-
October 28th, 2008, 06:25 AM
#1
MD5 Securing SQL Injections
So I was perusing Google looking for PHP/MySQL anti-SQL injection scripts/tutorials and I came across a script where the author showed a script that would be "insanely secure". One of the things that he did was MD5 the uname and pword. That was all he did as far as filtering for user input.
The first comment, which sparked a large discussion, was that it was open to SQL injections. There was a lot of arguing as to whether or not it was free from SQL injections, but no one ever really concreted their case, since no one would test it.
I haven't had a chance to set up anything to test this, but does anyone know from experience whether or not using the MD5 PHP function can stop a SQL injection? I am aware that MD5 is deprecated and not as secure as it once was; I have been able to google a few hashes myself and get the actual plain text, but I am still wondering if it would stop SQL injections.
Thanks,
Slart
-
October 28th, 2008, 04:08 PM
#2
In short, no it won't.
Somewhat longer version: input validation! Don't trust anything a client sends you.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 29th, 2008, 01:34 AM
#3
Yup, that's the number one rule :-)
-
October 29th, 2008, 03:26 PM
#4
That is what the author was saying, that by using MD5() on the username and password, that it was doing the filtering, which is why there could be no SQL injection. Which is what started the argument.
But is that a valid way to filter? I don't know if it sounds kosher to me, but it seems that encrypting the username and password fields would actually work, I don't know. He didn't use any other kind of filtering.
Last edited by Slartarama; October 29th, 2008 at 05:47 PM.
Reason: Spelling error
-
October 29th, 2008, 03:35 PM
#5
A linky to the original article might be useful. As he might have a point but without knowing what else is inputted there's no way to tell if it's enough.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 29th, 2008, 04:07 PM
#6
Originally Posted by Slartarama
That is what the author was saying, that by using MD5() on the username and password, that it was doing the filtering, which is why there could be no SQL injection.
Wrong.
I don't know if it sounds kosher to me, but it seems that encrypting the username and password fields would actually work, I don't know.
Unless you add your own salt...
All it's going to do is slow people down from one defacement per thirty seconds to one defacement every thirty minutes. At that point, either way you've got little pink kittens dancing on your homepage.
-
October 29th, 2008, 05:46 PM
#7
Yeah, sorry, I should have posted the link originally. Here it is:
http://insanesecurity.wordpress.com/...-login-script/
-
October 29th, 2008, 08:55 PM
#8
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
October 30th, 2008, 01:26 AM
#9
Last edited by t34b4g5; October 30th, 2008 at 01:28 AM.
-
October 30th, 2008, 07:06 AM
#10
Okay, please forgive me, I read the SQL injection post and I am still lost. After reading this guy's script, I agreed with the first response that this is still open to SQL injection, but I don't exactly follow why.
Something is just not right; a lot of people in that post think that the MD5() of the username makes it safe. I wrote a few PHP logins in my time, but that was years ago. I always used the filtering functions to filter user input and MD5 for the passwords. I'm sure if I looked back they would be out of date or, heaven forfend, I might have sites out there that are not really secure. I'm a rank amateur and I am very rusty.
So I know that MD5() (as dated as it is) encrypts the input in this case, but what exactly makes it open to injection? I have a feeling that it is wide open, especially judging from the original author's "teenage ranting", and the first response is from someone that seems to know what is going on, but well, it just seems off, so can someone explain it to me? I see that it would make an MD5 hash out of the injection if inputted, but would SQL see it as an MD5 hash or as "'OR 1=1-- " even though it is encrypted? Anyway, that's where I am lost.
Thanks
Slart
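Added example, not part of the thread or of the linked script (which this page does not show): it runs the "would SQL see the hash or the quote?" question from post #10 against three ways of building the login query. Assumptions: Python's hashlib stands in for PHP md5(), an in-memory SQLite database with a registered MD5() function stands in for MySQL, and the table, column names, user and input strings are constructed.

```python
import hashlib
import sqlite3

def md5_hex(text):
    """Stand-in for PHP md5(): output is always 32 characters from 0-9a-f."""
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so a query can call it as MySQL would.
    db.create_function("MD5", 1, md5_hex)
    db.execute("CREATE TABLE users (uname_md5 TEXT, pword_md5 TEXT)")  # constructed schema
    db.execute("INSERT INTO users VALUES (?, ?)",
               (md5_hex("alice"), md5_hex("s3cret")))  # constructed account
    return db

def login_hash_in_app(db, uname, pword):
    # Hash first, then concatenate: only hex digits reach the SQL text, so
    # these two values cannot close the quoted literal. Any other field that
    # is concatenated without hashing is unaffected by this.
    sql = ("SELECT COUNT(*) FROM users WHERE uname_md5 = '%s' AND pword_md5 = '%s'"
           % (md5_hex(uname), md5_hex(pword)))
    return db.execute(sql).fetchone()[0] > 0

def login_hash_in_sql(db, uname, pword):
    # Raw input concatenated inside MD5('...'): the database parses the input
    # before any hashing happens, so a quote in it still ends the literal.
    sql = ("SELECT COUNT(*) FROM users WHERE uname_md5 = MD5('%s') AND pword_md5 = MD5('%s')"
           % (uname, pword))
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, uname, pword):
    # Bound parameters: input is never part of the SQL text, hashed or not.
    sql = "SELECT COUNT(*) FROM users WHERE uname_md5 = ? AND pword_md5 = ?"
    return db.execute(sql, (md5_hex(uname), md5_hex(pword))).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    quoted = "' OR 1=1-- "   # the string quoted in post #10
    closing = "') OR 1=1-- " # same string, also closing the MD5( call
    print("hash in app, quoted input :", login_hash_in_app(db, quoted, "x"))
    print("hash in SQL, closing input:", login_hash_in_sql(db, closing, "x"))
    print("parameterized, closing    :", login_parameterized(db, closing, "x"))
```

Whether hashing protects those two fields therefore depends on where the hash is computed, which is why bound parameters are the dependable fix rather than MD5 used as a filter.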