
Forcing Code To Work !

31 replies to this topic

#21 ApochPiQ   Moderators   -  Reputation: 14283


Posted 09 December 2013 - 10:46 PM

Progress!

Now you need to go learn about SQL injection attacks.


#22 Shippou   Members   -  Reputation: 1322


Posted 09 December 2013 - 11:00 PM

If I disallow spaces, that shouldn't be an issue, correct?

 

Edit: all special characters are stripped in this version of the code.


Edited by Shippou, 09 December 2013 - 11:03 PM.

 Reactions To Technologies:
1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
2. Anything that's invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
3. Anything invented after you're thirty-five is against the natural order of things.

- Douglas Adams 2002


 


#23 LJ_1102   Members   -  Reputation: 840


Posted 10 December 2013 - 08:08 AM

Just use mysqli_real_escape_string or prepared statements; "trim"ing values is not enough.

 

As already mentioned, cookies are not safe either; in the following parts of your code you have no checks at all.

// sql injection
$result = mysqli_query($sql,"SELECT ID FROM ".$table." WHERE ID='".$_COOKIE["ID"]."'");

// sql injection
$temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT Game_Name FROM ".$table." WHERE ID='".$_COOKIE["ID"]."'") );


Jan F. Scheurer - CEO @ Xe-Development

Sign Up for Xe-EngineBeta
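The two cookie lookups quoted above, rewritten with mysqli prepared statements as an added example (not code from this thread). It assumes, as the posted page does, that sql.php defines a mysqli connection in $sql and the table name in $table; the table allow-list is a constructed value, needed because identifiers cannot be bound as parameters.

```php
<?php
// Added example (not code from the thread): the two cookie lookups from the
// posted login page done with one prepared statement instead of string
// concatenation. Assumes sql.php defines $sql (mysqli) and $table (string).
include "sql.php";

// Table and column names cannot be bound as parameters, so $table is checked
// against a fixed allow-list before it is spliced into the query text.
function safe_table(string $table): string {
    $allowed = ['Accounts'];   // constructed value; replace with the real name
    if (!in_array($table, $allowed, true)) {
        throw new RuntimeException("unexpected table name");
    }
    return $table;
}

// Looks up the Game_Name for a session ID. The ID travels as a bound string
// parameter, so whatever the cookie contains cannot change the query's shape.
// get_result() needs the mysqlnd driver; use bind_result() otherwise.
function game_name_for_id(mysqli $sql, string $table, string $id): ?string {
    $t = safe_table($table);
    $stmt = $sql->prepare("SELECT Game_Name FROM `$t` WHERE ID = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $sql->error);
    }
    $stmt->bind_param("s", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? $row["Game_Name"] : null;
}

if (isset($_COOKIE["ID"])) {
    $name = game_name_for_id($sql, $table, $_COOKIE["ID"]);
    if ($name !== null) {
        // Escape the stored value before echoing it into the page.
        echo "Welcome " . htmlspecialchars($name, ENT_QUOTES, "UTF-8") . " !<br>";
    } else {
        // Unknown ID: expire the cookie in the browser; unset($_COOKIE[...])
        // in the original only touched the server-side copy.
        setcookie("ID", "", time() - 3600);
    }
}
```

One SELECT replaces the original pair of queries, and the same prepare/bind pattern applies to the INSERT and the sign-in lookup further down the page.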

 


#24 Shippou   Members   -  Reputation: 1322


Posted 16 December 2013 - 12:58 PM

This version strips all special characters from all input ...

<html>
<head>
	<title>Login Page</title>
	<style type="text/css">
	body {
        text-align:center;
	     }
	</style>
</head>
<body>
<?php
include "sql.php";
$me =  $_SERVER['PHP_SELF'];

// True when the named POST field was submitted.
function check($v){
return isset($_POST[$v]);
}

// Replaces every character outside A-Z, a-z, 0-9 and _ with a space.
function strip ($str){
return preg_replace('/[^A-Za-z0-9_]/', " ", trim($str) );
}

// True when a row with $col = $val exists. The value is concatenated into
// the query text, not bound as a parameter.
function test($col,$val){
global $sql, $table; 
$tst = mysqli_query($sql,"SELECT ".$col." FROM ".$table." WHERE ".$col."='".$val."'");
if (mysqli_fetch_array($tst) ){
 return true;
}
else{
return false;
}}

// True when strip() leaves the value unchanged, i.e. it contained no
// disallowed characters.
 function verify ($imp){
	 $imp1 = strip($imp);
	 if ($imp == $imp1){
	 return true;
	 }
	 else{
	 return false;
	 }}
	 
// Emits a one-button form posting back to this page.
function button ($txt,$set){
global $me;
 echo '<form action="' . $me . '" method="POST">
  <input type="submit" name="'.$txt.'" value="'.$set.'">
  </form>';
}
// End Of Declarations 	
	if (isset($_COOKIE["ID"])){
	$result = mysqli_query($sql,"SELECT ID FROM ".$table." WHERE ID='".strip($_COOKIE["ID"])."'");
	if (mysqli_fetch_array($result)){
		$temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT Game_Name FROM ".$table." WHERE ID='".strip($_COOKIE["ID"])."'") );
		echo "Welcome " . $temp["Game_Name"] . " !<br>";
	}
	else{
	unset($_COOKIE["ID"]);
	}}
	
	if (!check("Sign_Up")  and !check("Sign_In") and !check("Su_User_Name") and !check("Si_User_Name")){
	echo "<b>Welcome! Please sign in or sign up !<br></b>";
	button("Sign_In","Sign In");
	button("Sign_Up","Sign Up");
	}
	
	if (check("Sign_In") ) {
echo '<b>Please sign in here.</b><br><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Si_User_Name">&nbsp;
  Password: <input type="text" name="Si_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
	}
	
	if (check("Sign_Up") ) {
	echo '<b>Please do not use special characters.<br>Letters, numbers and _ allowed.<br>Length must be longer than 4 characters.<br></b><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Su_User_Name">&nbsp;
  Game Name: <input type="text" name="Su_Game_Name"> &nbsp;
  Password: <input type="text" name="Su_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
	}
	
	if (check("Su_User_Name") and check("Su_Game_Name") and check("Su_Password") ){
     if (!verify($_POST["Su_User_Name"]) or !verify($_POST["Su_Game_Name"]) or !verify($_POST["Su_Password"]) or strlen($_POST["Su_User_Name"]) < 5 or strlen($_POST["Su_Game_Name"]) < 5 or strlen($_POST["Su_Password"]) < 5 ) {
	  echo "<h3><b>Letters, numbers and _ only. Length must be greater than 4 characters.</b></h3><br>";
	  button("x","<-- Back");
	 }
	 else{
      if (test("Login_Name",$_POST["Su_User_Name"]) ){
	  echo "<b>User name taken.<br></b>";
	  button("x","<-- Back");
	  }
	  elseif(test("Game_Name",$_POST["Su_Game_Name"]) ){
	   echo "<b>Game name taken.<br></b>";
	   button("x","<-- Back");
	  }
	  else{
	  // 21 random characters used as the account/session ID.
	  // rand() is not a cryptographically secure source.
	  $x = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
      $x2 = '';
		for ($i = 0; $i < 21; $i++) {
			$x2 .= $x[rand(0, strlen($x) - 1)];
	  }
	  mysqli_query($sql,"INSERT INTO ".$table." (Game_Name,Login_Name,Blarg,ID)VALUES('".$_POST["Su_Game_Name"]."','".$_POST["Su_User_Name"]."','" .$_POST["Su_Password"]."','".$x2."')");
	  echo "<b>Account created !<br></b>";
	  $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE ID='".$x2."'") );
      setcookie("ID",$temp["ID"], time()+3600);
	  button("x","<-- Back");
	  
	  }
	 }
	}
	
	if (check("Si_User_Name") and check("Si_Password") ) {
	$tmp1 = strip($_POST["Si_User_Name"]);
	$tmp2 = strip($_POST["Si_Password"]);
	  if (test("Login_Name",$tmp1) and test("Blarg",$tmp2) ){
	  echo "<b>Logged in !<br></b>";
	  $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE Login_Name='".$tmp1."'") );
      setcookie("ID",$temp["ID"], time()+3600);
	  button("x","<-- Back");
	  }
	  else{
	   echo "<b>Bad name or password. Please try again.<br></b>";
	   button("x","<-- Back");
	  }
	}

 ?>
</body>
</html>



 


#25 Solid_Spy   Members   -  Reputation: 389


Posted 17 December 2013 - 05:32 PM

Ah yes, I had to use many different libraries for making a game engine, and had to work with all sorts of strange libraries that don't always go together. For science!



#26 Ectara   Crossbones+   -  Reputation: 2765


Posted 18 December 2013 - 08:03 PM


return preg_replace('/[^A-Za-z0-9_]/', " ", trim($str) );

This seems a bit odd. If you're stripping disallowed characters, shouldn't you just be removing them, instead of inserting spaces? You're inserting characters that you're explicitly trying to remove (since it matches /[^A-Za-z0-9_]/).

 

Also, the trim() becomes useless. This function call turns ".string." into " string ", so it is very easy to reinsert whitespace after you thought it was removed.
 

 

 


$tmp1 = strip($_POST["Si_User_Name"]);

$tmp2 = strip($_POST["Si_Password"]);

if (test("Login_Name",$tmp1) and test("Blarg",$tmp2) ){


Moreover, it is worrisome to use login credentials that were modified after they were entered as some security scheme; if someone figures out that you're doing this, it is always possible that they'll find a hole and use it as an attack vector: instead of entering data that you don't allow, they enter specially crafted data that your program modifies into what they want, after you've already assumed it is safe.

 

I would personally suggest rejecting the input entirely if it is invalid, rather than trying to shoehorn it into being valid data.


Edited by Ectara, 18 December 2013 - 08:14 PM.
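An added example (not Ectara's or Shippou's code) of the reject-don't-repair approach this post argues for, run against constructed inputs including the ".string." case. The thread's strip() is reproduced only to show what it silently changes; the character and length rules are the ones the sign-up form already states.

```php
<?php
// Added example (not code from the thread): validate-and-reject instead of
// rewrite-and-trust. Rules come from the posted sign-up form: letters, digits
// and underscore only, at least 5 characters. The upper bound is an assumption.

// The thread's own strip(), copied for comparison only.
function strip(string $str): string {
    return preg_replace('/[^A-Za-z0-9_]/', " ", trim($str));
}

// Returns null when the value is acceptable, otherwise the reason it is not.
// The value is never modified: what is checked is exactly what gets used.
function validate_field(string $value, int $min = 5, int $max = 32): ?string {
    if (strlen($value) < $min) {
        return "too short";
    }
    if (strlen($value) > $max) {
        return "too long";
    }
    // \A and \z anchor the whole string; with ^...$ a trailing newline
    // would slip past the check.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $value)) {
        return "contains characters outside A-Z, a-z, 0-9, _";
    }
    return null;
}

// Constructed sample inputs, including the ".string." case from the post.
$samples = [
    "Shippou_01",   // clean: accepted unchanged
    ".Shippou.",    // strip() turns this into " Shippou "
    "Shippou 01",   // strip() leaves the inner space in place
    "Shippou\n",    // strip() trims it; the anchored check rejects it
    "ab",           // below the form's minimum length
];

foreach ($samples as $in) {
    $reason = validate_field($in);
    printf("%-14s strip() -> %-14s %s\n",
        json_encode($in),
        json_encode(strip($in)),
        $reason === null ? "accepted as-is" : "rejected: $reason");
}
```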


#27 LJ_1102   Members   -  Reputation: 840


Posted 18 December 2013 - 08:25 PM

// sql injection
mysqli_query($sql,"INSERT INTO ".$table." (Game_Name,Login_Name,Blarg,ID)VALUES('".$_POST["Su_Game_Name"]."','".$_POST["Su_User_Name"]."','" .$_POST["Su_Password"]."','".$x2."')");

Why are you still not using mysqli_real_escape_string? What happens if for some reason you ever want to allow whitespace or even free text -> you can't use your "awesome" strip function anymore. Maybe it's better if you just use an already existing and proven ORM to handle database calls for you. This code is all coding horror; even when using mysqli_real_escape_string, a professional project would have the database logic abstracted away, use a templating engine for HTML output and a router to route the requests to the appropriate controllers.

Yes, you can build a project the way you are, but you'll soon encounter hard-to-find bugs and a total require/include global variables and functions mess.
Have a look at something like Yii, CakePHP or Zend. You'll save so much time and frustration by using a proper framework, seriously.



 


#28 Shippou   Members   -  Reputation: 1322


Posted 19 December 2013 - 01:08 PM

Unfortunately the host I use has no 3rd party libraries. The server is pure PHP / HTML5 / SQL.




 


#29 froop   Members   -  Reputation: 636


Posted 19 December 2013 - 01:15 PM

Unfortunately the host I use has no 3rd party libraries. The server is pure PHP / HTML5 / SQL.

 

The libraries he mentioned are written in PHP. So you can use them.



#30 flodihn   Members   -  Reputation: 214


Posted 22 December 2013 - 10:09 PM

Apart from the issue of being vulnerable to SQL injection attacks, I would recommend separating your HTML and PHP code. That will help a lot with improving readability.


Edited by flodihn, 22 December 2013 - 10:10 PM.

www.next-gen.cc NextGen MMO Architecture | www.abydosonline.com Abydos Online

#31 tanzanite7   Members   -  Reputation: 1142


Posted 26 December 2013 - 07:41 PM

The browser doesn't let you type those extra characters, but you can either post from a separate file/page or use JavaScript to alter the form settings.

In my case, all I have to do is pick "Forms" -> "Remove Maximum Lengths" from the always visible web developer toolbar.

Reminds me of a finished project I was handed down for greenlighting into active use some years ago when its original dev left. Instead of simply giving a go/no-go, I opted to construct a string ready for copy-paste and just showed them:
* two mouse clicks to remove the form field limitations
* copy-paste the crafted username into the login form
* press enter
=> logged into the application as superuser. As an additional bonus, the login crashed the logging subsystem without invalidating the login itself -> leaving no traces.

Not blaming the original dev too much though; he was not qualified to do the job and everyone involved knew it from the outset, they just thought "how hard can it be?".

#32 samoth   Crossbones+   -  Reputation: 4510


Posted 27 December 2013 - 04:33 AM

Unfortunately the host I use has no 3rd party libraries. The server is pure PHP / HTML5 / SQL.

Pure PHP can call stored procedures on a SQL server, though. A stored procedure is much harder (next to impossible) to exploit because no matter what control characters and invalid input you send, you're not getting to tell the SQL server what queries to execute. What the server will be doing is already built into the stored procedure, you're only providing the data. You might be able to generate an error, and you might be able to post some rubbish data. But you won't be able to turn a query that verifies a password into a query that drops a table or overwrites grants.

 

And, pure PHP without stored procedures can prevent 99.9% of SQL attacks with one simple call to mysqli_real_escape_string if you don't want to use stored procedures.






