lot!
Sep 7 2007, 04:08 PM
Post
#9
Define:EVIL PROGRAMMER (ē'vəl prō'grăm'ər)- n. An organism that converts caffeine into evil software. Group: [HOSTED] Posts: 975 Joined: 25-September 05 From: The dungeon deep below the foundation of trap17 Member No.: 12,251

I hope you escaped out those single quotes out of your passwords!
Perhaps after you post your website I'll try to see if it's still vulnerable by hax0ring it! Oh, and of course report to you what exploits I find... (or maybe not!) Haha.. Just kidding...