So I have a test DB that is live. I was away for the holidays and came back and my MySQL DB is wiped of data (only about 8 lines). It was all test data so I am not worried about it; my thought is that I was SQL injected through my PHP signup form, but I don't see any vulnerabilities here.

I am using variables for my SQL queries which is what I thought prevented this type of attack.

I am at a loss as to where the vulnerabilities are. I only have 5 files, here is the one that I think is the problem, it is receiving data from a previous form.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Challenge Me</title>
</head>
<body bgcolor="black" style="color:white;">

<?php

if($_GET["dispname"] && $_GET["regemail"] && $_GET["regpass"] && $_GET["regpass2"] )
{
if($_GET["regpass"]==$_GET["regpass2"])
{
$regemail = $_GET["regemail"] ;
$servername="localhost";
$username="***";
$password="***";
$database="***";
$conn= mysql_connect($servername,$username,$password)or die(mysql_error());
mysql_select_db("$database",$conn);


$query = 'SELECT email FROM users WHERE email = "' . $regemail . '"';
$result = mysql_query($query) or die(mysql_error());

if (mysql_num_rows($result)) {
    die("Duplicate email found!  Please press the back button to use another email or " . "<a href='forgotpassword.php'>CLICK HERE</a> to have your password emailed");
}


$sql="insert into users (fullname, displayname,email,password)values('$_GET[fullname]','$_GET[dispname]','$_GET[regemail]','$_GET[regpass]')";
$result=mysql_query($sql,$conn) or $string = mysql_error();
$to = $_GET['regemail'];
$subject = "Thank you for Registering!";
$message = "Hello " . $_GET['dispname'];
$from = "noreply@challengeme.com";
$headers = "From:" . $from;
mail($to,$subject,$message,$headers) or die('You have successfully registered however mail servers are currently down, you may or may not receive an email');
print "<h1>You have registered successfully</h1>";

print "You will receive an email shortly with your confirmation.  You may now log in";
}
else print "passwords do not match";
}
else print"Please fill out all required fields";
?>

 </body>
 </html>
user3053446
  • You're using the value from $_GET['regmail'] directly in that first query.... – andrewsi Dec 24 '13 at 15:55
  • RTFM: http://bobby-tables.com and http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Marc B Dec 24 '13 at 15:59
  • You don't sanitize or do any basic checks on ANY of your incoming data & just let it flow straight to your MySQL query & you wonder what went wrong?!? – Giacomo1968 Dec 24 '13 at 16:04
  • My email is `me@example.com'); DROP TABLE Users;--` why won't you let me sign up? – Digital Chris Dec 24 '13 at 16:05
  • @Digital Chris... too bad mysql_query() doesn't support multiple query statements separated with semicolon, but it was a good laugh.. – Raymond Nijland Dec 24 '13 at 17:28

1 Answer

I am using variables for my SQL queries which is what I thought prevented this type of attack.

Well, that is where you are wrong. The word you're looking for is parameters. ($_GET is already a variable; assigning it to another variable does nothing at all for security.)

If you want to stick with mysql, you need to use mysql_real_escape_string on your variables.

Your best bet is to rewrite using PDO or MySQLi, so you can use parameterized queries, which automate the escaping and injection prevention for you.

Jessica
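For reference, here is what the answer's suggestion looks like applied to the question's duplicate-check and insert. This is an added example, not code from the question or from Jessica's answer: it rewrites the two queries with PDO prepared statements, so the value of the email field is bound as a parameter and never spliced into SQL text. It assumes the same `users` table and columns as the question (fullname, displayname, email, password), placeholder credentials in place of the real ones, and that the registration fields arrive in a request array such as $_GET; the function names `connect`, `emailExists` and `registerUser` are my own.

```php
<?php
// Added example (not from the question or the answer): the duplicate-check and
// insert from the question's signup form rewritten with PDO prepared statements.
// Assumptions: same `users` table as the question, placeholder credentials ('***'),
// input supplied as an associative array (e.g. $_GET).

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=***;charset=utf8mb4';
    return new PDO($dsn, '***', '***', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// The "Duplicate email found" check from the question. The email is a bound
// parameter: quotes, semicolons or comment markers inside it are just data.
function emailExists(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

// The insert from the question, with the same field names the form submits.
function registerUser(PDO $pdo, array $input): void
{
    // Validate before touching the database (the original only checked four of the
    // five fields and interpolated all of them into the INSERT).
    foreach (['fullname', 'dispname', 'regemail', 'regpass', 'regpass2'] as $field) {
        if (!isset($input[$field]) || $input[$field] === '') {
            throw new InvalidArgumentException("Please fill out all required fields ($field)");
        }
    }
    if ($input['regpass'] !== $input['regpass2']) {
        throw new InvalidArgumentException('Passwords do not match');
    }
    if (filter_var($input['regemail'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    if (emailExists($pdo, $input['regemail'])) {
        throw new RuntimeException('Duplicate email found');
    }

    $stmt = $pdo->prepare(
        'INSERT INTO users (fullname, displayname, email, password)
         VALUES (:fullname, :displayname, :email, :password)'
    );
    $stmt->execute([
        ':fullname'    => $input['fullname'],
        ':displayname' => $input['dispname'],
        ':email'       => $input['regemail'],
        // Store a hash rather than the plaintext password the original inserted.
        ':password'    => password_hash($input['regpass'], PASSWORD_DEFAULT),
    ]);
}

// Usage inside the form handler:
// $pdo = connect();
// registerUser($pdo, $_GET);
```

Two design points: with `ATTR_ERRMODE` set to exceptions, a failed insert is no longer swallowed the way `or $string = mysql_error()` did in the original, so a misbehaving request shows up in the error log instead of silently returning "You have registered successfully"; and because the email is bound as a parameter, a value like the one in Digital Chris's comment is simply stored (or rejected by `FILTER_VALIDATE_EMAIL`) rather than interpreted by the database.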