Login page. Can SQL injection be done here?

```php
<?php
include("sql.php");
session_start();

function Fix($str)
{
    $str = trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$errmsg = array();
$errflag = false;

$username = Fix($_POST['username']);
$password = Fix($_POST['password']);

if($username == '') {
    $errmsg[] = 'Username missing';
    $errflag = true;
}
if($password == '') {
    $errmsg[] = 'Password missing';
    $errflag = true;
}
if($errflag) {
    $_SESSION['ERRMSG'] = $errmsg;
    session_write_close();
    header("location: login.php");
    exit();
}

$qry = "SELECT * FROM `users` WHERE `Username` = '$username' AND `Password` = '" . md5($password) . "'";
$result = mysql_query($qry);
if(mysql_num_rows($result) == 1) {
    while($row = mysql_fetch_assoc($result)) {
        $_SESSION['UID'] = $row['UID'];
        $_SESSION['USERNAME'] = $username;
        session_write_close();
        header("location: member.php");
    }
} else {
    $_SESSION['ERRMSG'] = "Invalid username or password";
    session_write_close();
    header("location: login.php");
    exit();
}
?>
```

But what about the registration page code? Can someone do SQL injection there and get the database, or make changes to it?

```php
<?php
include("sql.php");
session_start();

function Fix($str)
{
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$errmsg = array();
$errflag = false;
$UID = "12323543534523453451465685454";

$username  = Fix($_POST['username']);
$email     = $_POST['email'];
$password  = Fix($_POST['password']);
$rpassword = Fix($_POST['rpassword']);

if(!eregi("^([0-9]{9})$", $username)) {
    $errmsg[] = 'Username missing';
    $errflag = true;
}
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[az]{2,3})$", $email)) {
    $errmsg[] = 'Invalid Email';
    $errflag = true;
}
if($password == '') {
    $errmsg[] = 'Password missing';
    $errflag = true;
}
if($rpassword == '') {
    $errmsg[] = 'Repeated password missing';
    $errflag = true;
}
if(strcmp($password, $rpassword) != 0 ) {
    $errmsg[] = 'Passwords do not match';
    $errflag = true;
}

if($username != '') {
    $qry = "SELECT * FROM `users` WHERE `Username` = '$username'";
    $result = mysql_query($qry);
    if($result) {
        if(mysql_num_rows($result) > 0) {
            $errmsg[] = 'Username already in use';
            $errflag = true;
        }
        mysql_free_result($result);
    }
}

if($errflag) {
    $_SESSION['ERRMSG'] = $errmsg;
    session_write_close();
    header("location: register.php");
    exit();
}

$qry = "INSERT INTO `users`(`UID`, `Username`, `Email`, `Password`) VALUES('$UID','$username','$email','" . md5($password) . "')";
$result = mysql_query($qry);
if($result) {
    echo "Благодарим Вас за регистрацию, " .$username . ". Пожалуйста, входите <a href=\"login.php\">сюда</a>";
    exit();
} else {
    die("Ошибка, обратитесь позже");
}
?>
```
  • I didn't see the injections either, but I agree with the answer: the code is terrible, and it seems like even some of the checks are wrong. - andreymal
  • I'm just wondering, but if you register with the nickname <script>alert(1);</script>nick and another user views this user's profile, what will they see? ) - BOPOH

1 answer

No, there is no specific injection in this code.

Despite this, this approach will not protect against injections in many other cases.

Besides, this code itself is just awful. Starting with the use of the mysql and eregi modules, which are no longer in the language, and ending with the fact that it mixes up a bunch of unrelated and often meaningless checks.
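As an added example (not part of the question or the answer above), here is the same login check rewritten with a mysqli prepared statement, which is the approach that also covers the cases escaping does not, such as values used outside quotes or in numeric contexts. The connection parameters are placeholders, and the stored password is assumed to have been created with password_hash() at registration.

```php
<?php
// Added example: login check with a prepared statement instead of string escaping.
// Connection parameters are placeholders; adapt them to your environment.
// get_result() requires the mysqlnd driver.
session_start();

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Database unavailable');
}

$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';

$errmsg = [];
if ($username === '') { $errmsg[] = 'Username missing'; }
if ($password === '') { $errmsg[] = 'Password missing'; }
if ($errmsg) {
    $_SESSION['ERRMSG'] = $errmsg;
    session_write_close();
    header('Location: login.php');
    exit();
}

// The user-supplied value never becomes part of the SQL text: it is bound as a
// parameter, so quotes, comment sequences or a numeric context cannot alter the query.
$stmt = $db->prepare('SELECT `UID`, `Password` FROM `users` WHERE `Username` = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// Unsalted md5 is not a password hash; password_verify() checks a password_hash() value
// (bcrypt by default). This assumes registration stored the hash with password_hash().
if ($row !== null && password_verify($password, $row['Password'])) {
    session_regenerate_id(true); // new session id after login, against session fixation
    $_SESSION['UID'] = $row['UID'];
    $_SESSION['USERNAME'] = $username;
    session_write_close();
    header('Location: member.php');
    exit();
}

$_SESSION['ERRMSG'] = 'Invalid username or password';
session_write_close();
header('Location: login.php');
exit();
```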