Reply to Re: Is this a security issue

Posted by Ignoramus20689 on 08/22/06 21:34

On Tue, 22 Aug 2006 08:50:44 -0700, Bill Karwin <bill@karwin.com> wrote:
> Ignoramus20689 wrote:
>> I am not a PHP expert (I do mod_perl), but it would seem that this
>> code is likely to be a good candidate for an SQL injection attack.
>
> Possibly, unless $username and $password have been filtered already
> using mysql_real_escape_string
> (http://www.php.net/manual/en/function.mysql-real-escape-string.php) or
> something like it. We don't see the code (presumably in include.php3)
> that gets these values.
>
> I'd also be worried because it looks like they are storing passwords in
> clear text. They should store a hash of the password and compare the
> hash of what the user enters to what's stored in the database.

Also true. Possibly useful for "I lost my password" situations, though
there are better ways to handle that.

> Also, are they forcing this page to connect via HTTPS? Otherwise,
> passwords are being sent over the net in clear text.

That is in fact true: the protocol is http://, not https://.

> To say nothing of the fact that they have allowed PHP code to be
> returned to the browser.

That, I think, is just some stupid misconfiguration. The other two
issues are those of design.

I hope that my post is not misinterpreted as an attack on PHP, as the
same mistakes are made with Perl as well. (Though use of pre-prepared
statements could help in the case of Perl, dumb programmers would not
be likely to use that feature.)

I am not sure if I should bother writing to them. It is an auction
house doing industrial liquidations.

i
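The two design fixes Bill Karwin's reply calls for (query input bound as a parameter rather than pasted into the SQL string, and a password hash stored instead of the clear-text password), as an added example that is not code from the thread. It assumes PDO over an in-memory SQLite database and PHP's password_hash()/password_verify(); the table, user and inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. The pattern the thread warns about is
// building the query from raw request values, roughly:
//   "SELECT * FROM users WHERE username='$username' AND password='$password'"
// Below, the username is a bound parameter and only a hash is ever stored.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Registration: store the output of password_hash(), never the password.
function addUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login: look the user up by a bound parameter (quotes in the input are data,
// not SQL), then compare against the stored hash with password_verify().
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    return password_verify($password, $row['pw_hash']);
}

// Constructed test user.
addUser($db, 'alice', 'correct horse battery');

echo "correct password: ", checkLogin($db, 'alice', 'correct horse battery') ? "ok" : "denied", "\n";
echo "wrong password:   ", checkLogin($db, 'alice', 'guess') ? "ok" : "denied", "\n";
// A username containing quote characters is simply a user that does not exist.
echo "quoted username:  ", checkLogin($db, "' OR '1'='1", 'anything') ? "ok" : "denied", "\n";
```

Because only the username reaches the database, and as a bound value, the password never appears in SQL at all; a password reset then has to issue a new credential rather than mail back the old one, which is the trade-off the post alludes to.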
