| Author |
No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
If you use a script like this:
$user=md5($_POST['user']);
$pass=md5($_POST['pass']);
#sql="Select * from users where md5(user)='".$user."' and md5(pass)='".$pass." LIMIT 1';
It's pointless to use any other security measure, except maybe overflow testing. Encoding the input into md5 prevents any malicious characters from sneaking in.
Am I right?
Wisdom spared is wisdom squared.
Edited by ranma on 15-07-09 22:25 |
|
| Author |
RE: No point in addslashes etc |
ynori7
Future Emperor of Earth

Posts: 1481
Location: #valhalla
Joined: 08.10.07 Rank: Diabolical |
|
Never mind, I misread.
Edited by ynori7 on 15-07-09 21:58 |
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
I'm not sure what you wrote, but I encode into md5 before putting into query, so it should be fine.
Am I right?
|
|
| Author |
RE: No point in addslashes etc |
ynori7
Future Emperor of Earth

Posts: 1481
Location: #valhalla
Joined: 08.10.07 Rank: Diabolical |
|
Likely. Why don't you try it and see? That's the best way to find out.
|
|
| Author |
RE: No point in addslashes etc |
spyware
Member

Posts: 4190
Location: The Netherlands
Joined: 14.04.07 Rank: God Warn Level: 90
|
|
Don't use md5, salted or not salted. Too many collisions.

"The chowner of property." - Zeph Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term. - Carl Sagan Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert |
|
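An added example, not code from the thread, on the password-storage side of the argument. The practical problem with storing md5($pass) is not collisions but speed and the lack of a salt: one hash per guess, and the same lookup table cracks every account at once. The block below, in Python (standing in for the thread's PHP), runs a dictionary attack against unsalted MD5 and then stores the same password with a per-user salt and a deliberately slow PBKDF2 derivation. The wordlist, the round count and the `algo$rounds$salt$hash` storage format are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist; a real attacker uses millions of entries and a GPU.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "correct horse"]

PBKDF2_ROUNDS = 100_000  # assumed value; tune so one verification costs tens of ms


def md5_store(pw):
    """What md5($pass) in the thread stores: fast, unsalted, identical for equal passwords."""
    return hashlib.md5(pw.encode("utf-8")).hexdigest()


def crack_md5(stored_digest, wordlist):
    """Dictionary attack on one unsalted MD5: one cheap hash per guess."""
    for guess in wordlist:
        if md5_store(guess) == stored_digest:
            return guess
    return None


def crack_md5_table(stored_digests, wordlist):
    """Precompute once, look up many: without a salt the same table serves
    every account in the database, which is why unsalted hashes fall together."""
    table = {md5_store(w): w for w in wordlist}
    return {d: table.get(d) for d in stored_digests}


def pbkdf2_store(pw, salt=None):
    """Salted, deliberately slow hash. Assumed format: algo$rounds$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5 cracked:", crack_md5(md5_store("hunter2"), WORDLIST))
    print("table:", crack_md5_table([md5_store("qwerty"), md5_store("Tr0ub4dor&3")], WORDLIST))
    stored = pbkdf2_store("hunter2")
    print("stored:", stored)
    print("verify ok:", pbkdf2_verify("hunter2", stored), "wrong:", pbkdf2_verify("hunter3", stored))
```

Two stores of the same password produce different strings because each gets its own salt, so a precomputed table is useless, and the round count makes every guess cost as much as a real login. Checking for "collisions at user creation" does nothing against this attack: the attacker is not looking for a second preimage, just for the password.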
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
|
ynori7 wrote:
Likely. Why don't you try it and see? That's the best way to find out.
That I will. However, I am not as experienced at sql injection as some other people on here.
Also, another question:
Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db? Or would it increase the volume of the db too much (5 to 6 times as much)?
Edited by ranma on 15-07-09 22:24 |
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
About collisions: You could check for collisions at time of user creation.
About seeing plaintext, I agree, let me mod the code a bit:
$sql="SELECT * from users where md5(user)='".$user."' and md5(pass)='".$pass."' LIMIT 1;";
|
|
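An added example, not code from the thread, that runs the three variants under discussion against a small database so the claim can be tested rather than argued. It is Python with an in-memory SQLite database standing in for PHP and MySQL; an `md5()` SQL function is registered so the corrected `WHERE md5(user)=... AND md5(pass)=...` query above runs as written. The table contents and the payload are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the thread's `users` table (assumed columns: id, user, pass).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

PAYLOAD = "' OR 1=1--"  # the tautology-plus-comment quoted later in the thread


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the thread's query runs unchanged.
    conn.create_function(
        "md5", 1, lambda s: hashlib.md5(str(s).encode("utf-8")).hexdigest()
    )
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users (user, pass) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    """The form the thread is arguing about: raw input glued into the SQL text."""
    sql = f"SELECT id FROM users WHERE user='{user}' AND pass='{pw}' LIMIT 1"
    return conn.execute(sql).fetchone()


def login_md5_concat(conn, user, pw):
    """ranma's proposal: hash first, then concatenate.

    This holds only because hexdigest() is guaranteed to be [0-9a-f]{32}.
    The raw digest() contains arbitrary bytes, 0x27 (the quote) included,
    and would reintroduce the problem; the defence is the output alphabet,
    not the hashing.
    """
    u = hashlib.md5(user.encode("utf-8")).hexdigest()
    p = hashlib.md5(pw.encode("utf-8")).hexdigest()
    sql = f"SELECT id FROM users WHERE md5(user)='{u}' AND md5(pass)='{p}' LIMIT 1"
    return conn.execute(sql).fetchone()


def login_param(conn, user, pw):
    """Parameterised query: the driver never lets data become SQL, nothing to escape."""
    sql = "SELECT id FROM users WHERE user=? AND pass=? LIMIT 1"
    return conn.execute(sql, (user, pw)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concat :", login_concat(db, PAYLOAD, "x"))         # a row: injected
    print("md5    :", login_md5_concat(db, PAYLOAD, "x"))     # None: hex only
    print("param  :", login_param(db, PAYLOAD, "x"))          # None
    print("md5 bob:", login_md5_concat(db, "bob", "hunter2"))  # bob's row
```

The hashed variant does block the payload, for the reason given in the comment, but it buys that at a price: wrapping the column in `md5(user)` means the database hashes every row on every login instead of using an index, and the `pass` column still holds plaintext. The parameterised form blocks the same payload with no such trade-off, which is why it, and not escaping or hashing, is the standard answer.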
| Author |
RE: No point in addslashes etc |
ynori7
Future Emperor of Earth

Posts: 1481
Location: #valhalla
Joined: 08.10.07 Rank: Diabolical |
|
|
ranma wrote:
Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db?
Why? How is that easier than the alternative? You still have to sanitize the posts anyway since they get printed to the screen.
|
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
Ok, how about you do strip tags and then you do hex encode?
|
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
MoshBat wrote:
ranma wrote:
That I will. However, I am not as experienced at sql injection as some other people on here.
Also, another question:
Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db? Or would it increase the volume of the db too much (5 to 6 times as much)?
You're overcomplicating the most simple of things.
" or 1=1--
' or 1=1--
See, I can write those things, and the database is just fine.
I wonder how that's done...
Think!
I can do that easily, but some websites are immune to that but are vulnerable to others.
And my question stands. Could the md5 method be effectively used?
|
|
| Author |
RE: No point in addslashes etc |
ynori7
Future Emperor of Earth

Posts: 1481
Location: #valhalla
Joined: 08.10.07 Rank: Diabolical |
|
|
ranma wrote:
Ok, how about you do strip tags and then you do hex encode?
You're not thinking. Why would you waste the server's processor power to hex encode every post? What's the gain?
|
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
|
1)
You're not thinking. Why would you waste the server's processor power to hex encode every post? What's the gain?
That's why I was asking.
2) Convert all applicable characters to HTML entities - Applicable doesn't mean ALL. Plus, look at the comments underneath. Some characters are wrongly encoded.
|
|
| Author |
RE: No point in addslashes etc |
S1L3NTKn1GhT
Member

Posts: 468
Location: XXXX
Joined: 03.06.06 Rank: God Warn Level: 10
|
|
Sounds like overcomplicating a simple topic.
root@wtf.org#su - dumbass

Dude you're AWESOME!
-SystemMeltdown(MSN)
|
|
| Author |
RE: No point in addslashes etc |
S1L3NTKn1GhT
Member

Posts: 468
Location: XXXX
Joined: 03.06.06 Rank: God Warn Level: 10
|
|
MoshBat wrote:
S1L3NTKn1GhT wrote:
Sounds like overcomplicating a simple topic.
I've already said that.
stfu. If I say something that you said, I sound smart. Now sshhhh.
|
|
| Author |
RE: No point in addslashes etc |
SySTeM
-=[TheOutlaw]=-
Posts: 1524
Location: England, UK
Joined: 27.07.05 Rank: The Overlord |
|
MoshBat wrote:
Okay. I'll just mock up some code for you...
$user = addslashes(mysql_real_escape_string($_POST['user']));
$pass = md5($_POST['pass']);
$qwerty = mysql_query("SELECT * FROM users WHERE user = '$user' AND pass = '$pass'");
//next bit.
No point using mysql_real_escape_string AND addslashes, use one or the other (preferably mysql_real_escape_string)
|
|
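An added example, not code from the thread, on the limit shared by addslashes() and mysql_real_escape_string(): both only make sense inside a quoted string literal. The block below is Python with SQLite standing in for PHP and MySQL; its `escape_sql_string()` is a stand-in for those functions (SQLite doubles a quote rather than backslashing it, and MySQL accepts that form too). It shows the escaper doing its job in a quoted `title='...'` comparison and doing nothing at all in an unquoted `id=...` comparison, where the payload has no quote to escape. The `posts` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed posts table standing in for the forum's post storage.
SAMPLE_POSTS = [("first", "hello"), ("second", "it's me"), ("third", "bye")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def escape_sql_string(s):
    """Stand-in for mysql_real_escape_string()/addslashes(): stop a quote from
    ending the string literal early. SQLite's form is to double the quote."""
    return str(s).replace("'", "''")


def find_by_title(conn, title):
    """Quoted string context: escaping does what it promises."""
    sql = f"SELECT id FROM posts WHERE title='{escape_sql_string(title)}'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, post_id):
    """Unquoted numeric context: `1 OR 1=1` contains no quote, the escaper
    passes it through untouched, and the WHERE clause is effectively gone."""
    sql = f"SELECT id FROM posts WHERE id={escape_sql_string(post_id)}"
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, post_id):
    """Bound parameter: the value stays data whatever the column type."""
    return conn.execute("SELECT id FROM posts WHERE id=?", (post_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("title, escaped :", find_by_title(db, "' OR 1=1--"))      # []
    print("id, escaped    :", find_by_id_escaped(db, "1 OR 1=1"))   # every row
    print("id, parameter  :", find_by_id_param(db, "1 OR 1=1"))     # []
```

Escaping is a property of one string in one syntactic position; it has to be applied correctly at every interpolation point, and a single unquoted one undoes it. A bound parameter is a property of the query, which is the reason to prefer prepared statements over either escaping function rather than stacking the two.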
| Author |
RE: No point in addslashes etc |
spyware
Member

Posts: 4190
Location: The Netherlands
Joined: 14.04.07 Rank: God Warn Level: 90
|
|
|
MoshBat wrote:
There are holes in both. I like to be safe.
-_-
|
|
| Author |
RE: No point in addslashes etc |
ranma
Member

Posts: 269
Location: Behind a sphere
Joined: 27.08.05 Rank: HBH Guru |
|
That's why I just use md5. Is it way more resource-intensive?
|
|
| Author |
RE: No point in addslashes etc |
pimpim
Member

Posts: 45
Location: Reading your /etc/shadow
Joined: 26.10.08 Rank: HBH Guru |
|
|
ranma wrote:
That's why I just use md5. Is it way more resource-intensive?
Yes it is. The algorithm looks like this.
Just use mysql_real_escape_string() and you'll be fine. I don't see any reason not to use the standard function(s) created to prevent SQL-injections.
 |
|
| Author |
RE: No point in addslashes etc |
S1L3NTKn1GhT
Member

Posts: 468
Location: XXXX
Joined: 03.06.06 Rank: God Warn Level: 10
|
|
spyware wrote:
MoshBat wrote:
There are holes in both. I like to be safe.
-_-
personally that made me laugh. 
|
|