-1

Possible Duplicate:
Best way to stop SQL Injection in PHP

My login script is being hacked (the hacker can bypass the login and get into the members section).

Here is my login:

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table width="450px"><tr><td>
<?php
if (isset($_POST['login'])) {

    // Escape the posted values for the query, then strip HTML tags from the escaped strings
    $user   = mysql_real_escape_string($_POST['username']);
    $user22 = strip_tags($user);
    $pass   = mysql_real_escape_string($_POST['password']);
    $pass2  = strip_tags($pass);
    $pass1  = md5($pass2);

    $mod = 1;

    // The query is built by concatenating the escaped username and the md5 of the password
    $sql = "SELECT * FROM users WHERE username='".$user22."' AND password = '".$pass1."'";
    $result = mysql_query($sql) or die(mysql_error());
    $battle_get = mysql_fetch_array($result);

    // Only a matching row with mod = 1 is logged in
    if ($battle_get['mod'] == 1) {
        $month = time() + 3600*24*30;
        $hour  = time() + 3600*1*1;
        $LastLogin = date('l, M d, Y H:i:s');
        $_SESSION['user'] = $_POST['username'];
        setcookie("save_user", stripslashes(htmlentities($user22)), $hour);
        setcookie("save_pass", stripslashes(htmlentities($user22)), $month); // stores the username, not the password
        $username = stripslashes(htmlentities($user22));
        $result = mysql_query("UPDATE users SET LastLogin = '$LastLogin' WHERE username='$username'");
        header("location: home.php");
    }

}
?></td></tr></table>
<ul><li class="topper" style="width:410px;"></li>
<table>
<tr><td>Username</td><td><input type="text" name="username" id="textfield"></td></tr>
<tr><td>Password</td><td><input type="password" name="password" id="textfield"></td></tr>
</table><li class="bottomer" style="width:410px;"></li></ul>
<table><tr><td><input type="submit" name="login" value="login" id="button"></td></tr></table>
</form>

And then in my config file I have this code, which stops the user from changing IP each login, etc.

// Remember the IP the session was started from
if (isset($_SESSION['last_ip']) == false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}

// Drop the session if the client IP has changed
if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
}

// Block every page unless a user is logged in
if (empty($_SESSION['user'])) {
    echo "Please login into the rpg first";
    die;
}

I include the config file (the code above) on every page; the `if (empty(...))` check stops users from viewing inside the site... The hacker is telling me he is using SQL to get in.....

What am I doing wrong?

Community
  • 1
  • 1
user1405062
  • 85
  • 1
  • 1
  • 8
  • I would recommend reading [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) – Moyed Ansari May 25 '12 at 18:41
  • How do you know the password wasn't brute-forced? Are you sure they're hacking the script, or did they just guess the proper username and password. – Kibbee May 25 '12 at 18:45
  • There is a ton of SQL Injection discussions going on with people not protecting them properly :/ – Aaron F. May 25 '12 at 18:51
  • Well they told me they go in through SQL – user1405062 May 25 '12 at 19:56
  • 1
    Please stop writing new code with the ancient `mysql_*` functions. They are no longer maintained and community has begun the [deprecation process](http://goo.gl/KJveJ) . Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you cannot decide, [this article](http://goo.gl/3gqF9) will help to choose. If you care to learn, [here is a good PDO-related tutorial](http://goo.gl/vFWnC). – vascowhite May 25 '12 at 20:05

5 Answers

2

He is using SQL injection. He is changing the $_POST of 'username' to something like

"username; OR 1=1"

and because 1=1 is "true", it lets him in. You are not protected from the ";"

There's lots of information around about SQL injection and how to protect yourself.

Laurence
  • 58,936
  • 21
  • 171
  • 212
2

The line

$sql = "SELECT * FROM users WHERE username='".$user22."' AND password = '".$pass1."'";

is dangerous (SQL injection). I recommend using prepared statements with PDO MySQL.

See http://www.php.net/manual/en/ref.pdo-mysql.php

Gilles Quénot
  • 173,512
  • 41
  • 224
  • 223
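The same login rewritten with PDO prepared statements, as an added example (not code from the question or from any answer above). It assumes the question's `users` table (username, password, mod, LastLogin) with the password column widened to hold `password_hash()` output and existing md5 hashes re-set through `password_hash()`; the DSN and credentials are placeholders.

```php
<?php
// Added example, not code from the question or any answer: the question's login
// rewritten with PDO prepared statements and password_hash()/password_verify().
// Assumes the same `users` table (username, password, mod, LastLogin) with the
// password column widened to hold password_hash() output; DSN and credentials
// are placeholders.
session_start();

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=rpg;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
}

// Returns the user row on success, null otherwise. The input is bound as a
// parameter and never becomes part of the SQL text, so a value such as
// "' OR 1=1 --" is compared as a literal username and matches nothing.
function login(PDO $pdo, string $username, string $password): ?array {
    // `mod` is a reserved word in MySQL, hence the backticks
    $stmt = $pdo->prepare('SELECT username, password, `mod` FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the salted hash; md5() of the password is not used.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ((int) $row['mod'] === 1) ? $row : null;
}

if (isset($_POST['login'])) {
    $pdo  = connect();
    $user = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($user === null) {
        echo 'Login failed';             // same message for unknown user and wrong password
    } else {
        session_regenerate_id(true);     // fresh session id once authenticated
        $_SESSION['user']    = $user['username'];
        $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
        $upd = $pdo->prepare('UPDATE users SET LastLogin = ? WHERE username = ?');
        $upd->execute([date('l, M d, Y H:i:s'), $user['username']]);
        header('Location: home.php');
        exit;
    }
}
```

The username and password are only ever passed through `execute()`, so no escaping or `strip_tags()` step is needed for the query itself.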
0

Look into SQL injection, and view examples here: http://www.unixwiz.net/techtips/sql-injection.html

Your specific SQL looks like:

$sql = "SELECT * FROM users WHERE username='".$user22."' AND password = '".$pass1."'";

This is ripe for SQL injection.

Have a look at some of the following:

These were just a few of the top links when searching for how to prevent sql injection attacks in php.

Seth Flowers
  • 8,990
  • 2
  • 29
  • 42
  • 1
    $user is obtained from mysql_real_escape_string($_POST['username']); so it should already be escaped. However, is it possible that strip_tags is causing something that's escaped to be unescaped? Although I doubt it. – Kibbee May 25 '12 at 18:40
  • How would I change that? Because everything is escaped – user1405062 May 25 '12 at 18:45
0

Read a little about SQL injection here.

Fahim Parkar
  • 30,974
  • 45
  • 160
  • 276
Darwin
  • 62
  • 2
  • 8
0

Please take a look at this post.

He explains SQL injection and mysql_real_escape_string();

Community
  • 1
  • 1
jcho360
  • 3,724
  • 1
  • 15
  • 24