http://php.net/mysql_escape_string
it escapes a string to be used in a mysql_query.
let's guess i want to bypass ur security:
i would enter this password: ') OR TRUE LIMIT ('1
the following happens:
[php]$_POST['txtOldPassword'] = "') OR TRUE LIMIT ('1";
$oldPassword = "') OR true LIMIT ('1";
$sql = "SELECT Password FROM tbl_customer WHERE Password = md5('$oldPassword')";
// that means:
$sql = "SELECT Password FROM tbl_customer WHERE Password = md5('') OR true LIMIT ('1')";
// this will always select one row. i was able to pass the password check without knowing the password[/php]
mysql_escape_string converts ') OR TRUE LIMIT ('1
to \') OR TRUE LIMIT (\'1
the result would be:
[php]$sql = "SELECT Password FROM tbl_customer WHERE Password = md5('\') OR true LIMIT (\'1')";[/php]
now there is no way of using mysql-injection (that's what it's called when someone puts sql code into an html field to make the query act the way the hacker wants it to).
best is if u just remember to write ur $sql lines this way:
[php]/* GOOD/SECURE: */
$sql = 'SELECT * FROM table
WHERE field
="' . mysql_escape_string($variable) . '"';
/* BAD/NOT SECURE: */
$sql = "SELECT * FROM table
WHERE field
='$variable'";
[/php]
it's a little bit more typing, but it's worth it.
about error_reporting(E_ALL);
just put it as the first line of php code:
[php]<?php
error_reporting(E_ALL);
require_once 'library/config.php';
$errorMessage = '';
$user = $_POST['user'];
$oldPassword = $_POST['txtOldPassword'];
$newPassword = $_POST['txtNewPassword1'];
…[/php]
[php]<?php
error_reporting(E_ALL);
require_once 'library/config.php';
if (isset($_SESSION['login_user']) && $_SESSION['login_user'] == 'ok') {
    $user = $_SESSION['login_name'];
    $id = $_SESSION['login_id'];
…[/php]
that's not to do u any harm, it just makes debugging much easier for u.
let's take the script u posted: if u had put that simple line at its top it would have returned:
Notice: Undefined variable: Username in /var/www/whatever.php on line 36
and line 36 was:
so it would have been much easier for u to see that u had to change $Username to $user.
error_reporting(E_ALL) is a big help, and so easy to put in there.
it should be the first thing to do when creating a new php-file.
hope this explains what i meant, if not just ask again.
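Added example (not the poster's code, and not from any project): it builds the three query strings the reply walks through, using the same password payload, so the effect of escaping is visible side by side, and then shows the same check as a prepared statement, which keeps the value out of the SQL text entirely. `mysql_escape_string()` was removed in PHP 7, so `escape_like_mysql()` is an assumed stand-in that mirrors its quoting of backslashes, quotes, NUL and line breaks; `tbl_customer` is recreated as a constructed in-memory SQLite table with a single constructed row.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for mysql_escape_string() (removed in PHP 7). Backslash is
// replaced first so the backslashes added for quotes are not escaped again.
function escape_like_mysql(string $s): string
{
    return str_replace(
        ["\\",   "'",   "\"",   "\0",  "\n",  "\r",  "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        $s
    );
}

// BAD/NOT SECURE: the submitted value is dropped straight into the SQL text,
// so the quote in the payload closes the md5('...') literal early.
function build_query_unsafe(string $oldPassword): string
{
    return "SELECT Password FROM tbl_customer WHERE Password = md5('$oldPassword')";
}

// GOOD/SECURE (the reply's advice): escape the value before concatenating it,
// so the quotes stay inside the literal and the payload is just a password.
function build_query_escaped(string $oldPassword): string
{
    return "SELECT Password FROM tbl_customer WHERE Password = md5('"
        . escape_like_mysql($oldPassword) . "')";
}

// Prepared statement: the value is bound as data, never parsed as SQL.
// md5() is computed in PHP here because SQLite has no md5() function.
function check_password_prepared(PDO $db, string $oldPassword): bool
{
    $stmt = $db->prepare('SELECT Password FROM tbl_customer WHERE Password = ?');
    $stmt->execute([md5($oldPassword)]);
    return $stmt->fetchColumn() !== false;
}

// The password from the reply.
$payload = "') OR TRUE LIMIT ('1";

echo "unsafe:  ", build_query_unsafe($payload), "\n";
echo "escaped: ", build_query_escaped($payload), "\n";

// Constructed stand-in for tbl_customer with one constructed account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_customer (Password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO tbl_customer (Password) VALUES (?)');
$ins->execute([md5('constructed-password')]);

echo "correct password accepted: ",
    var_export(check_password_prepared($db, 'constructed-password'), true), "\n";
echo "injection payload accepted: ",
    var_export(check_password_prepared($db, $payload), true), "\n";
```

Running it prints the unsafe query with the literal closed after `md5(''` exactly as the reply shows, the escaped query with `\'` in place of each quote, and `true`/`false` for the real password and the payload respectively. The prepared statement is the form to prefer in new code: escaping only works if every concatenation site remembers to call it, whereas a bound parameter cannot change the query's structure. Separately, an unsalted md5 of the password (as in the original script) is easy to reverse from a leaked table; `password_hash()`/`password_verify()` are the standard replacement.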