
This was marked as a duplicate, but I don't think that is a fair judgement. Again the question is being passed off with an easy answer... but it isn't the correct answer. If the "duplicate" answer is used from the actual post form, it does not work. It is rejected just like all the other attempts. I have actually used that answer multiple times, it appears on nearly every SQL injection cheat sheet. Please un-mark this as a duplicate.

This question is purely for understanding and not for use on accessing another site. I have read multiple times that MySQL escaping is not sufficient to protect yourself from SQL injections. So because of this I have set up multiple test pages to try SQL injection. I have succeeded in some, but never on one that uses the mysql_real_escape_string() function.

I have researched and tried many examples from cheat sheets but cannot crack this, so I feel like it is plenty secure, or secure enough. Can someone give me an example? Maybe a reason as to why this login is insecure and an example input that would bypass the login and/or alter the table?

I plan to also use MySQLi. In this example I am using MySQL to also ask where this could cause an SQL injection problem compared to MySQLi (another statement made but I have never seen proven).

This is someone's chance to prove the insecurity rather than simply stating that it is insecure.

```php
if (isset($_POST['aun'])) {
  // Escape the submitted username and interpolate it inside single quotes
  $username = mysql_real_escape_string($_POST['aun']);
  $checkadminlogin = mysql_query("SELECT * FROM admin WHERE un='$username'");
  // mysql_fetch_assoc() returns the matching row, or false if there is none
  $uncreds = mysql_fetch_assoc($checkadminlogin);
  $pass = mysql_real_escape_string($_POST['apwd']);
  //Line to get key for encrypting input password, used below as $keyinfo['op_value'];
  $salt = $keyinfo['op_value'];
  // Hash the (escaped) password with the salt and compare against the stored hash
  $fpass = sha1($pass . $salt);
  if ($fpass == $uncreds['pwd']) {
    echo 'Congrats, you logged in. Or hacked your way in. Whatever';
  }
}
```

Also on a side note, couldn't you just replace all special characters to prevent any injections?

  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 23 '15 at 19:05
  • @JayBlanchard I have looked into this and learned it. It definitely is the better approach, but not really getting at my overall goal for my question. I'm looking more at finding understanding for this topic that is completely vague everywhere that I look for it. Also thanks for the article link. I didn't know that it was being removed in PHP 7 :( – Spencer May Jun 23 '15 at 19:09
  • I'm pretty sure @JayBlanchard didn't actually read your question, so I wouldn't worry about it. It's still useful information for people in the future who may not know though. – Chris Jun 23 '15 at 19:11
  • See: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – gen_Eric Jun 23 '15 at 19:12
  • @RocketHazmat I actually found that on multiple cheat sheets. Under the above example, the answer to that question does not work. – Spencer May Jun 23 '15 at 19:15
  • PLEASE do not mark this as duplicate! That does not answer my question at all. It also is not the same context and does not work under my example. I want people to research because again people are taking an idea and saying it is the answer....I can create an example for people to test if needed. – Spencer May Jun 23 '15 at 19:17
  • @SpencerMay You're using quotes in your example. This is what is key to mysql_real_escape_string functioning properly. Also you don't want to replace special characters you want to escape them so they aren't treated like special characters. – Jared Jun 23 '15 at 19:18
  • I actually read the question @Chris. – Jay Blanchard Jun 23 '15 at 19:18
  • @JayBlanchard My mistake then! =) – Chris Jun 23 '15 at 19:19
  • I think I read something about Chinese or some other unicode characters possibly breaking the SQL string, but I can't find it right now. – gen_Eric Jun 23 '15 at 19:25
  • @Jrod so you're saying that the above segment cannot actually be used improperly? From the user end that is. – Spencer May Jun 23 '15 at 19:25
  • @RocketHazmat if you could find a link for that I would definitely like to read it. – Spencer May Jun 23 '15 at 19:26
  • I've found http://blog.ijun.org/2010/12/mysql-injection-cheat-sheet.html and http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection – gen_Eric Jun 23 '15 at 19:30
  • @SpencerMay Correct. If you weren't using quotes and someone entered `1 OR 1=1` then you would end up running `SELECT * FROM admin WHERE un=1 OR 1=1` which is bad. But since you are using quotes you end up with `SELECT * FROM admin WHERE un='1 or 1=1'` which is safe. Since you are using quotes someone would need to use quotes in their input to do an injection, but that's where escaping makes the string safe. – Jared Jun 23 '15 at 19:34
  • @Jrod thank you for answering my question. I have never found that answer anywhere else. Everyone always passed it off as though no matter what you did, your sql could always be injected. So the answer is, if you use it correctly, it works correctly. – Spencer May Jun 23 '15 at 19:37
  • @SpencerMay: Concerning odd character encodings: Check out the second answer [**"For Very OBSCURE EDGE CASES!!!"**](http://stackoverflow.com/a/12118602/3478852) in the "duplicate". – Nisse Engström Jun 23 '15 at 20:46
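The quoted-versus-unquoted point from Jared's comments and the character-encoding edge case Nisse Engström links to, as an added example (not code from the question or from the linked answers): a Python model of mysql_real_escape_string() that assumes MySQL's documented escaping rule and that the server sees the escaped bytes decoded under the connection charset. The templates, input bytes and charset names are constructed for the demonstration.

```python
# Added example, not code from the question: a Python model of mysql_real_escape_string().
# Assumed escaping rule: MySQL's documented one (NUL, \n, \r, \, ', " and Ctrl-Z get a backslash).
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}

def escape_bytes(value: bytes) -> bytes:
    """Byte-wise escaping: what the client does when it assumes a single-byte charset."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in value)

def escape_chars(value: bytes, charset: str) -> bytes:
    """Charset-aware escaping (connection charset set correctly): decode first, so a
    multibyte lead byte can never absorb the backslash that escaping inserts."""
    text = value.decode(charset, errors="replace")
    out = "".join(ESCAPES[ord(c)].decode() if ord(c) in ESCAPES else c for c in text)
    return out.encode(charset, errors="replace")

def sql_shape(sql: str) -> tuple:
    """Return (code outside '...' literals, all literals closed?), honouring backslash escapes."""
    code, in_str, i = [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\":
            i += 2                      # escaped character stays inside the literal
            continue
        if c == "'":
            in_str = not in_str
        elif not in_str:
            code.append(c)
        i += 1
    return "".join(code), not in_str

def server_view(template: str, value: bytes, charset: str = "latin-1", aware: bool = False) -> str:
    """Build the query the way the PHP snippet does, then decode it as the server would."""
    esc = escape_chars(value, charset) if aware else escape_bytes(value)
    return template.replace("{}", esc.decode(charset, errors="replace"))

QUOTED = "SELECT * FROM admin WHERE un='{}'"   # the query in the question
UNQUOTED = "SELECT * FROM admin WHERE un={}"   # the variant Jared's comment warns about
INTENDED = "SELECT * FROM admin WHERE un="     # the only code the author meant to run

if __name__ == "__main__":
    cases = [("quoted, escaped", QUOTED, b"1' OR '1'='1", "latin-1", False),
             ("unquoted, escaped", UNQUOTED, b"1 OR 1=1", "latin-1", False),
             ("quoted, latin-1 connection", QUOTED, b"\xbf'", "latin-1", False),
             ("quoted, gbk connection, byte-wise escape", QUOTED, b"\xbf'", "gbk", False),
             ("quoted, gbk connection, charset-aware escape", QUOTED, b"\xbf'", "gbk", True)]
    for label, tmpl, val, cs, aware in cases:
        code, closed = sql_shape(server_view(tmpl, val, cs, aware))
        ok = code == INTENDED and closed
        print(f"{label}: {'safe' if ok else 'user input reached the parser'}")
```

The gbk case shows why the connection charset has to be set through the client library rather than with a bare `SET NAMES`: byte-wise escaping leaves a quote outside the literal, while charset-aware escaping does not. With MySQLi or PDO prepared statements the value never becomes part of the SQL text at all, so neither the quoting context nor the charset can turn it into code.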
