
I have an MSSQL table named users with the username rob_dewar01 and the password 0b1a1953c219343f3313f0feae9abbe8. The password was put into the table as MD5 using PHP code and translates to KingDozer without MD5. There is a page called login.php that has a form with two inputs where the user may input the username and password. The login.php will send to the check.php page when the user hits submit. The check.php should then check if the username and password are correct, then send the user to the management page. If the username and password are incorrect, the check.php page will send the user back to the login.php page. My problem is when I try to correctly input the username rob_dewar01 and the password KingDozer into the login.php page and hit submit, it sends me right back to the login.php page. I am not sure if this is happening because it is being used with MSSQL or PHP.

Here is the login.php page code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Login to === Back-end</title>
  </head>

  <body>
    <form method="POST" action="check.php">
      Username:<br />
      <input type="text" name="username" />
      <br /><br />
      Password:<br />
      <input type="password" name="password" />
      <br /><br />
      <input type="submit" id="subbut" value="Submit" />
    </form>
  </body>
</html>

Here is all my PHP code for check.php:

<?php
  session_start();

  if($_SERVER['REQUEST_METHOD'] == "POST") {
    $conn=mssql_connect('gsom','Gser','Ros1!');
    mssql_select_db('GBsr',$conn);
    if(! $conn )
    {
      die('Could not connect: ' . mssql_get_last_message());
    }

    $username = ($_POST['username']);
    $password = ($_POST['password']);

    $result = mssql_query("SELECT * FROM users WHERE username='$username' AND
      password=md5('$password')");
    if(mssql_num_rows($result) > 0) {
      $_SESSION['is_logged_in'] = 1;
    }
  }

  if(!isset($_SESSION['is_logged_in'])) {
    header("location:login.php");
  } else {
    header("location:careers/managecareers.php");
  }
?>

Here is the PHP page's code I used to insert a username and password into the MSSQL table users:

<?php
$conn=mssql_connect('gbscom','GBser','Robs!');
mssql_select_db('Gser',$conn);
if(! $conn )
{
  die('Could not connect: ' . mssql_get_last_message());
}

// mssql_query() takes the SQL string first and the link resource second
$result = mssql_query("INSERT INTO Users (username, password)
VALUES ('rob_dewar01', md5('KingDozer'))", $conn);

// Test the query's return value, not the bare function name
if (!$result) {
    // The query has failed, print a nice error message
    // using mssql_get_last_message()
    die('MSSQL error: ' . mssql_get_last_message());
}

mssql_close($conn);
?>

Any help is appreciated. Thank you for any help.

Alexander
Kelsey
  • Not a good idea to show your user and password to the world – hanleyhansen Feb 14 '14 at 21:23
  • I plan to make a new username and password once I get this working. – Kelsey Feb 14 '14 at 21:25
  • Isn't this the same problem [you had before](http://stackoverflow.com/questions/21788923/php-insert-table-data-code-not-inserting-data-into-mssql-table) where `MD5()` is not natively available to MSSQL? – Michael Berkowski Feb 14 '14 at 21:29
  • You need to do some error checking on your query. `if (!$result) { echo mssql_get_last_message(); exit(); }` to abort before your redirection and see what has gone wrong. – Michael Berkowski Feb 14 '14 at 21:30
  • Not sure if anyone has advised in your previous questions yet, but your code is now vulnerable to SQL injection, since `$username` is unfiltered input. [PHP's MSSQL doesn't have good support](http://stackoverflow.com/questions/574805/how-to-escape-strings-in-sql-server-using-php) for escaping, but anyway [read this question thoroughly](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Michael Berkowski Feb 14 '14 at 21:34
  • I am unsure that $username is vulnerable to SQL injection because it is not an "insert into table" kind of form. I believe it is rather just a query of the table's data. @MichaelBerkowski – Kelsey Feb 18 '14 at 17:04
  • It _is_ vulnerable. If for example `$username == "' OR 1=1 --"` it will return all users regardless of password and your check `mssql_num_rows($result) > 0` will succeed. SQL injection isn't only an issue for INSERT/UPDATE; it applies everywhere. – Michael Berkowski Feb 18 '14 at 17:12

1 Answer


I concur with @MichaelBerkowski comments. You should hash the password with PHP.

$password = md5($_POST['password']);

See here for more details. Or better yet use a different hashing algorithm that hasn't been compromised and consider adding a salt to your hashed passwords and sanitizing your inputs.

hanleyhansen
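Putting the comments and the answer together, here is a hardened check.php as an added example (not the asker's code or the accepted answer's): the username is bound as a query parameter so `' OR 1=1 --` is compared as a literal and matches nothing, and the password is hashed and verified in PHP with `password_hash()`/`password_verify()` rather than in T-SQL. It assumes the `pdo_sqlsrv` driver (the `mssql_*` functions were removed in PHP 7); the DSN and credentials are placeholders.

```php
<?php
// Added example: hardened replacement for the check.php in the question.
// Assumes the pdo_sqlsrv driver; DB_HOST/DB_NAME/DB_USER/DB_PASS are placeholders.
declare(strict_types=1);
session_start();

$pdo = new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // surface query errors instead of silently redirecting
]);

/**
 * True only if a row with exactly this username exists and the submitted
 * password verifies against the stored password_hash() value.
 * The username is a bound parameter, so it can never alter the SQL.
 */
function verify_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Hash comparison happens in PHP; the database never sees the plaintext.
    return $row !== false && password_verify($password, $row['password']);
}

/** For account creation: store a salted bcrypt hash, not an unsalted MD5. */
function store_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (verify_login($pdo, $username, $password)) {
        session_regenerate_id(true);   // new session id on login, against session fixation
        $_SESSION['is_logged_in'] = 1;
    }
}

if (empty($_SESSION['is_logged_in'])) {
    header('Location: login.php');
} else {
    header('Location: careers/managecareers.php');
}
exit;   // stop script execution after the redirect header
```

The existing MD5 row will not verify against `password_verify()`, so the account has to be re-created through `store_user()`, and the `password` column must be wide enough (at least 60 characters, `varchar(255)` is the usual choice) to hold a bcrypt hash.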