Vulnerable to SQL injections - security

I'm doing a project to find vulnerable code. Is this code snippet vulnerable to SQL injection?
if(ISSET ($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = $conn->query("SELECT * FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());


Yes. Better use the parameterized query mode of Mysqli.
<?php
if (isset($_POST['user']) && isset ($_POST['pass'])) {
$user = mysql_real_escape_string ($_POST['user']),
$pass = mysql_real_escape_string ($_POST['pass']);
$conn = new mysqli("$db_host", "$db_user", "$db_pass", "$db");
$sql = "select * from admin where username=? and password=?";
$cmd = $conn->prepare($sql);
$cmd->bind_param("ss", $user, $pass);
$cmd->execute();
......
......
else {
echo "Username and password cant not be null !";
}
?>

Related

Issue while trying to validation encrypted password in CodeIgniter 4

Creation of database record
$encrypter = \Config\Services::encrypter();
$password = base64_encode($encrypter->encrypt("12345aA!"));
$data = [
"email_address" => "email#gmail.com",
"password" => $password,
"user_id" => 1
];
$query = "insert into tblusers(user_id, email_address, password)";
$query = $query . "Values(:user_id,, :email_address, :password)";
$this->db->query($query, $data);
$this->db->table("tblusers")->insert($data);
Validation of Password with database saved record
$encrypter = \Config\Services::encrypter();
$model = new UserModel();
$user = $model->where("email_address", "email#gmail.com")->first();
echo $encrypter->decrypt($user["password"]);
Approach 2 used but same error message comes
$encrypted_password = "Py02s1SOIlI/p6sSzqDCqgR81wXuXSSdrA5R8wnLs/SQDig0A2hXjvcn4TfYYaa+Xoq4sMt4gJF5Krec8U8G8fKcrrXsSxbSG3BS";
echo $encrypter->decrypt($encrypted_password);
Error Message
Decrypting: authentication failed.

It is because you're applying base64_encode(...) after encrypting your 'raw password'.
// ...
$password = base64_encode($encrypter->encrypt("12345aA!"));
// ...
But then, you forget to apply base64_decode(...) before decrypting the stored 'password hash'.
// ...
echo $encrypter->decrypt($user["password"]);
// ...
Solution:
Validation of Password with database saved record
$model = new UserModel();
$user = $model->where("email_address", "email#gmail.com")->first();
try {
$decryptedPassword = \Config\Services::encrypter()
->decrypt(base64_decode($user["password"]));
echo $decryptedPassword;
} catch (\CodeIgniter\Encryption\Exceptions\EncryptionException $encryptionException) {
log_message("error", $encryptionException->getMessage());
}
Extra Note(s):
I would recommend you use PHP's built-in secure hashing algorithms instead for this scenario.
password_hash(...)
password_verify(...)

How to check if login was successful and not redirect?

I am trying to prevent direct access to a rar file on my ftp server by using htaccess and redirecting it to a page where they can login and access the file after they successfully login. I have set this up like so:
.htaccess:
RewriteEngine on
Redirect /Downloads/file1.rar /loginAuth1.php
Redirect /Downloads/file2.rar /loginAuth2.php
loginAuth1:
if(isset($_POST['username']) && isset($_POST['password'])){
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, md5($_POST['password']));
$result = mysqli_query($con, "SELECT * FROM `users` WHERE `username` = '$username'") or die(mysqli_error($con));
if(mysqli_num_rows($result) < 1){
header("Location: loginAuth1.php?error=incorrect-password");
}
while($row = mysqli_fetch_array($result)){
if($password != $row['password']){
header("Location: loginAuth1.php?error=incorrect-password");
}elseif($row['status'] == "0"){
header("Location: loginAuth1.php?error=banned");
}else{
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['email'] = $row['email'];
$_SESSION['rank'] = $row['rank'];
header("Location: Downloads\file1.rar");
}
}
}
loginAuth2:
if(isset($_POST['username']) && isset($_POST['password'])){
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, md5($_POST['password']));
$result = mysqli_query($con, "SELECT * FROM `users` WHERE `username` = '$username'") or die(mysqli_error($con));
if(mysqli_num_rows($result) < 1){
header("Location: loginAuth2.php?error=incorrect-password");
}
while($row = mysqli_fetch_array($result)){
if($password != $row['password']){
header("Location: loginAuth2.php?error=incorrect-password");
}elseif($row['status'] == "0"){
header("Location: loginAuth2.php?error=banned");
}else{
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['email'] = $row['email'];
$_SESSION['rank'] = $row['rank'];
header("Location: Downloads\file2.rar");
}
}
}
What would be the best way to check if the user successfully logged in, and to stop the redirect as then the user can download the file?
Thanks.

A better way would be to check the authentication then just return the octet stream of the rar file contents and set the header type, size, and filename on success. That way you don't need to redirect to a non-protected file. See https://stackoverflow.com/a/8485963/7361251

script score function not working but addDecayFunction is working of FunctionScore query

I am using Elastica and going to use \Elastica\Query\FunctionScore(); function score --> script_score. Here addDecayFunction() woking fine but addScriptScoreFunction() not work and not through any exception.
DecyFunction is commented because it is working
Here is code
$scriptString = "doc['geo_location'].distanceInMiles('42.946697', '-76.113623')";
$script = new \Elastica\Script($scriptString);
$query = new \Elastica\Query\FunctionScore();
$query->addScriptScoreFunction($script);
// $locationOrigin = "32.804654, -117.242594";
// $locationScale = '2mi';
// $query->addDecayFunction(\Elastica\Query\FunctionScore::DECAY_GAUSS, 'geo_location', $locationOrigin, $locationScale);
$resultSet = $type->search($query);
$results = $resultSet->getResults();
$totalResults = $resultSet->getTotalHits();
if ( $totalResults > 0 ) {
echo "<b>Total Results Found are:</b> " . $totalResults . "<br>";
foreach ( $results as $result ) {
echo $result->getScore();
$data = $result->getData();
var_dump($data);
}
}

maybe you forget to enable scripts?
script.disable_dynamic: false

PHP variables not showing up. GETid not working properly

I have all the login scripts and profiles set up. I have a data table where all the profile information is stored called plus_signup but I can't seem to get this GET[id] thing to work. Am I missing something? Here's what I have.
When I view the page with the code I have now, there are blank areas where PHP is supposed to fill in the variables.
session_start();
include "include/z_db.php";
if ($_GET['id']){
$id = $_GET['id'];
} else if (isset($_SESSION['id'])) {
$id = $_SESSION['id'];
}
else {
print "important data to render this page is missing";
exit();
$sql = mysql_query("SELECT * FROM plus_signup WHERE id='$userid'");
while($row = mysql_fetch_array($sql)){
$userid = $row["userid"];
$name = $row["name"];
$location = $row["location"];
$sex = $row["sex"];
$aboutme = $row["aboutme"];
}
$check_pic = "users/$id/image01.jpg";
$default_pic = "users/0/image01.jpg";
if (file_exists($check_pic)){
$user_pic = "<img src=\"$check_pic\" width=\"175px\"/>";
} else {
$user_pic = "<img src=\"$default_pic\"/>";
}}

I know it's a little late and that you may have already figured out the answer to this question, but I was having the same issue and just figured it out.
Your SQL query is calling on a variable that has not been defined.
session_start();
include "include/z_db.php";
if ($_GET['id']){
$id = $_GET['id'];
} else if (isset($_SESSION['id'])) {
$id = $_SESSION['id'];
}
else {
print "important data to render this page is missing";
exit();
$sql = mysql_query("SELECT * FROM plus_signup WHERE id='$userid'");
while($row = mysql_fetch_array($sql)){
$userid = $row["userid"];
$name = $row["name"];
$location = $row["location"];
$sex = $row["sex"];
$aboutme = $row["aboutme"];
}
$check_pic = "users/$id/image01.jpg";
$default_pic = "users/0/image01.jpg";
if (file_exists($check_pic)){
$user_pic = "<img src=\"$check_pic\" width=\"175px\"/>";
} else {
$user_pic = "<img src=\"$default_pic\"/>";
}}
You are getting the 'id' from the url and storing it as $id. When you call your query, you are having it search for where ID = $userid when you really should be having it search for ID = $id.
Make sure that your variables are the same throughout!
^Hope that helps some people avoid an hour or two of frustration when trying to figure out why their function isn't working!

Drupal DB Query

I have a problem with a custom query in drupal:
$brief = db_query("SELECT * FROMdr_wiwe_profile_valuesWHEREfid= 16 ANDuid= 266");
This query returns resource(286) of type (mysql result) resource(562) of type (mysql result) .
What is wrong with my query?

loop over the db resource object
$dbh = db_query("SELECT * FROM dr_wiwe_profile_values WHERE fid=16 AND uid=266");
$results = array();
while($row = db_fetch_array($dbh)){
$results[] = $row;
}

Resources