I took over maintenance of a PHP app recently and I'm not super familiar with PHP but some of the things I've been seeing on the site are making me nervous that it could be vulnerable to a SQL injection attack.
For example, see how this code for logging into the administrative section works:
$password = md5(HASH_SALT . $_POST['loginPass']);
$query = "SELECT * FROM `administrators` WHERE `active`='1' AND `email`='{$_POST['loginEmail']}' AND `password`='{$password}'";
$userInfo = db_fetch_array(db_query($query));
if($userInfo['id']) {
$_SESSION['adminLoggedIn'] = true;
// user is logged in, other junk happens here, not important
The creators of the site made a special db_query method and db_fetch_array method, shown here:
function db_query($qstring,$print=0) { return @mysql(DB_NAME,$qstring); }
function db_fetch_array($qhandle) { return @mysql_fetch_array($qhandle); }
Now, this makes me think I should be able to do some sort of SQL injection attack with an email address like:
' OR 'x'='x' LIMIT 1;
and some random password. When I use that on the command line, I get an administrative user back, but when I try it in the application, I get an invalid username/password error, like I should.
Could there be some sort of global PHP configuration they have enabled to block these attacks? Where would that be configured?
Here is the PHP --version information:
# php --version
PHP 5.2.12 (cli) (built: Feb 28 2010 15:59:21)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with the ionCube PHP Loader v3.3.14, Copyright (c) 2002-2010, by ionCube Ltd., and
with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies