How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon
302 is the server's way of saying "I want you to go to [somewhere else]" (in this case login.php).
It is not an error but a perfectly normal response. Especially in your case it makes much more sense (if you ask me) to send the user to a login page after a SQL injection attempt than to let him in.
How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon
302 is the server's way of saying "I want you to go to [somewhere else]" (in this case login.php).
It is not an error but a perfectly normal response. Especially in your case it makes much more sense (if you ask me) to send the user to a login page after a SQL injection attempt than to let him in.
cakephp - sql injection test always shows failure
How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon
that error shows that the sql injection has been prevented. You don't need Sanitize for SQL injection, but for XSS.
SQL Injection - what else?
This:
$uid = $_POST['uid'];
$pass = $_POST['pass'];
Should be:
$uid = mysqli_real_escape_string($db_connect, $_POST['uid']);
$pass = mysqli_real_escape_string($db_connect, $_POST['pass']);
This way the variables become the escaped string else you just don't do anything to them.
And why do you use mysql_*
with mysqli_*
or pdo
?
Using prepared statements is good tough.
UPDATE
You could also add trim()
to remove useless spaces and strip_tags()
to remove all html tags:
$uid = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['uid'])));
$pass = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['pass'])));
so an input like: <b onClick="some javascript injection">Test</b> is this <u>striped</u>?
will become: Test is this striped?
How to prevent SQL injection in login page when SQL Server Compact Edition is used as a database
You have to pass the command that has the parameters defined and filled to the SqlCeDataAdapter, you have missed to do that.
change your code to below,
SqlCeConnection sqlcon = new SqlCeConnection();
sqlcon.ConnectionString = @"Data Source=dbLogin.sdf; password =rss900";
string query = "select * from [tblLogin] where username = @user AND password = @pass";
SqlCeCommand myCommand = new SqlCeCommand();
myCommand.Connection = sqlcon;
myCommand.CommandText = query;
myCommand.Parameters.Add("@user", txtUsername.Text);
myCommand.Parameters.Add("@pass", txtPassword.Text);
SqlCeDataAdapter sda = new SqlCeDataAdapter(myCommand);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if (dtbl.Rows.Count == 1)
{
Main objfrmMain = new Main();
this.Hide();
objfrmMain.Show();
}
else
{
MessageBox.Show("Invalid Username or Password", "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
cannot perform sql injection on a unsecure form
You need to end the quote of the SQL in the posted username. And finish the final quote so its not a syntax error. Easy way is to make it into the 1=1 version in strings. ""=""
.
So:
" or ""="
I've tried SQL injecting my code which 'technically' should be vulnerable but it wont work
There are multiple ways to break your code; it is not secure. It doesn't have to be possible to execute a DROP
statement for your code to be unsafe.
For example, the function SignUp
is insecure. If the value of $_POST[email]
is ' OR 1=1 --
, then the authentication query becomes:
SELECT * FROM admin WHERE email = '' OR 1=1 --
(The --
is a common indicator of an attack; its purpose is to turn whatever follows into a comment.) This query will always return a result, because 1=1
is always true. So, your user will always be authenticated as an admin. This means newUser
gets called, the attackers data gets inserted into the admin
table, and you just lost control of your site.
MORAL: Always use prepared statements. Never directly insert a value that came from a user, could have come from a user, came from a database, came from an API, etc., directly into your SQL statements. Do not trust anybody (including yourself) when it comes to SQL injection, and use a prepared statement for every parameter or variable, every time.
You should read OWASP's guide to SQL injection issues, their SQL Injection Prevention Cheat Sheet, and their PHP Security Cheat Sheet.
Related Topics
Including PHP Variables in an External Js File
Setting $_Session Doesn't Work on Localhost Using Xampp
Calling a Controller Function in Another Controller in Codeigniter
Can Mongodb and Its Drivers Preserve the Ordering of Document Elements
Un-Encrypting/Re-Encrypting a Coldfusion Encrypted String in PHP
Set Multiple='False' in a Form in a Many to Many Relation Symfony2
Strip_Tags() Function Blacklist Rather Than Whitelist
PHP $String{0} VS. $String[0];
Check If Username Exists in MySQL Table via PHP
Mongodb Aggregate Query Using PHP Driver
Adding User Custom Field Value to Order Items Details
Check If Method Exists in the Same Class
Why Ob_Start() Must Come Ahead of Session_Start() to Work in PHP
PHP Remove/Fix Module Not Found or Already Loaded Warnings
Set Cart Item Price from a Hidden Input Field Custom Price in Woocommerce 3
Wherejsoncontains Laravel 5.6 Not Working