Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Hey why is my function not working here is the php code, its written in mysql_connect:
function isUserLoggedIn() {
global $conn;
$sql = "SELECT user_id, password FROM user
WHERE
user_id='" . fixstr($loggedInUser->user_id) . "'
AND
password='" . fixstr($loggedInUser->password) . "'
AND
active = 1
LIMIT 1";
$res = mysql_query($sql);
$rs = mysql_fetch_array($res);
if($loggedInUser($res) == NULL)
{
return false;
}
else
{
//Query the database to ensure they haven't been removed or possibly banned?
if(returns_result($sql) > 0)
{
return true;
}
else
{
//No result returned kill the user session, user banned or deleted
$loggedInUser->userLogOut();
return false;
}
}
}
The connection does return an active window but is not able to connect to any of the functions does anybody know why my code is not working?
$loggedInUser is not in the scope.
You can do one of the following:
inject $loggedInUser through method parameter.
Eg) function isUserLoggedIn($loggedInUser)
locally construct or define $loggedInUser.
Eg) $loggedInUser = (new LoggedInUserFactory)->buildLoggedInUser();
declare global $loggedInUser;
In addition to what Kita wrote, it's also not known whether $conn is valid, and perhaps if($loggedInUser($res) == NULL) should be $rs not $res? I don't know the function definition so I can't say for sure, but it looks like that's more likely
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I've been practicing security-related subjects and this challenge has befuddled me. Note: I can't access any PHP source code, nor can I edit it. I'm only able to view it.
The following is given:
I have two inputs, "user" and "pass"
After 30 times the form is sent, the salt, the hashes and the final solution change. So bruteforce isn't an option (sadly!)
#The bottom of the page (not shown in the code for some reason), it echos that it found 9 users (calling the getnumberofusers() function)
I've managed to extract this:
username = root
hashed password = 551e18b35e17017742a8ce4ed27f626e
Token (possibly salt?) = 0St31ez14wOT6jTh
What I've attempted thus far with unsuccessful results:
Using SQL injection, select a known MD5 collision as password and send its counterpart as "pass", however the salt is bothering this process. Clearly I couldn't bruteforce this because after 30 attempts the salt would change.
I tried finding the entire list of users but it doesn't print the output anywhere (only errors)
This is the code we receive:
<?php
//by Mawekl
//Objective: login as root.
//Objective is NOT:
// - Blind SQLI
// - Bruteforce password/salt/id
#WARNING
#ANTI-BLIND
#for every 30 queries
#all hashes, salt
#and final solution
#will be reset.
function getnumberofusers()
{
$q = "SELECT 1 FROM `sqlinjection1`";
$r = mysql_query($q);
return 'Number of users: ' . mysql_num_rows($r);
}
function getinfo($user)
{
$q = "SELECT `id`, `password` FROM `sqlinjection1` WHERE `username`='$user'";
$r = mysql_query($q);
if(!$r)
return mysql_error();
$r = mysql_fetch_array($r);
if(!$r)
return "Username doesn't exists.";
return $r;
}
function getfullinfo($id)
{
$q = "SELECT * FROM `sqlinjection1` WHERE `id`=$id";
$r = mysql_query($q);
if(!$r)
return mysql_error();
$r = mysql_fetch_array($r);
if(!$r)
return "What the hell?!";
return $r;
}
function confirmpassword($pass, $passcorrect, $salt)
{
$pass = md5(md5(md5($pass)).$salt);
return $pass===$passcorrect;
}
function challenge($user, $pass)
{
$info = getinfo($user);
if(!is_array($info))
return $info;
$confirm = confirmpassword($pass, $info['password'], $_ENV['ST_SALT']);
if(!$confirm)
return 'Wrong password!';
$info = getfullinfo($info['id']);
if(!is_array($info))
return $info;
$returnmessage = "Welcome " . $info['username'] . "!" . PHP_EOL .
$info['welcomemessage'] . PHP_EOL;
return $returnmessage;
}
?>
Any help is appreciated, and if you have any questions I'd love to clarify my question!
now we can select the welcome message/anything else using sql
$user="1' or exp(~(select * from (select welcomemessage from sqlinjection1 where username='user1')a)) or '1'='1"
but when we found a Secret token (that i wrote up there ^) hidden in the data base and tried using it this way:
The idea: select the hashed version as password using SQL injection so the hashes match.
Here's the code:
<?php
$salt = "v5IftFb0Tx1Jhp4b";
$hashed = "";
$p = "hello";
$hashed = md5(md5(md5($p)).$salt);
echo "The Query: " . "' AND 1 = 0 UNION SELECT `id`, '$hashed' AS `password` FROM sqlinjection1 WHERE `username` = 'root';#";
?>
It echoes the query which we put in the "username" field. In the "password" field we enter "hello".
However it's not working...
but it did not work, anyone has any idea what else can we do? How can we find out what / modify the $_ENV["ST_SALT"]? as appearently its not the secret token that we found
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
Hi i have little problem with if statements while checking if $GET values are sended. The problem is the following: If I run this code the variables in the second if condition becomes inserted but I cant get variables from the second if condition outside the second if condition. Why does that happening? I've already tried it with return but it wont work. What is the mistake?
$gameid = $_GET['gameid'];
$id = $_GET['id'];
$questionid = $_GET['questionid'];
if (isset($_GET['gameid'])) {
$answer = "answer_d";
}
if (isset($_GET['id'])) {
// insert values into mysql database
$answer = "answer_m";
}
then I want to echo the variable $answer in a <p> tag.
If I understand your question correctly then the issue is that the $answer variable doesn't exist outside of the scope of the if statements. Try defining $answer alongside your other variables such as $gameid and then updating the value within the if statements.
at first initialize the variable value. then you echo this variable after all condition then you understand which if block your code enter or not
$gameid = $_GET['gameid'];
$answer = '';
$id = $_GET['id'];
$questionid = $_GET['questionid'];
if (isset($_GET['gameid'])) {
$answer = "answer_d";
}
if (isset($_GET['id'])) {
// insert values into mysql database
$answer = "answer_m";
}
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I'm trying to implement a basic login functionality on my website. I'm using the following code to fetch data from database and see if the username and password is correct or not:
$STH = $conn->prepare("SELECT * FROM users WHERE uid = '$uid'");
$STH->bindParam(':uid', $uid);
$STH->bindParam(':pass', $pass);
$uid = $_POST['uid'];
$pass = $_POST['pass'];
if($STH->execute()) {
if($row = $STH->fetch()) {
if ($row['pass'] == $pass) {
echo "Logged in Successfully <br>";
} else {
echo "Username or Password Incorrect<br>";
}
} else {
echo "<script>alert('Incorrect Username');</script>";
}
}
}
However, I keep getting the error Incorrect Username even though it is in the database. This means that there is something wrong with how I'm fetching the data after executing the query but I can't understand what exactly.
I was using the prepared statements incorrectly. I wasn't really binding anything in the query. The correct implementation would have been:
$STH = $conn->prepare("SELECT * FROM users WHERE uid = :uid");
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
So I have a php authentication script and everything works fine. But I'm very unsure about the way I programmed it (I hardcoded some stuff) and I was hoping stack could look through this and point out any potential problems.
Here is the script:
<?php
require_once 'Bcrypt.php';
class Mysql {
private $conn;
function __construct() {
$this->conn = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***') or
die('There was a problem connecting to the database.');
}
function verify_Username_and_Pass($un, $pwd) {
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
$query = "SELECT *
FROM Conference
WHERE Username = :un";
$stmt = $this->conn->prepare($query);
$stmt->bindParam(':un', $un);
//$stmt->bindParam(':pwd', $pwd);
$stmt->execute();
$row = $stmt->fetchAll();
$hash = $row[0]["Password"];
$is_correct = Bcrypt::check($pwd, $hash);
if ($is_correct) {
// User exist
$firstName = $row[0]["First Name"];
$_SESSION["FirstName"] = $firstName;
return true;
$stmt->close();
}
else {
// User doesn't exist
return false;
$stmt->close();
}
}
}
?>
So how does it look?
Without testing it out, i think your code should work, the usage of BCrypt looks reasonable. There are some points that could be improved of course, some are maybe a matter of opinion.
If your query doesn't return any row (because no such user name exists), you would access an invalid index $row[0]["Password"]. You should first ask, if there is a result, before using it.
Your call for closing the database is placed after the return statement, so it will never be executed. PHP will close the database automatically, so either close it before the return statement, or remove the line.
You named your function verify_username_and_password(), but actually it does also read from the database and writes to the session. These are hidden activities, another developer cannot know that the session changes unless he reads the whole code. One possibility to solve this problem would be, to split up the function.
untested example:
$userRow = getUserRowFromDatabase($userName);
if (!is_null($userRow))
{
if (verifyPassword($password, $userRow["Password"]))
{
addLoggedInUserToSession($userRow["First Name"])
}
}
Each of these three functions have only one problem to solve. This would make your code more readable, ideally it should be like reading a story in a book.
Hope i could give you some ideas.
You can actually use mysql to verify the hash for you
SELECT COUNT(*) FROM Conference
WHERE Username = :un
AND Password = ENCRYPT(:pass, Password)
LIMIT 1
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Why isn't this code working?
$welcome = mysql_query("SELECT welcome FROM users WHERE id = '" . $_SESSION['user']['id'] . "'");
if($welcome == '0')
{
echo 'register is 0';
}
else
{
echo 'register is 1';
}
$_SESSION['user']['id'] returns as 1, by the way.
MySQL returns a resource on success, false on error, not a value from the query. Try this:
$welcome = mysql_query("SELECT welcome FROM users WHERE id = '" . $_SESSION['user']['id'] . "'");
$row = mysql_fetch_assoc($welcome);
if($row['welcome']== '0')
{
echo 'register is 0';
}
else
{
echo 'register is 1';
}
You shouldn't build your query like that as you'll not be protected from a SQL Injection Attack.
$query = sprintf("SELECT welcome FROM users WHERE id = %d", $_SESSION['user']['id']);
// Perform Query
$result = mysql_query($query);
Once that has finished you then need to fetch from the result, you cannot just query it.
if(!$result)
echo "Error"; // Deal with it
$row = mysql_fetch_assoc($result);
echo $row['welcome'];
mysql_free_result($result);
According to MySQL documentation, the resource is returned if the select statement is successful, or 'false' if the statement fails.
Although there's a better, more secure way to achieve what you are trying to accomplish, your statement can be revised simply to :
if($welcome === false)
{
echo 'register is 0';
}
else
{
echo 'register is 1';
}
That will work, but as I said earlier, the whole code needs to be updated to a more secure version.