-1

I made a PHP site with a user/password login, but a user can skip this page by using
`'='`, `'or'`, `' or 1=1`. Like this code here, in the file Login_Check.php:

```php
<?php
// Login_Check.php as posted (vulnerable: $username and $password are
// pasted straight into the SQL text, so a value like  ' or 1=1  becomes
// part of the query instead of being compared as a string).
include("includeszzz/host_conf.php");
include("includeszzz/mysql.lib.php");

$obj  = new connect;
$obj1 = new connect;

$username = $_GET["username"];
$password = $_GET["password"];
//echo $username;
//echo $password;

// User-controlled string interpolated directly into the query
$sql = "select username from admin where username='$username'";
$obj->query($sql);
$U_num = $obj->num_rows();
//echo $U_num;

if ($U_num != 0) {
    // Same problem here: both values are interpolated unescaped
    $sql1 = "select password from admin where username='$username' and password='$password'";
    $obj1->query($sql1);
    $P_num = $obj1->num_rows();
    if ($P_num != 0) {
        session_start();
        $_SESSION["zizo"] = "$username";
        //header("location: welcome.php");
        echo "1";
    } else {
        echo "Invalid Password Please Try Again";
    }
} else {
    echo "Invalid Username Please Try Again";
}
```

What you are experiencing is called [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). Read the link I just posted and the one in @NathanTuggy's comment. – elixenide Nov 14 '15 at 00:37

1 Answer

2

You want to avoid using user data in queries without any type of sanitization. http://php.net/manual/en/security.database.sql-injection.php

"Example #5 A more secure way to compose a query..."

```php
<?php

// $offset is a user-supplied value; forcing it to an integer removes any SQL
settype($offset, 'integer');
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";

// please note %d in the format string, using %s would be meaningless
$query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;",
                 $offset);

?>
```
  • If the database layer doesn't support binding variables then quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.). Generic functions like addslashes() are useful only in a very specific environment (e.g. MySQL in a single-byte character set with disabled NO_BACKSLASH_ESCAPES) so it is better to avoid them.
  • Do not print out any database specific information, especially about the schema, by fair means or foul. See also Error Reporting and Error Handling and Logging Functions.
  • You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has other impacts.

Additionally, you can make use of Binding Parameters: http://php.net/manual/en/pdo.prepared-statements.php

```php
<?php
// $dbh is an existing PDO connection object
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
// bindParam binds by reference, so the current value of $name/$value is
// read each time execute() runs
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>
```
Suing
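Putting the answer's advice back onto the question's code, here is Login_Check.php rewritten with PDO prepared statements. This is an added example, not code from the question, the answer or the PHP manual; it assumes a PDO connection (the DSN and credentials are placeholders), the page's `admin` table with `username` and `password` columns, and that `password` holds `password_hash()` output rather than the plaintext the original compares against.

```php
<?php
// Added example (not the asker's or answerer's code). The values from
// the form are sent to the server as bound parameters, so an input such
// as  ' or 1=1  is compared as a literal string and never parsed as SQL.
// Assumptions: placeholder DSN/credentials below, an `admin` table with
// `username` and `password` columns, and `password` = password_hash() output.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
               'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

/**
 * Returns true only when $username exists and $password matches its hash.
 * The user-supplied values never become part of the SQL text.
 */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM admin WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown username
    }
    // Hash comparison in PHP instead of a plaintext `password = '...'` clause
    return password_verify($password, $row['password']);
}

// Credentials are read from POST rather than the query string, so they do
// not end up in browser history, Referer headers or web-server access logs.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (checkLogin($pdo, $username, $password)) {
    session_regenerate_id(true);   // new session id after authentication
    $_SESSION['zizo'] = $username;
    echo '1';
} else {
    // One generic message: the original told the caller which half was wrong,
    // which lets anyone confirm whether a username exists.
    echo 'Invalid username or password. Please try again';
}
```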