Jump to content

Mysql Injection Protect For Passwords..


CorgaE
 Share

Recommended Posts

Hi there, i have been thinking a bit. Atm ive just got a simple injection protection for my username and password field at the site. But there is a catch with it.in the password field if you want lets say: ajfds" as password. Thats not possible because it sets the password with slashes. Is there any way to fix so usersstill can use the characters in their passwords?All help is really appriciated!

Link to comment
Share on other sites

Are you saving the passwords verbatim - the actual string that someone enters? The easy way round it is to save only a hash of the password. That is, in PHP pick a hash, like sha1, and use it to scramble the password, and save the scrambled mess. To sign people in, scramble their login password and compare the hashes. That way you are protected from SQL injection and aren't storing passwords. Or, use MySQL's built in password algorithm, like this:"INSERT INTO users (password) VALUES (PASSWORD('".$_POST["password"]."')";Obviously that's a pretty lousy query :)

Link to comment
Share on other sites

Are you saving the passwords verbatim - the actual string that someone enters? The easy way round it is to save only a hash of the password. That is, in PHP pick a hash, like sha1, and use it to scramble the password, and save the scrambled mess. To sign people in, scramble their login password and compare the hashes. That way you are protected from SQL injection and aren't storing passwords. Or, use MySQL's built in password algorithm, like this:"INSERT INTO users (password) VALUES (PASSWORD('".$_POST["password"]."')";Obviously that's a pretty lousy query :)
The passwords are md5'md so there is no accually passwords in the database.
Link to comment
Share on other sites

And you still can't have slashes? Hm. Okay, I wouldn't have thought there'd be a problem.

Link to comment
Share on other sites

I don't see why that should be a problem. Say for example, the user takes a" as their password. To prevent injection, your code escapes the ", so the string is a\". That then gets concatenated into a query, for example ... VALUES("username", "a\""). The password is now in the database as a". So what is the problem?If you are storing your password as a hash in the database, as is best practice, then you should not be sanitizing it in the first place.

Edited by Synook
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...