
In a sign up / login form, we validate user input like username and email and make sure that it does not contain any special characters. My question is about the Password input field. Is it possible to inject a SQL query using the password input field? Because we allow the user to add special characters to it.

Funk Forty Niner
Ali
  • Yes it is perfectly possible if you don't protect against it. Use [prepared statements](https://en.wikipedia.org/wiki/Prepared_statement). – Phylogenesis Feb 02 '18 at 12:01
  • Yes, it is possible. To prevent your database from being hacked, try to use MySQLi or PDO. – Rohit Singh Feb 02 '18 at 12:01
  • Just use prepared statements and you can (almost) forget about SQL injections. – Franz Gleichmann Feb 02 '18 at 12:01
  • Although you should always use a prepared statement, the possible contents of a hashed password depend on the hashing algorithm used. You are hashing your passwords, right? – jeroen Feb 02 '18 at 12:02
  • use prepared statements and parameterise _all_ your input fields. – ADyson Feb 02 '18 at 12:27
  • @jeroen *"You are hashing your passwords, right?"* --- one would hope so ;-) – Funk Forty Niner Feb 02 '18 at 12:52
  • @JorgeCampos about the possible duplicate; for the injection part, yes. However, that Q&A does not talk about manipulating passwords and what escaping does for injection characters or any other that MySQL may complain about ;-) which is the basis of the question. – Funk Forty Niner Feb 02 '18 at 12:54
  • @FunkFortyNiner One would hope so but then again, one would not have to ask the question if that were the case ;-) – jeroen Feb 02 '18 at 12:55
  • @jeroen agreed. – Funk Forty Niner Feb 02 '18 at 12:55
  • @jeroen yep I am and thanks for the reply :) – Ali Feb 02 '18 at 13:02
  • @FunkFortyNiner It makes no difference if the field is a password, a number, or even an image. The subject of the question is the SQL injection, which using proper prepared statements would prevent no matter what the input is. That's why I marked it as a duplicate. – Jorge Campos Feb 02 '18 at 16:29
  • I understand @Jorge. TBH though, I could have hammered it but chose not to, since I felt that the injection part of it was only part of the question (in all fairness to it also) and felt it deserved an answer for it, given, as I mentioned earlier, that the possible duplicate does not address the manipulation of passwords and the possible failure of escaping them if and when a password were to contain characters such as an apostrophe. – Funk Forty Niner Feb 02 '18 at 16:32
  • @FunkFortyNiner I understand your point! :) – Jorge Campos Feb 02 '18 at 16:43
  • Thanks @Jorge *cheers* – Funk Forty Niner Feb 02 '18 at 16:43
  • @NewProgrammer I'm curious. Were you using any type of escaping such as `mysqli_real_escape_string()` or a prepared statement before/during the time of your posting? Or which API is used to connect with also. – Funk Forty Niner Feb 03 '18 at 13:52
  • @FunkFortyNiner no I wasn't, but I have done password hashing before and was so dumb as to think that if the input from the password field is being hashed then it's safe from SQL injection. To clear up my misconception, I've posted the question here. (PS sorry for my poor communication skills, I'm a newbie programmer and still learning basic concepts of web development.) Thanks for your time :) – Ali Feb 03 '18 at 15:37
  • @NewProgrammer Ok thanks. Thing is, a few are questioning my answer and the question itself of sorts. They had closed the question as being sql injection exclusive and that isn't what the question was about, not entirely anyway and feel that it was misinterpreted as such, which is why I reopened it afterwards. Your question wasn't dumb; you just didn't know and that's why I posted my answer in order to clarify things for you and possibly for others who also may not know. You're also most welcome. – Funk Forty Niner Feb 03 '18 at 15:42
  • @FunkFortyNiner I've also read that possible duplicate question before posting; didn't find what I was looking for there. As you know SQL injection is at the top of the OWASP list and can't be resolved by a few Q/As. It's funny SQL injection is no big deal and still responsible for >80% of attacks. The topic is deep; a single question can have multiple meanings. First I thought my question was gonna be deleted or would get negative votes by respected programmers just like before, but this time you saved my azz :p, thanks for giving me the confidence to post here. It's the first time that my Q got attention. – Ali Feb 03 '18 at 16:18
  • @NewProgrammer lucky I still have the tab opened *lol!* - otherwise I'd not have seen your new comment above. Always ping ;-) unless it wasn't intended for me exclusively, but as a general comment ;-) edit: welcome. – Funk Forty Niner Feb 03 '18 at 16:20
  • @FunkFortyNiner my bad, I'm not familiar with this site lol. Is there any way to stay in touch with you? – Ali Feb 03 '18 at 16:27
  • @NewProgrammer No, sorry. Some do give out their email address or post it in their profile, but not me, and most don't either, for too many reasons. If you ever have a new question, don't hesitate to post one. Chances are I'll see it if it's tagged as php and/or mysql. Those are the tags I follow mostly. – Funk Forty Niner Feb 03 '18 at 16:29
  • :( okay thanks @FunkFortyNiner – Ali Feb 03 '18 at 16:33

1 Answer

> my question is about the Password input field
> Is it possible to inject sql query using password input field?

Not if you use a prepared statement.

However, both `password_hash()` and `password_verify()` already take this into account, and you should not be manipulating passwords or limiting them.

This is something you should be using in this day and age.

If you escape a password that contains a quote, for instance John'sPlace, it will be modified to John\'sPlace, which in turn, if you use the hashing methods as stated, will fail silently on verification.

Even if a potential hacker were to try entering something like `String'); DROP TABLE USERS; --` into the password input, that would still be entered into the database as a hash, when using `password_hash()` of course.

Something like `$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a` (example hash pulled from the manual) can't do any harm.

Funk Forty Niner
  • @FrankerZ I think you should read the comments area and the question again and very carefully. The question wasn't about that, it was about passwords. – Funk Forty Niner Feb 02 '18 at 20:06
  • Let's see here, 1. "Use a prepared statement". (Bullet point 1 on that post: Use prepared statements and parameterized queries.) 2.A password field is nothing more than a regular input field when concerned with the backend. If you wish to add to the duplicate list, add [this](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) or one of the other 50 duplicate questions. – Blue Feb 02 '18 at 20:11
  • @FrankerZ There was far more at stake than just SQL injection. The post should have been written differently. Forget the prepared statement stuff; I know that quite well, and they themselves (the OP) do not know what escaping passwords does. – Funk Forty Niner Feb 02 '18 at 20:11
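The following is an added, runnable example written for this page; it is not code from the question, the answer, or its comments. It puts the two points above side by side: the question's "can the password field inject SQL?" (yes, when the raw input is concatenated into the query text) and the answer's recommendation (a prepared statement plus `password_hash()`/`password_verify()`, with no escaping of the password). It assumes PHP 7 or later with the `pdo_sqlite` extension; the in-memory database, the users `alice` and `bob`, their passwords, and the attacker payloads are all constructed for the demo.

```php
<?php
// Added example (not from the original question or answer). Contrasts a login
// check built by string concatenation, which is injectable through the password
// field, with the prepared-statement + password_hash()/password_verify() version,
// and shows why escaping a password before hashing it breaks verification.
// Assumes PHP >= 7 with pdo_sqlite; all users, passwords and payloads are constructed.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// VULNERABLE: user input is pasted into the SQL text, so a quote typed into the
// password box ends the string literal and the rest of the input is parsed as SQL.
function loginUnsafe(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchColumn() !== false;
}

// SAFE: the query text is fixed; :u and :p travel as values and are never parsed
// as SQL. The column stores a password_hash() output, so the raw password (quotes,
// semicolons and all) never reaches the database in the first place.
function registerSafe(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT)]);
}

function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    // No row means unknown user; password_verify() does the comparison otherwise.
    return $hash !== false && password_verify($pass, $hash);
}

// The escaping trap from the answer: addslashes() (or mysqli_real_escape_string())
// applied before hashing changes the bytes that get hashed, so the user's real
// password no longer verifies against the stored hash.
function verifyAfterEscaping(string $pass): bool
{
    $hash = password_hash(addslashes($pass), PASSWORD_DEFAULT);
    return password_verify($pass, $hash);
}

$db = makeDb();

// Legacy-style row written by concatenation: plain-text password, no quote in it.
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'hunter2')");
$bypass = "' OR 1=1 --";                          // constructed attacker input
$dropText = "String'); DROP TABLE USERS; --";     // the payload quoted in the answer

printf("unsafe, wrong password : %s\n", loginUnsafe($db, 'alice', 'nope')   ? 'LOGGED IN' : 'denied');
printf("unsafe, injection      : %s\n", loginUnsafe($db, 'alice', $bypass) ? 'LOGGED IN' : 'denied');
// The second line logs in without the password: the WHERE clause became
//   username = 'alice' AND password = '' OR 1=1 --'

registerSafe($db, 'bob', "John'sPlace");
printf("safe, correct password : %s\n", loginSafe($db, 'bob', "John'sPlace") ? 'LOGGED IN' : 'denied');
printf("safe, injection        : %s\n", loginSafe($db, 'bob', $bypass)       ? 'LOGGED IN' : 'denied');
printf("safe, DROP TABLE text  : %s\n", loginSafe($db, 'bob', $dropText)     ? 'LOGGED IN' : 'denied');

printf("escaped before hashing : %s\n", verifyAfterEscaping("John'sPlace") ? 'verifies' : 'FAILS');
printf("no special characters  : %s\n", verifyAfterEscaping('hunter2')     ? 'verifies' : 'FAILS');
```

Run it with `php example.php`. The unsafe login accepts `' OR 1=1 --` as a password; the prepared-statement login rejects both payloads, and the one with `DROP TABLE` in it is simply a string that `password_verify()` fails to match. The last two lines show the silent failure the answer warns about: escaping only bites when the password actually contains a character the escaper rewrites, which is why the bug is easy to miss in testing. Note that the username parameter is bound for the same reason; escaping or filtering one field while concatenating another leaves the injection route open, as the comments above say.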