I was told there is an SQL injection vulnerability in the PHP script that matches 'login' and 'pass' from a backend DB. Edit: Removed code for confidentiality.
Yep, you're vulnerable (or you don't show the code that makes you secure) – John Conde Mar 27 '15 at 19:21
`$login = '; DELETE * FROM users` – AbraCadaver Mar 27 '15 at 19:22
2 Answers
If you are not applying any treatment and are doing something such as $login = $_POST['login'], then yes, you are vulnerable to SQL injection.
It's not that someone could get in without a password that matters but rather that someone could execute any wanted queries.
For example, if this value is submitted: "admin); DROP table; --" you'd have your table dropped.
Have a look at this question.
I'm assuming a user input value is put into $login. If $login is not sanitized, and the user could set it, then it could be set to
' or '1'='1
Which would return everything in the table due to SQL syntax. Note that this particular injection doesn't do much because your code just matches the password against the first record returned, but by the nature of the injection any other SQL commands such as DROP or DELETE would still run, and still do things like delete every record from the table, insert an arbitrary record and so on.
To avoid SQL injections, use prepared statements or use a server-side enforced whitelist of allowed input characters (only feasible in some contexts). See: http://php.net/manual/en/pdo.prepared-statements.php
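The prepared-statement fix the answer recommends, as an added example that is not the question's code or either answerer's: it assumes a `users` table with `login` and `pass_hash` columns (the hash produced by password_hash()) and an assumed DSN and credentials.

```php
<?php
// Added example: a login check written with PDO prepared statements so the
// submitted login value can never become part of the SQL text.
// Assumptions: table `users` with columns `login` and `pass_hash` (made with
// password_hash()); DSN and credentials below are placeholders.

// The vulnerable pattern the answers describe (do NOT use): the raw POST value
// is spliced into the query string, so input such as  ' or '1'='1  alters the
// query's structure instead of being compared as data.
//   $sql = "SELECT * FROM users WHERE login = '" . $_POST['login'] . "'";

function authenticate(PDO $pdo, string $login, string $password): bool
{
    // The SQL text is fixed; the value is bound separately, so the database
    // receives $login strictly as data, never as query syntax.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE login = :login LIMIT 1');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a dummy hash so the response time does
        // not reveal whether the login exists (bcrypt is deliberately slow).
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }
    // Compare against the stored hash, never against a plaintext column.
    return password_verify($password, $row['pass_hash']);
}

// Emulated prepares are disabled so the MySQL server performs the binding
// itself rather than the client library escaping values into the query.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$login    = $_POST['login'] ?? '';
$password = $_POST['pass']  ?? '';

if (authenticate($pdo, $login, $password)) {
    echo 'Login OK';
} else {
    echo 'Invalid credentials';
}
```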