Login from Database


#1

Hi,

I downloaded a freeware login script, but have some issues with major security flaws and bugs. One thing I've noticed is that it's not verifying the user names are unique when people register. I've tracked the problem down to the following lines of code:

    // Look up any existing row with the requested username.
    $sql = "SELECT username FROM ".$prefix."_users WHERE username='$HTTP_POST_VARS[username]'";
    $result = $db->query($sql);

    // Look up any existing row with the requested email address.
    $sql2 = "SELECT email FROM ".$prefix."_users WHERE email='$HTTP_POST_VARS[email]'";
    $result2 = $db->query($sql2);

    $num = $db->num($result);
    $num2 = $db->num($result2);

    if(($num > 0) || ($num2 > 0)) {
        if($num > 0) {
           $display .= "<font class='text'>That username is already taken. Please choose another one</font><br />";
           unset($HTTP_POST_VARS['username']);
        }
        if($num2 > 0) {
           $display .= "<font class='text'>That email address is already in use. If you've already registered, and forgot your password, please use the <a href='forgot.php'>Password Recovery</a> system.</font><br />";
           unset($HTTP_POST_VARS['email']);
        }
    }

If I try to register with a different user name, but the same email address as an existing user, I enter both the if($num2 > 0) AND if ($num > 0) cases. But if I try to register with just the same user name as an existing user, but a unique email address, neither case matches.

Unfortunately my knowledge of PHP and SQL databases is severely lacking, and nothing is immediately obvious to me about what's wrong, or even where to start looking.

Any ideas would be greatly appreciated.


#2

First - this is for working helpful snippets. You should have posted to general. (no biggy so don't worry).

Second - the first problem I see is that it is looking for the individual parts rather than the 2 together. Combine your SQL queries into 1 (use AND in your WHERE clause). I don't know how your Database is set up but you could also set the password to BINARY so it is case sensitive. Or simpler yet if you don't know programming and don't want to - look for a better script and use it.


#3

This also looks like it is susceptible to MySQL injections.

You can read more up on how to prevent injections here
http://www.netlobo.com/preventing_mysql_injection.html
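An added example, not the script from post #1 or anything else from this thread: it folds the two lookups into one prepared query and reports which field collided, so each message is driven by the right result. It assumes the `<prefix>_users` table and column names from the snippet above, that `$prefix` is a trusted configuration value (table names cannot be bound as parameters), and uses an in-memory SQLite database through PDO so it runs as-is.

```php
<?php
// Added example, not the script from post #1: one prepared query that reports
// which of the two fields (username, email) is already registered.
// Assumptions: the "<prefix>_users" table and column names from the snippet above;
// $prefix comes from trusted configuration (identifiers cannot be bound as parameters).

function registrationConflicts(PDO $db, string $prefix, string $username, string $email): array
{
    // The database does both comparisons, so its collation (case rules) applies,
    // and the bound placeholders keep user input out of the SQL text, which the
    // original string interpolation of $HTTP_POST_VARS does not.
    $sql = "SELECT COALESCE(SUM(username = :u1), 0) AS name_taken,
                   COALESCE(SUM(email = :e1), 0)    AS email_taken
            FROM {$prefix}_users
            WHERE username = :u2 OR email = :e2";
    $stmt = $db->prepare($sql);
    $stmt->execute([':u1' => $username, ':e1' => $email,
                    ':u2' => $username, ':e2' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return [
        'username' => (int) $row['name_taken'] > 0,
        'email'    => (int) $row['email_taken'] > 0,
    ];
}

// Constructed fixture: an in-memory SQLite database with one existing user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_users (username TEXT NOT NULL UNIQUE, email TEXT NOT NULL UNIQUE)");
$db->exec("INSERT INTO demo_users VALUES ('alice', 'alice@example.com')");

// Same username, new email: only the username message should be shown.
var_dump(registrationConflicts($db, 'demo', 'alice', 'new@example.com'));
// New username, same email: only the email message should be shown.
var_dump(registrationConflicts($db, 'demo', 'bob', 'alice@example.com'));
// A quote in the input is just data here, not part of the query.
var_dump(registrationConflicts($db, 'demo', "o'malley", 'none@example.com'));
```

The UNIQUE constraints on the table remain the real guarantee: two registrations racing past this check at the same moment would otherwise both succeed, so the INSERT should still be written to handle a constraint violation.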


#4

Admin Move from Code Snippets to General.