
Is this PHP login technique safe considering SQL injection?

Developer https://www.devze.com 2023-03-28 21:58 Source: web
I am investigating a site that was written long ago by some PHP developer, and I'd like to know if the login technique he used was safe or not.

Here is the way he did it:

<?php
// Register_globals-era code as posted: $logout, $s_id, $ipaddr and $datum
// arrive as globals, and $HTTP_POST_VARS is the pre-PHP-5.4 name of $_POST.
$username='';
// escapeshellcmd() is the only processing applied to the submitted credentials.
$username = escapeshellcmd($HTTP_POST_VARS['user']);
$pwd = escapeshellcmd($HTTP_POST_VARS['pw']);

$loginerror=false;

if ($logout=="1")
{
  closesession($s_id);
  $username='';
  $logged=false;
}

$logged=checksession(session_id(), $ipaddr);

if ((!$logged) && ($username!=''))
{
        //$username = escapeshellcmd($HTTP_POST_VARS['felhasznalo']);
        //$pwd = escapeshellcmd($HTTP_POST_VARS['jelszo']);
        if (checkuser($username, $pwd, DOM))
            {
            if (sessionstore(session_id(), $username, $pwd, $ipaddr, $datum, DOM))
                {
                $logged=true;
                }
            }
        else
            {
            $loginerror=true;
            }
}
if ($logged)
    {
    $username=getsessionuser(session_id());
    $remember=getremember($username, DOM);
    }
?>

<?php
// checkuser() as posted: $u and $d are concatenated straight into the SQL text.
function checkuser($u, $p, $d )
{
$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"';
$eredm_ell= mysql_query($sql_ell);   // mysql_* extension (removed in PHP 7)
if ($eredm_ell)
    {
    $domainnumrows=mysql_num_rows($eredm_ell);
    if ($domainnumrows==1)
        {
        $egy_sor = mysql_fetch_row( $eredm_ell );
        $pwd_in_table=$egy_sor[0];
        // stored value is loosely (==) compared with an unsalted md5 of username.password
        if ($pwd_in_table==md5($u.$p))
            {
            return true;
            }
        } // rows
    } // ered
return false;
} // func

Is this safe?


If I see correctly, the only check done on username is escapeshellcmd. That is NOT enough. Again, if I see correctly, it gets put into this query:

$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"'

where you can do all sorts of nasties.

So no, it's not safe.

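To make the answer's point concrete, here is an added example (not code from the original post or from the site under investigation) that rebuilds the SQL string the posted checkuser() would run, after escapeshellcmd(), for a few constructed usernames, and then a prepared-statement replacement. DOMAIN_NAME, buildLegacyQuery(), checkuserSafe(), the $db mysqli connection and a PWD column holding password_hash() output are assumptions made for the example.

```php
<?php
// Added example, not code from the original post or site. Rebuilds the SQL
// string the posted checkuser() runs, after escapeshellcmd(), for a few
// constructed usernames; then a prepared-statement replacement.
// DOMAIN_NAME, checkuserSafe() and the $db mysqli connection are assumptions.

const DOMAIN_NAME = 'example';   // stand-in for the page's DOM constant

// Same concatenation as the posted checkuser(), same escapeshellcmd() step.
function buildLegacyQuery(string $user, string $domain): string
{
    $u = escapeshellcmd($user);   // the only processing the old code applies
    return 'SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="' . $u
         . '" AND DOMAIN="' . $domain . '"';
}

// Constructed inputs for the demonstration (not from any real login attempt).
$inputs = [
    'alice',

    // One double quote: escapeshellcmd() cannot pair it, so it becomes \" and
    // MySQL (default sql_mode) reads \" inside a "..." string as a literal
    // quote. This particular payload does not break out. That is luck, not a
    // defence: the function was written for shells, not for SQL.
    '" OR 1=1 -- ',

    // Two double quotes count as "paired" and are left alone. The first one
    // closes the USERNAME string, 1=1 becomes part of the WHERE clause, and
    // "-- " comments out the rest of the statement, second quote included.
    '" OR 1=1 LIMIT 1 -- "',

    // Four quotes, all paired, all untouched. The UNION decides what comes
    // back in the PWD column instead of the stored hash.
    '" AND 0 UNION SELECT "chosen" -- "',
];

foreach ($inputs as $in) {
    echo 'input : ' . $in . "\n";
    echo 'query : ' . buildLegacyQuery($in, DOMAIN_NAME) . "\n\n";
}

// Hardened replacement for the posted checkuser(): username and domain are
// bound as parameters, so they can never change the statement, and
// password_verify() replaces the unsalted md5($u.$p) comparison. Assumes a
// mysqli connection and a PWD column that stores password_hash() output
// (migration of the existing md5 values is not shown).
function checkuserSafe(mysqli $db, string $u, string $p, string $d): bool
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on SQL errors
    $stmt = $db->prepare(
        'SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME=? AND DOMAIN=?'
    );
    $stmt->bind_param('ss', $u, $d);
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);   // keeps the old "exactly one row" rule
    $hash = '';
    if ($found) {
        $stmt->bind_result($hash);
        $stmt->fetch();
    }
    $stmt->close();
    return $found && password_verify($p, $hash);
}

// Example call (needs a live database, so it is only shown here):
// $db = new mysqli('localhost', 'app', 'secret', 'site');
// var_dump(checkuserSafe($db, $_POST['user'] ?? '', $_POST['pw'] ?? '', DOMAIN_NAME));
```

Run it with the php command-line binary; the first part needs no database. What the printed queries show is that escapeshellcmd() only backslash-escapes a quote it cannot pair with a later one, so any username with an even number of double quotes reaches MySQL exactly as typed, and whether the statement breaks is then decided by MySQL's lexer, not by any escaping. checkuserSafe() keeps the old "exactly one row" rule but leaves quoting to the driver. If user enumeration by response time matters, run password_verify() against a dummy hash when no row is found as well.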