security - Can you "SQL Inject" a PHP Variable Comparison? -

-

While working on an existing project, I am thinking of something when a simple variable comparison attacks "SQL injection" type attacks A user is entered.

My basic login feature works by using a statement prepared by the user in the given username and profile table. If any records have been found, then profile ID is received from the record and is used to view the user's password in any other permission table. If this query is successful then the password provided by the user is === with the password retrieved from the database.

So my question is, does a risk occur in the final phase? I have tried hacking it, like a '==' a '|| In an attempt to trigger the wrong way ' $ pass === $ checkPermRow [' pass'] but nothing seems to happen if you use the prepared statement and Ready to pass input as the parameter of the statement, are you safe?

Therefore it should not be possible to inject anything into the query. However, you should not keep the password in plain text, but should not use the proper hash function in an irreversible form as a hash.

For your question whether injection is also possible in PHP: Yes, code injection can occur in any code that is dynamically generated, even in PHP as well.

However, you just do not need to dynamically generate codes, but it must also be executed. PHP has some functions that execute PHP), e. Yes, however, you probably will not use such construction: 

  if (eval ("return '$ pass' === '$ checkPermRow [pass]'))") )

It will be weak and a a '==' a '|| 'A' will result in something like this: returns 'a' == 'A' || 'A' === 'Password from database';


Comments

Post a Comment

Popular posts from this blog

java - org.apache.http.ProtocolException: Target host is not specified -

-
I have written a simple httprequest / response code and I am getting this error below: I used to type in my classpath httpclient, httpcore, common -Codecs and general logging. I am very new to Java and I do not know what's going on here. Please help me. code: import org.apache.http.client.HttpClient; Import org.apache.http.client.methods.HttpGet; Import org.apache.http.HttpResponse; Import org.apache.http.impl.client.HttpClientBuilder; Import org.apache.http.Header; Import org.apache.http.HttpHeaders; Public class UnshorteningUrl {public static zero main (string [] args throws exception {HttpGet request = zero; HTTP Client Client = HTTP ClientBuilder.credit (). Build (); Try {Request = New HTTP Gate ("trib.me/1lBFzSi"); HttpResponse httpResponse = client.execute (request); Header [] header = httpResponse.getHeaders (HttpHeaders.LOCATION); // Preconditions.checkState (headers.length == 1); String new url = header [0] .getValue (); System.out.println ("new url...
Read more

java - Gradle dependencies: compile project by relative path -

-
Is it possible to specify a dependency on another gradeal project in the granular (in android studios) outside the current project limits? For example, with a relative path like this: dependence {collection project ('../../ stdlib / dagger'}} MyApp (path / user / foo / workspace / mypad) The app (Path / User / Foo / Workspace / MyPass / App) And I have an Android Library Project with 3 subdomules: stdlib (path is / user / foo / Utilities (Path / User / Foo / Workspace / Stadlib / Utilis) http (Path / User / Foo / Workspace / Stadlib / HT) / Li> What I have to do is compile the Dagger, Util, http module in the MyApp project. The Stidelib Library module under heavy development And MyApp will grow in the form of Growth, so I do not want to push them into a Mewen repository. I am a little change. is likely to add another Gredle projects in some way? I will push the study library into the Maven repository after the source is in search of a temp...
Read more

ruby on rails - Object doesn't support #inspect when used with .include -

-
So I have participated in a glitch error that I do not even know how to debug. I am very new to the railing, so it has kicked my ass well when I use the .includes (school) seen by the student, it gives a blue box error, But when I look at any other model and .includes (school) , the school works just fine. class student & lt; ActiveRecord :: Base has has_many: relationships, foreign_key: "liker_id", dependent :: has_many: matches, foreign_key: "student_1_id", dependent :: deleted belong_to: school belong_to: conference belong_to: would_you_rather belong_to: home city belong_to: year is_to: Major and class school & lt; on the console activatecord :: Affiliate for the base: conference includes: respondent, class: "school", foreign_key: "rival_id" (e.g. For: School) Select SQL generated Select "School". * "School" from "school" "ID" IN (1) error message back NoMethodError: u...
Read more