
2 days ago, a hacker got into an Admin Account. He told us that login.php is vulnerable.

But I can't find out how as I escaped the inputs:

$salt      = '78sdjs86d2h';
// Both addslashes() and mysqli_real_escape_string() escape quotes and
// backslashes, so a value containing either is escaped twice before it
// is put into the query.
$username = mysqli_real_escape_string($DB_H, addslashes($_POST['username']));
$password = mysqli_real_escape_string($DB_H, addslashes($_POST['password']));
// The password is hashed after escaping, so the query only ever sees
// an upper-case hex digest for the Password column.
$hash1 = hash('sha256', $password . $salt);
$hash = strtoupper($hash1);

$check = mysqli_query($DB_H, "SELECT * FROM players WHERE Name='$username' && Password = '$hash'");

if(mysqli_num_rows($check) != 0) {
    // credentials matched: the rest of the login handling follows here
}
Panda
  • Looks fine to me, although you can improve it .. read the php docs, it will help you a lot – Bader Mar 20 '16 at 03:49
  • Maybe the hacker guessed the password? Or it's some other part of the code – Déjà vu Mar 20 '16 at 06:06
  • In addition to what YourCommonSense said, you should probably learn [how to safely store a password](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016). – Scott Arciszewski Mar 20 '16 at 13:49

4 Answers


Unless you are using some peculiar encoding, the code you posted, although it makes very little sense, is invulnerable to SQL injection. It will rather not let an honest user log in, but there is no way to hack it through SQL injection.

The vulnerability was of another kind, XSS for example.

Your Common Sense

It's better to use prepared statements to avoid SQL injection. For example, instead of

 $check = mysqli_query($DB_H, "SELECT * FROM players WHERE Name='$username' && Password = '$hash'");

use it like this

 $check = $DB_H->prepare("SELECT * FROM players WHERE Name=? && Password = ?");
 $check->bind_param('ss', $username, $hash);
 $check->execute();
Waleed Ahmed Haris
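The two answers above make two separate points: the posted code cannot be injected because the only things interpolated are an escaped string and a hex digest, yet it locks out any user whose name contains a quote because the value is escaped twice; and placeholders remove both problems. The script below is an added example written for this page, not code from the question or from either answer. It runs without a MySQL server by doing the lookup in an in-memory SQLite database through PDO. The players table and the Name/Password columns are taken from the question; the sample player "O'Brien" with password "correct horse" is constructed. Because mysqli_real_escape_string() needs a live MySQL connection, the question's addslashes() + mysqli_real_escape_string() chain is stood in for by addslashes() applied twice; for a plain single quote both functions emit the same \' sequence, which is all the demonstration relies on.

```php
<?php
// Added example, not from the question or any answer on this page.
// Assumptions: in-memory SQLite via PDO instead of MySQL; addslashes()
// twice as a stand-in for addslashes() + mysqli_real_escape_string();
// the sample player O'Brien / "correct horse" is constructed.

declare(strict_types=1);

const SALT = '78sdjs86d2h';   // the salt from the question

/** Same hashing as the question: sha256(password . salt), upper-cased hex. */
function app_hash(string $password): string
{
    return strtoupper(hash('sha256', $password . SALT));
}

/** The text the question's code would interpolate for a given username. */
function double_escape(string $username): string
{
    return addslashes(addslashes($username));
}

/**
 * The value MySQL's string-literal parser recovers from that escaped text
 * (default sql_mode): stripslashes() turns \' into ' and \\ into \, which
 * is what MySQL does with those two sequences inside a quoted literal.
 */
function value_seen_by_server(string $escaped): string
{
    return stripslashes($escaped);
}

/** Fixture: one player whose name contains a single quote (constructed). */
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE players (Name TEXT NOT NULL, Password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO players (Name, Password) VALUES (?, ?)');
    $ins->execute(["O'Brien", app_hash('correct horse')]);
    return $db;
}

/** The fix from the second answer: placeholders, raw input bound as data. */
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM players WHERE Name = ? AND Password = ?');
    $stmt->execute([$username, app_hash($password)]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = make_db();

// 1. Why the first answer says the posted code cannot be injected: the
//    Password value is always a 64-character upper-case hex digest.
$hash = app_hash('anything');
printf("hash is hex only      : %s\n", preg_match('/^[0-9A-F]{64}$/', $hash) ? 'yes' : 'no');

// 2. Why it also locks honest users out: after two rounds of escaping the
//    server compares against O\'Brien, which is not the stored name.
$escaped = double_escape("O'Brien");
printf("literal sent to MySQL : %s\n", $escaped);                        // O\\\'Brien
printf("value server compares : %s\n", value_seen_by_server($escaped));  // O\'Brien
printf("matches stored name   : %s\n",
    value_seen_by_server($escaped) === "O'Brien" ? 'yes' : 'no');         // no

// 3. With a prepared statement the raw name matches, and a classic payload
//    is treated as a (non-existent) name rather than as SQL.
printf("prepared, real user   : %s\n",
    login_prepared($db, "O'Brien", 'correct horse') ? 'login ok' : 'rejected');
printf("prepared, injection   : %s\n",
    login_prepared($db, "' OR '1'='1", 'x') ? 'login ok' : 'rejected');
```

Run it with `php demo.php` (the pdo_sqlite extension must be enabled). The first two lines show what the first answer describes: the digest contains nothing a quote could break out of, while the doubly escaped name never equals what is stored. The last two lines show what the second answer recommends: with bound parameters the quote in O'Brien is just data, and so is the injection payload.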

Test with this:

$sHost = 'localhost';
$sDb = 'test';
$sUser = 'user';
$sPassword = 'password';

$oDb = new PDO("mysql:host={$sHost};dbname={$sDb}", $sUser, $sPassword);

$salt = '78sdjs86d2h';
$username = $_POST['username'];
$password = $_POST['password'];

$hash1 = hash('sha256', $password . $salt);
$hash = strtoupper($hash1);

$sSql = 'SELECT * FROM players WHERE Name = :username AND Password = :password';

$oStmt = $oDb->prepare($sSql);
$oStmt->bindParam(':username', $username, PDO::PARAM_STR);
$oStmt->bindParam(':password', $hash, PDO::PARAM_STR);

if($oStmt->execute()){
    $oRow = $oStmt->fetch(PDO::FETCH_OBJ);
    if(false === $oRow){
        echo 'User or password not valid';
    } else {
        echo 'User and password valid!!!';
    }
} else {
    echo 'Error';
}
Mauricio Florez

Instead of these mysqli functions, go for PDO statements. Here is a reference: PHP PDO Documentation

Rohit Awasthi
  • I'm trying to use it but it's always giving me a 500 error :( I can't use that, I have no idea why ... – State Valentin Mar 20 '16 at 03:55
  • I deleted it 1 hour ago after many fails, now I really have no idea what to do ... that guy said 'the login.php script is the one vulnerable' .. but as you guys said 'it seems fine' ... what should I do to stop the 'sql injection'? .. – State Valentin Mar 20 '16 at 04:11
  • The real question is why OP's code would be vulnerable? (if it is at all) – Déjà vu Mar 20 '16 at 06:05