2

For a website vulnerabilities class we have been tasked with designing a php login with a mysql database that is intentionally exploitable. While I have some basic programming knowledge, and I have a "functioning" login page, I'm unsure how to make it insecure? That is, any SQL injection type queries I enter don't seem to be accepted, and when I run an add-on such as "SQL Inject Me", it also does not find any issues. I understand the concepts of how to sanitize user input, &_POST, querying the server, etc... But I haven't an extremely difficult time making it "hackable". Believe me, hours were spent tweaking and trying different things to no avail. I think I'm just having a hard time understanding this conceptually, so I'm perhaps not moving in the right direction.

If someone is willing to point me in the right direction, or give me some pointers, I would appreciate it.

These are basic SQL injection attacks I'm trying to make it vulnerable to here.

    <?php
session_start();
// store session data
$_SESSION['views']=1;
?>

    <?php
    //retrieve session data
    // echo "Pageviews=". $_SESSION['views'];
    ?>

<?php
// Create connection
$con=mysqli_connect("localhost","root","","logins");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  $i=0;
  $userName = $_POST['username'];
  $userPass = $_POST['password'];

$result = mysqli_query($con,"SELECT * FROM users");

while($row = mysqli_fetch_array($result)){
    if($_POST['username'] == $row['Username'])
    {
    $i++;}
    if($_POST['password'] == $row['Password'])
    {
    $i++;}
    }

if($i>1){
echo "Winner";
}
else{
echo "Loser";}
//echo $row['Username'] . " " . $row['Password'];
//echo "<br>";


  //echo "<br>";
  //echo $_POST['username'];
  //echo "<br>";
  //echo $_POST['password'];
 // echo "<br>";


?>

Another Method I'm Dabling with:

<?php
session_start();
// store session data
$_SESSION['views']=1;
?>

    <?php
    //retrieve session data
    // echo "Pageviews=". $_SESSION['views'];
    ?>

<?php
// Create connection
$con=mysqli_connect("localhost","root","","logins");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$verify = mysqli_query($con,"SELECT * FROM users");

while($row = mysqli_fetch_array($verify))
  {
    if (($_POST["username"] == $row['Username']) and ($_POST["password"] == $row['Password']))
        {
        echo "Winner " .$row['Firstname']." " .$row['Lastname'];
        }

        else
        {
        echo "Failure";
        }
    }

mysqli_close($con);
?>
Chip567
  • 31
  • 1
  • 2
    Your code isn't vulnerable to SQL injection because you don't have any input to your queries. Your queries are static `SELECT * FROM users`. To make them vulnerable you would need unfiltered input like `"SELECT * FROM users WHERE username='{$_POST['username']}'"` – Michael Berkowski Feb 15 '14 at 14:13
  • You should throw inputs directly to db in your query to make it unsecure and not jut use them in if condition. Check this usefull answer here http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Fabio Feb 15 '14 at 14:13
  • Wow, such fast responses! I'll give these a whirl! Thanks! – Chip567 Feb 15 '14 at 14:15
  • 2
    Great, you can log in with _anyone's password_ :-/ – Mat Feb 15 '14 at 14:15
  • wow... didn't even think about that Mat, guess that's a vulnerability in a of itself, lol. Thanks – Chip567 Feb 15 '14 at 14:17
  • Not sure this post deserved a downgrade in score considering I did put in much time and effort. But I appreciate those who did help – Chip567 Feb 15 '14 at 14:25
  • This login function is not vulnerable to SQL injection, but it will get slower and slower as your site gets more users, because it has to compare the current user's login against *all* the database entries to authenticate. You don't even break out of the loop when you find a match. – Bill Karwin Jun 03 '14 at 16:02

1 Answers1

2

For a piece of code to be open to SQL injection you simply need to take user input (typically from a form) and pass it to the database without escaping it.

As the input is not escaped the user can break out of the intended query.

The most basic example of this in PHP/MySQL is as follows:

$mysqli->query("SELECT * FROM some_table WHERE some_column = '{$_POST['some_field']}'");

In your example it would be passing the posted username/password to a database query without escaping it.

For protecting from SQL injection in mysqli you can either use real_escape_string or prepared statements.

For a login system generally it is best practise to query the database and see if a match is found rather than looping through every username and password stored to see if there is a match. Imagine if there were a million user accounts. That way you also don't need to transfer username/passwords from the database as you can just SELECT 1 and look at the number of rows returned. This makes for cleaner, faster, and more secure code.

Mitch Satchwell
  • 4,770
  • 2
  • 24
  • 31