virtualAnon virtualAnon - 3 months ago 10
MySQL Question

PHP | Searching for the user and vulnerability for attacks

Introduction:

I am using MySQLi to prevent any further attacks to my website. I'm just a 13 y/o and a Grade 8 (2nd Year Highschool Student) starting here on PHP and MySQL "functions". I am using PHP 5.6.16, MySQL version of: 5.7.9, and using WAMP

Problem:



MySQL error # 1064 and SQLi vulnerability


How to "reproduce" the problem?

To "reproduce" the problem is, when you search for the user, add some weird characters. Like adding a " ') " character in the search box.

Suggestion on fixing this problem:

Sanitizing the text box input and prevent any weird or unrecognized characters to be "searched"

Screenshot:


Error Screenshoot

Codes:


<?php
# Essential files, please don't erase it!
require_once("../functions.php");
require_once("../db-const.php");
session_start();
?>
<html>
<head>

<script src="script.js" type="text/javascript"></script><!-- put it on user area pages -->
</head>
<body>
<h1> View Profile </h1>
<hr />
<?php
if (logged_in() == false) {
echo "<script> window.alert(\"Please login first!\"); </script>";
redirect_to("login.php");
} else {
if (isset($_GET['username']) && $_GET['username'] != "") {
$username = $_GET['username'];
} else {
$username = $_SESSION['username'];
}

## connect mysql server
$mysqli = new mysqli(localhost, root, "", loginsecure);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
## query database
# fetch data from mysql database
$sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1";

if ($result = $mysqli->query($sql)) {
$user = $result->fetch_array();
} else {
echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
exit();
}

if ($result->num_rows == 1) {
# calculating online status
if (time() - $user['status'] <= (5*200)) { // 300 seconds = 5 minutes timeout
$status = "Yes";
} else {
$status = "No";
}

# echo the user profile data
echo "<title> View Profile of: {$user['username']} </title>";
echo " Account Searcher: <br>
<form action=\"?username=\" method=\"get\">
Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "Unique ID: {$user['id']}\n<br>Username: {$user['username']}\n<br>First Name: {$user['first_name']}\n<br>Last Name: {$user['last_name']}\n<br>Email: {$user['email']}\n<br>Online? $status\n<br>";
} else { // If user doesn't exists - trigger this event
echo " Account Searcher: <br>
<form action=\"\" method=\"get\">
Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "<title> User doesn't exists! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>";
}
}

// showing the login & register or logout link
if (logged_in() == true) {
echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>';
} else {
echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>';
}
?>
<hr />
</body>
</html>

Answer

You are sending the values directly into the database query before validating them which may cause dangers.To prevent sql injections there are inbuilt php functions like mysqli_real_escape_string(). being that said a complete better solution is using Php prepared statements with PDO..

In your code: when you are taking some data from user either from get or post variables do this

<?php

$uname=$_GET['username'];
//now validate
$username=mysqli_real_escape_string($conn,htmlspecialchars($uname));
//Now username is somewhat protected.so now use it for sql queries.

?>
Comments