0

I am editing someone else's PHP, and they have an 'authentication' system in which they are directly using post data in a conditional in code that looks like this:

if($database_password == $_POST['password']){ 
//access granted
}else{
//access denied
}

This doesn't look right, first of all, the password is stored in plaintext, but I am wondering whether the $_POST['password'] part is secure. I don't know if it is possible, but can't someone simply write '' OR 1==1 or something to gain access into the site? I am asking because I have to spend a significant amount of time in order to convince them that I need to introduce password rules and force every single user on the intranet to change their password to follow the new rules, especially when my task isn't supposed to involve editing this part of the code or the database.

Thanks!

Improve this question

7 Answers 7

Reset to default
2

As we can't see the rest of your code, all I can do is guess. If you are putting any sort of user generated content into a query (in this case, $_POST['password'] or a username perhaps), always use mysql_real_escape_string(). This will escape quotes so your input is safe.

If you're comparing variables in if() statements, you don't need to escape your input.

You should always encrypt your passwords. Always. Apart from being against the law in some places, it's incredibly insecure. You could even use SHA1 in MySQL queries if you don't want to do a lot of PHP.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

No that is not possible. A variable is an atomic unit and unlike for example in SQL it is not evaluated to a String and then executed.

Your example would simply be evaluated to the following which (in most cases) is false:

if ($database_password == " OR 1==1")
Improve this answer

1 Comment

This does not make any difference in this example.
1

Extremeley insecure...

Bad intended persons can become authenticated with: a boolean TRUE, or integer 0.
Source: http://php.net/manual/en/types.comparisons.php

Improve this answer

4 Comments

So you are saying ("password" == TRUE) or ("password" == 0) will evaluate to true? That's wrong. The second one would evaluate to true if the password is empty, but as $_POST always are Strings this is not possible in the example.
also note that your example is bad coding, for a simple security system try using SHA-512 (with keystretching, ignore this if they dont know how to correctly implement keystretching)
It is not my example, I just evaluated a string in it (if by "you" you meant me). Please tell me, what exactly you intend with "a boolean TRUE, or integer 0".
that comment was not intended as comment on your comment but as a comment on my answer. and yes you are right with your first comment on my answer, however on the size of fail in the given example (from David) it would be wise to note the fact of loose comparison vs strict comparison for his "intranet-developers"
0

No, with string comparison there is no danger of injection. But the "security" system is obviously to be rewritten.

Improve this answer

1 Comment

Yes, I understand that. I just never trust any user data, it's a lesson that I learned early on. I have an object with lots of miscellaneous string stripping functions, and I always use those on ANY user input, so seeing someone else using unfiltered user input right there, in a simple conditional, in that particular manner, was just disturbing. I just wanted to have a clear conscience if I leave it there.
0

it's secure, the password is only passed to the conditional if-else, not included to the Query. it will be in danger if you do this

mysql_query("SELECT user_id FROM table WHERE password='".$_POST['password']."'");
Improve this answer

1 Comment

this example is not safe, its not a strict comparison! see my post
0

Like people have said, there is no scope for SQL injection in here because there is no SQL in this code. For passwords, the one way I did sometime ago was to convert into an md5 hash by using md5() function before storing in the DB, and then during login convert the password to md5 and compare the two hashes. May be not the best way, but certainly more secure than this one.

Improve this answer

Comments

0

It is ok, since it's a string comparison. But generally, its just terrible.

<?php
if($database_password == true){ 
    echo "ACCESS";
}else{
   //access denied
}

Returns true.

Use the === operator to improve that code.

if("rd" === true){ 
    echo 3;
}else{
   //access denied
}

This would be false.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.