
% secure 2


ThomasJSmart

Programmer
Sep 16, 2002
Just thought I would mention it:

when making a login/password system, make sure you do something that stops a user from logging in with "%".

I've noticed that a lot of login/password tutorials don't mention this... and it can make a login/password site totally insecure.



I learned a bit yesterday, today i learned a lot, imagine what i'll learn tomorrow!
 
Depending on how slack the person doing the setup/site was, it's also possible to log in to places as root with no password too.

How hard is it to add this?

// strip the wildcard character from both fields before they reach the query
$username = str_replace('%', '', $username);
// don't md5() the password before this, or the '%' is already hashed away
$password = str_replace('%', '', $password);
if (empty($password)) {
    echo "No password entered!";
    exit;
}


______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 
I'm lost here. How does allowing '%' make a password-authenticated page or site insecure? I just tried it on my authentication script and it doesn't do anything. - - - And I'm not that smart when it came to making my authentication script. It was one of the first scripts I wrote and haven't updated it with my recent learning.

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
% means anything; it's like the wildcard *.

if your password system is like this:

SELECT * from logins WHERE password=$pass && login=$login


then this should return 1 row where the login and password are correct:
$login = "name"
$pass = "password"


however this will return any row:

$login = %
$pasw = %


this is like querying

SELECT * from logins WHERE password=anything && login=anything





I learned a bit yesterday, today i learned a lot, imagine what i'll learn tomorrow!
 
Another thing I've seen is that people sometimes use this as a solution:

if($pass=="%"){ don't continue }else{ continue }

Of course, if a user then typed %% as a password it would continue...


The insecure % thing doesn't just allow users access to a protected site: a user can do %a, %b, %c etc. to go through all the letters of the alphabet and thus see all the details of each account, as these are shown in the protected area...



I learned a bit yesterday, today i learned a lot, imagine what i'll learn tomorrow!
 
K9logic:
What database engine are you talking about?

In this query:

SELECT * from logins WHERE password=$pass && login=$login

"%" will not work as a wildcard in either position in MySQL. And to the best of my knowledge, neither is the character a wildcard in an equivalence comparison in PostgreSQL, SQL Server, or Oracle.

Only when using the LIKE operator in MySQL is "%" a wildcard. But if you wanted your query to be secure, you shouldn't have used LIKE in the first place.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
That's true, but it still happens :)

You wouldn't believe the amount of sites that are left open to intrusion with %.



I learned a bit yesterday, today i learned a lot, imagine what i'll learn tomorrow!
 
I'm using MySQL and I cannot bypass anything by entering %. I'm not using LIKE in my SQL. ...so I am puzzled how this is a problem. Could it be the version of MySQL? Did earlier versions allow this security hole?

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
I'm on 4.0.18 on XP, and I'm all OK. Can you tell us which site it fails on!!!!
 
It is not a flaw in MySQL. It is a logic flaw in some scripts which use the LIKE operator anywhere near passwords.

Since "%" only has any special meaning within the context of a LIKE operation, simply don't use LIKE. You shouldn't be using LIKE to check user credentials anyway -- do you want your user to provide exact credentials, or approximate credentials?

The very query K9logic posted is an example:

SELECT * from logins WHERE password=$pass && login=$login

For certain in MySQL and fairly surely in most other RDBMSs, "%" has no more meaning in the above query than "a" does.

The real security gotcha in the above query could more than likely be the missing quotes around the value for which the query is searching. That could lead to more security failures in more interesting ways than just "%".



Want the best answers? Ask the best questions!

TANSTAAFL!!
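Putting the two points of this thread together (the LIKE-with-% bypass ThomasJSmart describes above, and the missing quotes flagged in the post just above), here is an added example that is not from any post in the thread. It uses Python's sqlite3 module with a constructed three-row logins table. The two vulnerable queries mirror the thread's `password=$pass && login=$login`, with `&&` written as `AND` because SQLite does not accept `&&`; the inputs `%`, `%%`, `a%`... and `1 OR 1=1 --`, and the names `make_db`, `login_like`, `login_unquoted`, `login_safe` and `password_prefix_leak`, are my own choices for illustration.

```python
import sqlite3

# Constructed sample data, not from the thread: a tiny "logins" table.
USERS = [("admin", "s3cret"), ("alice", "apple"), ("bob", "banana")]


def make_db():
    """Build an in-memory SQLite database holding USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)", USERS)
    return conn


def login_like(conn, login, password):
    """Vulnerable variant 1: credentials matched with LIKE, so '%' (any run of
    characters) and '_' (any single character) act as wildcards. SQLite's
    default LIKE is also case-insensitive for ASCII, which is worse still."""
    sql = ("SELECT login FROM logins WHERE login LIKE '%s' AND password LIKE '%s'"
           % (login, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_unquoted(conn, login, password):
    """Vulnerable variant 2: equality, so '%' is just a character, but the
    values are pasted into the SQL with no quotes, as in the thread's query.
    Whatever the user types becomes part of the SQL statement."""
    sql = ("SELECT login FROM logins WHERE password = %s AND login = %s"
           % (password, login))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, login, password):
    """Fixed: exact equality with bound parameters. Wildcards, quotes and
    comment markers in the input are data, never SQL."""
    sql = "SELECT login FROM logins WHERE login = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (login, password)))


def password_prefix_leak(conn):
    """The '%a, %b, %c' walk from the thread, run against login_like: with the
    login fixed to '%', try each first character of the password and record
    which accounts answer. Returns {first_char: [logins]}."""
    leak = {}
    for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
        hits = login_like(conn, "%", ch + "%")
        if hits:
            leak[ch] = hits
    return leak


if __name__ == "__main__":
    db = make_db()
    print("LIKE, % / %:            ", login_like(db, "%", "%"))    # every account
    print("LIKE, % / %%:           ", login_like(db, "%", "%%"))   # the == '%' check does not help
    print("LIKE, password prefixes:", password_prefix_leak(db))    # first letter of every password
    print("unquoted, 1 OR 1=1 --:  ", login_unquoted(db, "admin", "1 OR 1=1 --"))
    print("safe, % / %:            ", login_safe(db, "%", "%"))    # []
    print("safe, real credentials: ", login_safe(db, "admin", "s3cret"))  # ['admin']
```

Note that `login_unquoted` fails even for an honest user, since `password = s3cret` is read as a column name, which is often how these quote-less queries get "fixed" by wrapping the value in quotes by hand instead of binding it; the bound-parameter version is the one to keep.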
 
Very useful tip. While I didn't use LIKE for my passwords anyway, it was something that I indeed didn't think of as possible... I guess I'll have to spend some more time now thinking on other possibilities I might have forgotten. Thank you.

--------------------------------------
It's not the monsters under your bed, it is the men next door.
That make you fear, make you cry. Make you cry for the Child.
All the wars are fought amongst those lonely men. Unharmed, unscarred.
 