Login code sample which has been hacked via SQL Injection, although mysql_real_escape_string...

I use CodeIgniter, and I'm having trouble with hacking. Is it possible to do SQL injection against the login code below?

    function process_login()
    {
        // Escape the raw POST values before handing them to the query builder
        $username = mysql_real_escape_string($this->input->post('username'));
        $password = mysql_real_escape_string(MD5($this->input->post('password')));

        // Check user table
        $query = $this->db->getwhere('users', array('username' => $username, 'password' => $password));

        if ($query->num_rows() > 0)
        {
            // success login data
        }
    }

Am I using the mysql_real_escape_string wrong, or what?

designer-trying-coding asked Mar 29 '10 18:03


People also ask

Does Mysql_real_escape_string prevent SQL injection?

mysql_real_escape_string ALONE can prevent nothing. Moreover, this function has nothing to do with injections at all. Whenever you need escaping, you need it regardless of "security", simply because it is required by SQL syntax. And where you don't need it, escaping won't help you even a bit.

What can a hacker do with SQL injection?

SQL injection attacks harness the power of code for malicious purposes, usually by infiltrating the backend of an application or webpage to view, alter or delete information. This might include sensitive company data, valuable assets or customer details. The resulting data breach can have severe consequences.

What is Mysql_real_escape_string used for?

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Why would a hacker want to use SQL injection hack?

Using SQL injection, a hacker will try to enter specifically crafted SQL commands into a form field instead of the expected information. The intent is to obtain a response from the database that will help the hacker understand the database structure, such as table names.


2 Answers

No, what you have posted is probably not vulnerable to SQL injection, although getwhere() could be doing a stripslashes(); I'm not sure.

It's likely that if there was SQL injection, it is in another part of your application. The attacker could use this vulnerability to obtain your extremely weak md5() hash, crack it, and then log in. Use any member of the SHA-2 family; SHA-256 is a great choice.

If your site has been defaced, then I seriously doubt that it is SQL injection. It's difficult to automate the exploitation of SQL injection to deface websites, but it is possible. I would make sure that all libraries and installed applications are fully updated, especially if you have a CMS or forum. You could run an OpenVAS scan against your site to see if it finds any old software.

rook answered Nov 09 '22 04:11


Database

Judging by your code, I see you're not using the latest CI version (2.0.2 as of 06/12).

As stated in the changelog, the getwhere() function (which is now called get_where()) has been abandoned as of version 2.0.
As with every application out there, you're strongly advised to upgrade your current version, as there have been a lot of bugfixes in the meantime and you should always rely on the safest version available.

mysql_real_escape_string is usually considered 'enough' to give a good level of safety in your queries, but as happened to its predecessor (mysql_escape_string), it isn't 100% safe against all kinds of attacks, so relying entirely on it is not the best practice around. Although safe, there are still attacks that can get past this filter.
Check, among the many, this question on SO for further information about this.

In CodeIgniter: If you were developing your own custom application, I'd suggest you at least use the mysqli extension or, better yet, the PDO class; prepared statements are undoubtedly the safest and should be favoured over everything else.

But we are in the framework context, and CodeIgniter comes with 3 great ways of safely querying your database, applying the right tool to the right input without you having to worry about it. I'm talking about query bindings, manual escaping with the $this->db->escape() family, and the Active Record Class.
You can find examples of use at the urls I just linked, or read the answers from other peers here, so I won't go into the details of each procedure in this post.

Password

Regarding your password, as already stated by other users, md5() is a now-flawed hashing algorithm. There are rainbow tables out there that can crack your md5 password in a relatively short amount of time, so you're better off with higher-security hashing algorithms, like sha1() or sha256, sha512, and others.

In CodeIgniter: CodeIgniter comes with a security helper class, which provides you with a handy function, do_hash() (might be dohash() in your older installation), which can be given the hashing algorithm as a parameter (currently I think it supports only md5 and sha1) and defaults to sha1() anyway.

Other observations

I'm not entirely clear on why you blame your login for your SQL injections. Are those the only 2 forms in your whole application?
You didn't provide the info to tell whether you use $_GET parameters or follow the native URI segmentation, but I believe you're doing it like this, so I assume you're safe from this point of view.

You should then make sure that there's no other input form on your website which contains input going into the database; otherwise you can secure your login as much as you want, but someone could get in through a backdoor, read your database table from there and log into your website in a "legitimate" way.

Moreover, there can be other sources of intrusion, like a compromised cookie for example. As a piece of advice, whenever you choose to use a framework (and you're doing yourself a bigger favour than developing from scratch all by yourself) you should tend to use MOST of its features, especially when it comes down to security. It's a huge and very delicate question, so you MUST give this topic your top priority, and a well-developed framework, with a huge community and frequent updates, is the closest to safety you can get.
Therefore, you're advised to update your CI installation (guides can be found here in their manual. Choose your version and follow the instructions), always use the top tools you're given for each task, and don't think that barring your door will make you safe from an intrusion through your windows. Always check thoroughly and investigate all possible causes.

Late Addendum: Don't forget XSS, CSRF, session fixations, and other hot security problems.

Damien Pirsy answered Nov 09 '22 05:11
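As an added example (not from the question or from CodeIgniter), here is the login rewritten the way the answers recommend: the lookup uses a PDO prepared statement so the username is bound as data, and the password is verified in code with PHP's password_hash()/password_verify() (a swapped-in replacement for the md5/sha1 discussed above). It assumes the pdo_sqlite extension, using an in-memory SQLite table as a stand-in for the MySQL users table so it runs offline; the same shape applies to CodeIgniter's query bindings.

```php
<?php
// Added example: parameterised login lookup plus in-code password verification.
// SQLite in memory stands in for MySQL; the account below is constructed sample data.

function setup_users(PDO $pdo): void {
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    // Stored value is a salted bcrypt hash produced by password_hash(), not an MD5 digest.
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
}

// Returns the user row (without the hash) on success, null on any failure.
function process_login(PDO $pdo, string $username, string $password): ?array {
    // The username travels as a bound parameter: whatever it contains is compared
    // as a value by the database driver, never parsed as SQL, so no escaping call is needed.
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The password never reaches the query; the hash comparison happens here,
    // so the WHERE clause cannot be manipulated into matching a wrong password.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup_users($pdo);

$cases = [
    'valid credentials'            => ['alice', 'correct horse'],
    'wrong password'               => ['alice', 'wrong'],
    'injection-shaped username'    => ["' OR 1=1 --", 'anything'],
];
foreach ($cases as $label => [$u, $p]) {
    // Only the first case yields a row; the third is just a string matching no account.
    echo $label, ': ', process_login($pdo, $u, $p) === null ? 'denied' : 'granted', PHP_EOL;
}
```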