On Linux, there is a prog named pam_mysql for authentication, but I have a concern regarding "clean" input. I made the queries get inserted into my log, and the query has strange characters in it:
ÀO^M^Hðß^RBassword FROM mailbox WHERE username='connect'
and
\220Ï^N^HÀu^N^H
There are also times when the query is empty, which seems impossible.
These are obviously attempts to break in, or viruses, but the special characters getting into the query concern me. The code utilizes mysql_escape_string on the input name, and I don't think it is doing everything needed... Here is the code excerpt:
Code:
    escapeUser = malloc(sizeof(char) * (strlen(user) * 2) + 1);
    if (escapeUser == NULL) {
        syslog(LOG_ERR, "%s", "pam_mysql: Insufficient memory to allocate user escape string");
        return PAM_BUF_ERR;
    }
#ifdef HAVE_MYSQL_REAL_ESCAPE_STRING
    mysql_real_escape_string(auth_sql_server, escapeUser, user, strlen(user));
#else
    mysql_escape_string(escapeUser, user, strlen(user));
#endif
    querysize = strlen("select from where ='' and ='' and ()") +
                strlen(options.passwdcolumn) +
                strlen(options.table) +
                strlen(options.usercolumn) +
                strlen(escapeUser) +
                strlen(options.where);
    sql = malloc(sizeof(char) * querysize);
    if (sql == NULL)
        return PAM_BUF_ERR;
    snprintf(sql, querysize, "SELECT %s FROM %s WHERE %s='%s'",
             options.passwdcolumn, options.table,
             options.usercolumn, escapeUser);
    /* escapeUser is no longer needed */
    free(escapeUser);
    if (strlen(options.where) > 0) {
        strncat(sql, " AND (", (querysize - strlen(sql)));
        strncat(sql, options.where, (querysize - strlen(sql)));
        strncat(sql, ")", (querysize - strlen(sql)));
    }
    mysql_query(auth_sql_server, sql);
    free(sql);
    result = mysql_store_result(auth_sql_server);
    if (result == NULL) {
        syslog(LOG_ERR, "%s", mysql_error(auth_sql_server));
        mysql_free_result(result);
        return PAM_AUTH_ERR;
    }
    if (mysql_num_rows(result) != 1) {
        syslog(LOG_ERR, "%s", "pam_mysql: select returned more than one result");
        syslog(LOG_ERR, "pam_mysql: %s", sql);
        mysql_free_result(result);
        return PAM_AUTH_ERR;
    }
Is there a good way to strip out unwanted characters? The usernames should only contain characters allowed in an email address (I use pam_mysql for email user auth).
This could also be a security issue because the query is supposed to read:
SELECT password FROM mailbox WHERE username='connect'
Sorry for any terminology, I am a VB/Perl/PHP programmer mostly, I don't do much C.
Thanks for any help...
Brian
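Added example, not part of the original post and not pam_mysql's own code: in the excerpt above, sql is passed to free() before the later syslog() call prints it, so the logged text is read from released memory, which is consistent with the overwritten leading bytes in the log lines. The sketch below copies the query to the log while it is still allocated and rejects user names outside an allowlist. The allowlist (ASCII letters, digits and . _ - + @), the 254-byte limit, the function names valid_mail_user, build_query and audit_query, and the out buffer standing in for syslog() are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define QFMT "SELECT %s FROM %s WHERE %s='%s'"

/* Assumed site policy: ASCII letters, digits and . _ - + @, 1..254 bytes. */
static int valid_mail_user(const char *user)
{
    size_t n = strlen(user);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || strchr("._-+@", c)))
            return 0;
    }
    return n >= 1 && n <= 254;
}

/* NULL means rejected name or no memory; real code still escapes user. */
static char *build_query(const char *col, const char *table,
                         const char *usercol, const char *user)
{
    if (!valid_mail_user(user))
        return NULL;
    int need = snprintf(NULL, 0, QFMT, col, table, usercol, user);
    char *sql = need < 0 ? NULL : malloc((size_t)need + 1);
    if (sql != NULL)
        snprintf(sql, (size_t)need + 1, QFMT, col, table, usercol, user);
    return sql;
}

/* out stands in for syslog(): copy the query first, free() it last. */
static int audit_query(const char *user, char *out, size_t outlen)
{
    char *sql = build_query("password", "mailbox", "username", user);
    if (sql == NULL) {
        snprintf(out, outlen, "pam_mysql: user name rejected");
        return -1;
    }
    snprintf(out, outlen, "pam_mysql: %s", sql);
    free(sql);
    return 0;
}

int main(void)
{
    char line[256];
    return audit_query("connect", line, sizeof line) || puts(line) == EOF;
}
```

In the module itself the same ordering applies: call syslog() with sql, or finish every use of it, before free(sql), and keep mysql_real_escape_string() on the name after the allowlist check.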