Always do the SQL authorization as follows:
<?php
mysql_query("SELECT username FROM auth_table WHERE passwd='$password' AND username='$username'");
?>
and NOT as
<?php
mysql_query("SELECT username FROM auth_table WHERE username='$username' AND passwd='$password'");
?>
as $username can be specified in the text box as
$username = "abc'#";
If specified in the text box like this, then the query will become
<?php
mysql_query("SELECT username FROM auth_table WHERE username='abc'#' AND passwd='$password'");
?>
In this case # will comment out the rest of the query, which will become
<?php
mysql_query("SELECT username FROM auth_table WHERE username = 'abc'");
?>
and this will work and the user can hack the site.
When we write the query in PHP as
<?php
mysql_query("SELECT username FROM auth_table WHERE passwd='$password' AND username='$username'");
?>
then the query will become
<?php
mysql_query("SELECT username FROM auth_table WHERE passwd='somepass'#' AND username='$username'");
?>
You have to specify the whole password, and even if # is put after the password, then the username is not required. This will be OK, as we give more importance to the password; the usernames of others can be known by anyone, so the username is not so important.
Fred Schenk wrote :910
Don't allow a single quote to go into your queries. For MSSQL and ASP I always use
newstring = Replace(string, "'", "''")
Allowing a single quote will make you vulnerable to SQL injection (like "fred'; DROP DATABASE", to name the least).
Peter Cole wrote :911
why not limit the text input within the html tag by putting a size attribute in the code ... then use the all purpose htmlspecialchars on the posted variable ....
keep it simple !!
Ray Cauchi wrote :912
Validate all form data, especially for login screens.
Neither username nor password should ever (in my opinion) contain anything other than alphanumeric characters in the first place.
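As an added example (not code from any of the posters above), here is the same login check written so that neither the order of the WHERE clauses nor the characters in the input matter: the username is checked against an alphanumeric allow-list, as the last two replies suggest, and the query is run as a prepared statement with bound parameters, so a quote or # in the input is compared as plain data rather than spliced into the SQL text. The PDO connection, the table and column names from the first post, and the placeholder credentials are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection to
// the MySQL database holding auth_table(username, passwd) from the first post.

// Allow-list check suggested in the thread: reject anything that is not
// alphanumeric before it gets anywhere near the query.
function valid_username(string $username): bool
{
    return $username !== ''
        && strlen($username) <= 32
        && ctype_alnum($username);
}

// Returns the matching username, or null when no row matches.
function authenticate(PDO $db, string $username, string $password): ?string
{
    if (!valid_username($username)) {
        return null;
    }

    // Placeholders instead of string interpolation: the driver sends the
    // values separately from the SQL, so "abc'#" can never terminate the
    // string literal or comment out the passwd condition, whichever
    // order the conditions are written in.
    $stmt = $db->prepare(
        'SELECT username FROM auth_table WHERE username = :username AND passwd = :passwd'
    );
    $stmt->execute([':username' => $username, ':passwd' => $password]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Usage; the DSN and credentials are placeholders, not real values.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// The input from the first post is rejected by the allow-list; even if it
// reached the statement it would only be compared literally as a username.
var_dump(authenticate($db, "abc'#", 'anything')); // NULL
```

With emulated prepares turned off, MySQL itself receives the statement text and the parameter values separately, so there is no quoting step left to get wrong; the allow-list is an extra layer that also keeps oversized or non-printable input out of the log and the database.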