How vulnerable is my code to SQL injection?

Ok I don't want this to be a hacking advice question, so please don't down-vote for that. I work in a web shop and I've found some of our old PHP pages are vulnerable to SQL injection in the username and want to know how bad.

We use a PHP string to embed the user input from the POST on the login form.

$uname = $_POST['username'];   // raw POST value, spliced into the SQL text below as-is
$pass  = md5($_POST['pass']);  // hashed, so only the username reaches the query unchanged
$sql = "SELECT * FROM users WHERE username='$uname' AND password='$pass' AND userlevel='user'";
...

then I run the query.

Now, I'm no SQL expert, I just use what I can piece together on phpMyAdmin. But I was able to log in without a username by instead using:

' OR 1 '

I know to escape the user input, I use mysql_real_escape_string.

My question is, how vulnerable is this code, and could someone log into this page and not need the password? I would think maybe they wouldn't need the username, but could only brute force the password. But I'm no SQL guru and am wondering if some tricks could be used against us.

We use MySQL.

And please I don't need any lectures on input validation, I know how bad this is. We should be doing lots of things, like timeouts and lockouts on our page so it can't be brute-forced.

asked Nov 30 '22 19:11 by tkotitan


2 Answers

"Could someone log into this page and not need the password": Yes, trivially. Try the username yourfavoriteadmin' OR 1; --.

May as well link this, since certainly somebody will...

answered Dec 06 '22 15:12 by chaos

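As an added example (not code from the question or from either answer), here is the question's string-built query beside a parameterised version, both run through PDO against an in-memory SQLite database so the script works offline. The users table, the sample user and the md5 password handling are constructed here to mirror the question; the username input is exactly the one given in the answer above. The string-built query turns that input into "match any row", so a user row comes back with the wrong password, while the prepared statement searches for a user literally named that and finds nothing.

```php
<?php
// Added example, not from the question or the answers. PDO with an
// in-memory SQLite database keeps it self-contained; for the MySQL server
// in the question only the DSN and credentials change, the prepare/execute
// logic is identical. Table, sample user and md5 hashing are constructed
// here purely to mirror the question's code.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT, userlevel TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', '" . md5('correct horse') . "', 'user')");

// The question's approach: user input is interpolated into the SQL text,
// so quote characters in the input end the string literal and whatever
// follows is parsed as SQL.
function vulnerableLogin(PDO $pdo, string $uname, string $pass)
{
    $hash = md5($pass);
    $sql  = "SELECT * FROM users WHERE username='$uname' AND password='$hash' AND userlevel='user'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// The fix: placeholders. The values travel separately from the query
// text, so quotes, OR clauses and comment markers in the input are just
// characters inside a string and never become SQL.
function safeLogin(PDO $pdo, string $uname, string $pass)
{
    $stmt = $pdo->prepare(
        "SELECT * FROM users WHERE username = :u AND password = :p AND userlevel = 'user'"
    );
    $stmt->execute([':u' => $uname, ':p' => md5($pass)]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The username from the answer above, paired with a wrong password.
// In the string-built query it yields
//   ... WHERE username='yourfavoriteadmin' OR 1; --' AND password=...
// the "OR 1" makes the WHERE clause true for every row and "--" comments
// out the password and userlevel checks.
$payload = "yourfavoriteadmin' OR 1; --";

$viaVulnerable = vulnerableLogin($pdo, $payload, 'not-the-password');
$viaSafe       = safeLogin($pdo, $payload, 'not-the-password');

echo "string-built query, wrong password: ",
     $viaVulnerable ? "logged in as {$viaVulnerable['username']}" : "refused", "\n";
echo "prepared statement, wrong password:  ",
     $viaSafe ? "logged in as {$viaSafe['username']}" : "refused", "\n";

// The legitimate login still works through the parameterised path.
$legit = safeLogin($pdo, 'alice', 'correct horse');
echo "prepared statement, correct login:   ",
     $legit ? "logged in as {$legit['username']}" : "refused", "\n";
```

The mysql_real_escape_string call mentioned in the question only exists in the old mysql_* extension, which was removed in PHP 7, so the prepared-statement path is the one worth migrating the login page to; it also removes the need to get escaping right on every query individually.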

It’s very vulnerable. If you know about all the nifty stuff like mysql_real_escape_string why do you waste your time and ask this question? You should be all over that code, fixing it. You know, like, NOW.

answered Dec 06 '22 15:12 by Bombe