HellBound Hackers | Computer General | Increasing Security

Author

No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 21:53
If you use a script like this:

Code

$user=md5($_POST['user']);
$pass=md5($_POST['pass']);
$sql="Select * from users where md5(user)='".$user."' and md5(pass)='".$pass."' LIMIT 1";





It's pointless to use any other security measure maybe except overflow testing. Encoding the input into md5 prevents any malicious characters from sneaking in.

Am I right?


Wisdom spared is wisdom squared.

Edited by ranma on 15-07-09 22:25
Author

RE: No point in addslashes etc

ynori7
Member



Posts: 1486
Location: #valhalla
Joined: 08.10.07
Rank:
God
Posted on 15-07-09 21:56
Never mind, I misread.




Edited by ynori7 on 15-07-09 21:58
ynori7 http://halls-of-valhalla.org
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:02
I'm not sure what you wrote, but I encode into md5 before putting into query, so it should be fine.

Am I right?


Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc

ynori7
Member



Posts: 1486
Location: #valhalla
Joined: 08.10.07
Rank:
God
Posted on 15-07-09 22:12
Likely. Why don't you try it and see? That's the best way to find out.


ynori7 http://halls-of-valhalla.org
Author

RE: No point in addslashes etc

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 15-07-09 22:15
Don't use md5, salted or not salted. Too many collisions.



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
http://bitsofspy.net
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:17
ynori7 wrote:
Likely. Why don't you try it and see? That's the best way to find out.

That I will. However, I am not as experienced at sql injection as some other people on here.

Also, another question:

Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db? Or would it increase the volume of the db too much (5 to 6 times as much)?


Wisdom spared is wisdom squared.

Edited by ranma on 15-07-09 22:24
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:20
About collisions: You could check for collisions at time of user creation.

About seeing plaintext, I agree, let me mod the code a bit:

Code

$sql="SELECT * from users where md5(user)='".$user."' and md5(pass)='".$pass."' LIMIT 1;";






Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc

ynori7
Member



Posts: 1486
Location: #valhalla
Joined: 08.10.07
Rank:
God
Posted on 15-07-09 22:22
ranma wrote:
Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db?

Why? How is that easier than the alternative? You still have to sanitize the posts anyway since they get printed to the screen.


ynori7 http://halls-of-valhalla.org
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:26
Ok, how about you do strip tags and then you do hex encode?


Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:27
MoshBat wrote:
ranma wrote:
That I will. However, I am not as experienced at sql injection as some other people on here.

Also, another question:

Since this method cannot be used for storing forum posts (you want them not-md5 hashed), could you simply use hex encoding to store posts in a db? Or would it increase the volume of the db too much (5 to 6 times as much)?


You're overcomplicating the most simple of things.

" or 1=1--
' or 1=1--

See, I can write those things, and the database is just fine.
I wonder how that's done...
Think!


I can do that easily, but some websites are immune to that but are vulnerable to others.

And my question stands. Could the md5 method be effectively used?


Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc

ynori7
Member



Posts: 1486
Location: #valhalla
Joined: 08.10.07
Rank:
God
Posted on 15-07-09 22:28
ranma wrote:
Ok, how about you do strip tags and then you do hex encode?

You're not thinking. Why would you waste the server's processor power to hex encode every post? What's the gain?


ynori7 http://halls-of-valhalla.org
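
An added example, not code from any poster in this thread: storing a post through a bound parameter and escaping it only when it is printed, compared with hex-encoding it for storage. The in-memory SQLite table, the function names and the sample post are constructed for the demo.

```php
<?php
// Added example: constructed table and sample post, not the forum's own code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store the post exactly as typed; the bound parameter keeps it out of the SQL text.
function save_post(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:b)');
    $stmt->execute([':b' => $body]);
    return (int) $db->lastInsertId();
}

// Escape at output time, for the HTML context the post is printed into.
function render_post(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return ''; // no such post
    }
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample post containing a quote, markup and one of the strings quoted in the thread.
$raw = "It's <b>bold</b> and ' or 1=1--";
$id  = save_post($db, $raw);
echo render_post($db, $id), "\n";

// Hex-encoding for storage: two hex characters per byte, and decoding
// returns the original markup, so output escaping is needed either way.
$hex = bin2hex($raw);
printf("raw=%d bytes, hex=%d bytes\n", strlen($raw), strlen($hex));
var_dump(hex2bin($hex) === $raw);
```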
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 15-07-09 22:33
1)

You're not thinking. Why would you waste the server's processor power to hex encode every post? What's the gain?

That's why I was asking.

2) Convert all applicable characters to HTML entities - Applicable doesn't mean ALL. Plus, look at the comments underneath. Some characters are wrongly encoded.


Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-07-09 01:24
Sounds like overcomplicating a simple topic.


Author

RE: No point in addslashes etc


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-07-09 02:30
MoshBat wrote:
S1L3NTKn1GhT wrote:
Sounds like overcomplicating a simple topic.

I've already said that.


stfu. If I say something that you said I sound smart. Now sshhhh.


Author

RE: No point in addslashes etc

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 16-07-09 02:40
MoshBat wrote:
Okay. I'll just mock up some code for you...
Code
$user = addslashes(mysql_real_escape_string($_POST['user']));
$pass = md5($_POST['pass']);
$qwerty = mysql_query("SELECT * FROM users WHERE user = '$user' AND pass = '$pass'");
//next bit.





No point using mysql_real_escape_string AND addslashes, use one or the other (preferably mysql_real_escape_string)



http://www.elites0ft.com/
Author

RE: No point in addslashes etc

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 16-07-09 03:29
MoshBat wrote:
There are holes in both. I like to be safe.


-_-



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
http://bitsofspy.net
Author

RE: No point in addslashes etc

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 17-07-09 16:56
That's why I just use md5. Is it way more resource-intensive?


Wisdom spared is wisdom squared.
Author

RE: No point in addslashes etc

pimpim
Member



Posts: 45
Location: Reading your /etc/shadow
Joined: 26.10.08
Rank:
Newbie
Posted on 17-07-09 17:33
ranma wrote:
That's why I just use md5. Is it way more resource-intensive?

Yes it is. The algorithm looks like this.
Just use mysql_real_escape_string() and you'll be fine. I don't see any reason not to use the standard function(s) created to prevent SQL-injections.


sa.backman@hotmail.com
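
An added example, not code from any poster in this thread: the login check written with a PDO prepared statement and password_hash(), followed by a check of what md5() does to a quote-bearing input. Prepared statements and password_hash() are swapped-in techniques the thread does not mention; the in-memory SQLite table, column names and account are constructed for the demo.

```php
<?php
// Added example: constructed table and account, not the forum's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Registration: store a salted, slow hash instead of md5(pass).
function register(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare('INSERT INTO users (user, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login: the user name is bound as data, so quotes in it never reach the SQL parser,
// and the lookup can use the index on user (md5(user) = ... has to hash every row).
function login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE user = :u LIMIT 1');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched.
    return $hash !== false && password_verify($pass, $hash);
}

register($db, 'alice', 'correct horse');

// Constructed inputs: one valid login, then the string quoted in the thread
// supplied as user name and as password.
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, "' or 1=1--", 'x'));
var_dump(login($db, 'alice', "' or 1=1--"));

// The thread's approach for comparison: md5() output is always 32 lowercase hex
// characters, so it cannot close the quoted literal in the concatenated query.
// What it leaves in place is an unsalted, fast hash as the stored password.
$probe = md5("' or 1=1--");
var_dump(preg_match('/^[0-9a-f]{32}$/', $probe) === 1);
```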
Author

RE: No point in addslashes etc


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 17-07-09 18:10
spyware wrote:
MoshBat wrote:
There are holes in both. I like to be safe.


-_-


Personally, that made me laugh. Pfft