Use "anti_injection" in a MD5 password

Asked

Viewed 1,019 times

-2

I am studying a little more in depth the PHP and in question of security in PHP I have used the standard anti_injection found on the internet and used by many

function anti_injection($sql){
$sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "" ,$sql); // remove palavras que contenham sintaxe sql
$sql = trim($sql); // limpa espaços vazios
$sql = strip_tags($sql); // tira tags html e php
$sql = addslashes($sql); //  adiciona barras invertidas a um string
return $sql;

}

But when doing some tests in login system, I used an anti_injection in the password and then I converted it to MD5 to check the database, my password registered in the database was not giving me access to the system, when I thought of something: my password had * (asterisk) and in preg_replace() the anti_injection removes the asterisks

My question is: need to put anti_injection in a password, and it will pass MD5 before being compared in the query

    $senha = $_POST['senha'];
    $senha_md5 = md5($senha);

    $query = "SELECT * FROM usuarios WHERE login = '$usuario' AND senha = '$senha_md5' AND status = '1'";

You should use anti_injection but remove * (asterisk) from preg_replace or do not need to use anti_injection??

  • 5

    It is the second time I see this "anti Injection" here on the site. This code has no foot or head, and I remember that even in the original post, it has more criticism than anything. Even, at the time, the author himself commented that he did not know exactly what he was doing. Suggestion: delete this. PS: the mysqli extension already has its own function for this, is the mysqli_real_escape_string, or better than that, you can make a query prepared, and pass the values by bind. Update: I found a third mention here: http://answall.com/questions/74081/

  • So Bacco I studied the function and understood it yes, all the treatment made in it has sense: CLEAR THE EMPTY SPACES, REMOVE SQL COMMANDS, REMOVE HTML AND PHP TAGS AND FINALLY BACKSLASH If the person places inappropriate items that characterize SQL Injection will not login and will not succeed! The big detail for me would be the asterisk, but the MD5 would be no problem :)

  • 5

    There is no sense in it. It is no problem for you to have SQL commands in a string, as long as it is properly escaped. Banning certain texts is a completely senseless solution. I won’t insist too much, but I hope that in time you will understand that this is beyond unnecessary, sooner or later will cause problems.

2 answers

2


Following guy, as you are converting to md5 only this would already prevent the attack of sqlinjection, however the recommended is to use Prepared statements of PDO.

You’d have to treat the user in every way, and then you’d have problems with that.

Using the PDO would look something like this:

$query = "SELECT * FROM tabela WHERE username = ? and password = ?";
$stmt = $pdo->prepare($query);

$username = $_POST["username"];
$password = md5($_POST["password"]);

$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);

$ok = $stmt->execute();
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

Take a look at the PDO documentation: http://php.net/manual/en/class.pdo.php

It’s worth taking a look at.

  • I’ll take a look at the PDO then, I need... But until I solve this, I can use anti_injection in the login and password to keep only MD5 that already gives me a basic security?

  • 1

    Yes. When it passes the md5 function it will turn a string into md5.. this makes it impossible to add ' (quotes) or any other command to the string when hitting SQL. I believe :D

2

There is no need to convert or remove anything unless your business rule requires you to create a password with limitations. This, personally I find horrible because the more complex the password, the better. With this, I would only be discouraging the user to create safe passwords.

But anyway, that depends on your business model. Suddenly it can be a simple system where you will only allow alphanumeric passwords, or only numerical ones, anyway. But I don’t think that’s your case.

Returning to the subject, if the string will be compared as a hash, simply pass the string already converted to hash in the SQL query.

Let’s see in practice:

$senha = "'; delete from users; --"; // aqui temos uma injeção sql bem grosseira.
$query = "SELECT campo FROM tabela WHERE senha = '".$senha."'";

This will produce a query with an SQL injection:

SELECT campo FROM tabela WHERE senha = ''; delete from users; --'

Simple and logical way to solve

For your specific case, as I mentioned in the first sentence of this reply, no need to filter SQL injection.

An MD5 hash does not contain characters that could compromise the query with injections.

I’ll show you the reason with a simple example:

$senha = "'; delete from users; --"; // aqui temos uma injeção sql bem grosseira.
$query = "SELECT campo FROM tabela WHERE senha = '".md5($senha)."'";

The query produced will be:

SELECT campo FROM tabela WHERE senha = '9dc8014996ca2a4a67e2448a6c9821e0';

Simple as that. In the hash there is nothing to be filtered against SQL Injection.

Can see where there is something that could compromise an SQL query in this string 9dc8014996ca2a4a67e2448a6c9821e0?

Let’s evaluate the function you posted in the question:

function anti_injection($sql){
$sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "" ,$sql); // remove palavras que contenham sintaxe sql
$sql = trim($sql); // limpa espaços vazios
$sql = strip_tags($sql); // tira tags html e php
$sql = addslashes($sql); //  adiciona barras invertidas a um string
return $sql;

Translating:

It is not allowed to use the words from, select, Insert, delete, wherem, drop table, show Tables.

Using the characters is not allowed \, --, *, #.

No spaces allowed at start or end.

Using HTML, CSS, Javascript tags is not allowed

Finally, make an escape in quotes (double or single)

All these processes are unnecessary and meaningless.

The only useful process would be the addslashes(), however, I recommend that you read this link: addslashes is the basics for security?

Also read this: Using addslashes against SQL injection is safe?

Browser other questions tagged

You are not signed in. Login or sign up in order to post.