sql >> Databasteknik >  >> RDS >> Mysql

PHP-funktion fungerar bara en gång

Eftersom denna fråga handlar om säkerhet.

Använd inte mysql_*-biblioteket. Det är väldigt sårbart för sql-injektion, speciellt hur du använder det. Och den är utfasad.

Låt oss anta att jag skickar [email protected]

I din kod

$domain = $emailsep[1];   // will equal "gmail.com"

Låt oss nu säga att jag injicerar den med sql-injektion, eftersom jag skickar [email protected] är ganska tråkigt, nu är det inte.

Jag kommer att ha mycket roligt i den här kodraden som följer:

$domaincheck = mysql_query("SELECT * FROM xxxxxxx WHERE domain = '$domain'", $link);

Läs det här och detta .

Och använd mysqli eller pdo enligt ordination av dessa läkare.

Redigera:

nu tillbaka till frågan du hade i åtanke

en php-fil

<?php
    date_default_timezone_set('America/New_York'); // required something here else exception below
    //error_reporting(E_ALL);
    //ini_set("display_errors", 1);
    //require '1error_2shutdown_3log.php';  // 1. err hndlr, 2. shutdown hndlr, 3. log it somehow


    $b='<br/n>';    // great name huh ?
    $b2='<br/n><br/n>'; // great name huh ?
    echo "The time is " . date("h:i:sa").$b;
    echo "s01".$b;
    try {
            echo "s02".$b."--------------------------------------------------------------------------".$b;




        //$email = $_POST['emailreg'];
        //$firstna = $_POST['firstna'];
        //$surna = $_POST['surna'];
        //$password = $_POST['passreg'];
        //$passconfirm = $_POST['passconfirm'];
        //$userpass = $email . $password;
        //$emailsep = explode("@", $email);
        //$domain = $emailsep[1];

        $email = "[email protected]";
        $firstna = "Drew";
        $surna = "Pierce";
        $password = "secure";
        $passconfirm = "secure";
        $userpass = $email . $password;
        $emailsep = explode("@", $email);
        $domain = $emailsep[1];

        $key = md5('united');   // don't use md5
        $salt = md5('united');  // don't use md5

        function encrypt($string, $key) {
            $b='<br/n>';    // great name huh ?
            $b2='<br/n><br/n>'; // great name huh ?

            # come up with a good key, beyond the scope of this Question
            $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); #32 bytes
            $key_size =  strlen($key);
            echo "Key size: " . $key_size . $b; # 32, big surprise

            # create a random IV to use with CBC encoding
            # yes each time
            $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);    // using ECB cuz u were
            $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);          

            echo "in encrypt() passed <b>",$string,"</b> and <b>",$key.'</b>'.$b;

            $rawEncrypted=mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB,$iv);
            # prepend the IV for it to be available for decryption
            $rawEncrypted = $iv . $rawEncrypted;
            $b64Encrypted= base64_encode($rawEncrypted); # <------- RIGHT HERE WE ARE DONE

            # basically we are done encrypting, could just return $b64Encrypted and be done with it
            # but no

            #########################################################################
            # lifted from manual page btw: http://php.net/manual/en/function.mcrypt-encrypt.php
            # do an assert that you can decrypt for a sanity check
            $ciphertext_dec = base64_decode($b64Encrypted);

            # retrieves the IV, iv_size should be created using mcrypt_get_iv_size()
            $iv_dec = substr($ciphertext_dec, 0, $iv_size);

            # retrieves the cipher text (everything except the $iv_size in the front)
            $ciphertext_dec = substr($ciphertext_dec, $iv_size);

            # may remove 00h valued characters from end of plain text
            $plaintext_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $ciphertext_dec, MCRYPT_MODE_ECB, $iv_dec);

            echo  "Assert ... plaintext= ".$plaintext_dec .$b;
            // a real Assert would make it explode, but you get the idea

            #########################################################################

            echo "leaving encrypt() with ",$b64Encrypted.$b2;
            return $b64Encrypted;
        }

        echo "about to connect ...".$b;
        $link = mysql_connect('localhost', 'GuySmiley', 'mongoose');
        if (!$link) {
            die('Could not connect: ' . mysql_error());
        }
        mysql_select_db("so_gibberish", $link);

        $domaincheck = mysql_query("SELECT * FROM t1 WHERE domain = '$domain'", $link);
        if($domaincheck === FALSE) { 
            die(mysql_error());
        }

        //echo "encrypt returns: ".encrypt($email, $key).$b;
        $emailcheck = mysql_query("SELECT * FROM t2 WHERE studentemail = '".encrypt($email, $key)."'", $link);
        if($emailcheck === FALSE) { 
            die(mysql_error());
        }

        $dorow = mysql_fetch_array($domaincheck);
        $emailrow = mysql_fetch_array($emailcheck);

        // the below will explode, I don't have them, changed to echo
        if ($password == '') {
        $cause = 'Password Blank'; echo 'error.php'.$b;
        }elseif ($passconfirm =='') {
        $cause = 'Password Blank'; echo 'error.php'.$b;
        }elseif ($password != $passconfirm) {
        $cause = 'Password Mismatch'; echo 'error.php'.$b;
        }elseif ($dorow['domain'] != $domain) {
        $cause = 'Incorrect Domain'; echo 'error.php'.$b;
        }elseif ($emailrow['studentemail'] != '') {
        $cause = 'User Already Exists'; echo 'error.php'.$b;
        }
        //elseif ($dorow['licensecount'] > $dorow['licensemax']) { # commented out cuz I dont have this table
        //$cause = 'Insufficient Licences'; echo 'error.php'.$b;
        //}else {
        //}

        function hashword($string, $salt){
            $b='<br/n>';    // great name huh ?
            echo "in hashword()".$b;
            $string = crypt($string, '$1$' . $salt . '$');
            return $string;
        }

        echo "s10".$b;
        $userpass = hashword($userpass, $salt);
        echo "s11".$b;
        echo $userpass.$b;

        $hash = md5( rand(0,1000) );    // don't use md5, get a good RNG (random # generator)

        echo "s12".$b;
$sql="INSERT INTO `xxxxxxx`.`xxxxxxx`
(`hash`, `studentemail`, `studentfirstname`, `studentsurname`,
`oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`,
`psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`,
`psupplytest`, `exam`, `userpass`, `ID`, `domain`, `licensecount`,
`licensemax`, `licenceexpire`)

VALUES ('$hash', '".encrypt($email, $key)."', '".encrypt($firstna, $key)."',
'".encrypt($surna, $key)."', '0', '0', '0', '0', '0', '0', '0', '0', '0',
'0', '0', '$userpass', NULL, '', '0', '', NULL)";

        echo $sql.$b;
        //$result = mysql_query($sql, $link);

        //$licenceadd = mysql_query("UPDATE xxxxxxx.xxxxxxx SET licensecount = licensecount +1 WHERE domain = '$domain'", $link);

        //if($result === FALSE) { 
        //    die(mysql_error()); 
        //}

        //if($licenceadd === FALSE) { 
        //    die(mysql_error()); 
        //}

        //include 'email.php'; 

        echo "near bottom".$b;

        mysql_close($link); 


    } catch (Exception $e) {
        echo 'Caught exception: ',  $e->getMessage(), $b;
    } finally {
        echo $b."--------------------------------------------------------------------------".$b."First finally".$b;
    }
?>

Schema som var live när jag körde detta

create table t1
(   id int auto_increment primary key,
    domain varchar(100) not null,
    key(domain)
);
insert t1(domain) values ('gmail.com'),('yahoo.com'),('ibm.com');

-- drop table t2;
create table t2
(   id int auto_increment primary key,
    fullName varchar(80) not null,
    studentemail varchar(1000) not null
    -- key(studentemail)
);
-- truncate table t2;
insert t2(fullName,studentemail) values ('Drew Pierce','who-knows');

Skärmutgången:

The time is 06:25:20pm
s01
s02
--------------------------------------------------------------------------
about to connect ...


*** begin myLogger function ***
lvl: 8192 | msg:mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead | file:C:\Apache24\htdocs\causes_parse_error.php | ln:82
warn
*** end myLogger function ***

Key size: 32
in encrypt() passed [email protected] and ��K~:صGc��U��)���^A~/�*�
Assert ... plaintext= [email protected]
leaving encrypt() with 7n7aTyDo4E4WvtDseUcSM3JMjKipFalVRWhPwu6P5vUdYjN9btNNPo1qlOxB+TKtwfCCr/2ctTCNPxrdVz5Egg==

error.php
s10
in hashword()
s11
$1$3db1a73a$i5Pb3o2s6tV4uWDivvmLA1
s12
Key size: 32
in encrypt() passed [email protected] and ��K~:صGc��U��)���^A~/�*�
Assert ... plaintext= [email protected]
leaving encrypt() with uXCKvAUVuBcoPxIbqpbfMZRD50Bu7XSwP75MapBct9UdYjN9btNNPo1qlOxB+TKtwfCCr/2ctTCNPxrdVz5Egg==

Key size: 32
in encrypt() passed Drew and ��K~:صGc��U��)���^A~/�*�
Assert ... plaintext= Drew
leaving encrypt() with 61B1AJtpaK7hx0bFSBNXr9Z0ZFIUkrQXCZcQ5D4pvySzLFfIEEB/2r2FvCLZMobUd3jWRIiyFSfLy4/qTXsT5w==

Key size: 32
in encrypt() passed Pierce and ��K~:صGc��U��)���^A~/�*�
Assert ... plaintext= Pierce
leaving encrypt() with /JFBohEe96R7sFnQxu+ujvgFv8WZl9Pdss+zv8tVptJk2xrZH8Pb3xjfGmWGH92W/h4aeWrPS8ICEIojKtYrgw==

INSERT INTO `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `ID`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) VALUES ('a96b65a721e561e1e3de768ac819ffbb', 'uXCKvAUVuBcoPxIbqpbfMZRD50Bu7XSwP75MapBct9UdYjN9btNNPo1qlOxB+TKtwfCCr/2ctTCNPxrdVz5Egg==', '61B1AJtpaK7hx0bFSBNXr9Z0ZFIUkrQXCZcQ5D4pvySzLFfIEEB/2r2FvCLZMobUd3jWRIiyFSfLy4/qTXsT5w==', '/JFBohEe96R7sFnQxu+ujvgFv8WZl9Pdss+zv8tVptJk2xrZH8Pb3xjfGmWGH92W/h4aeWrPS8ICEIojKtYrgw==', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$1$3db1a73a$i5Pb3o2s6tV4uWDivvmLA1', NULL, '', '0', '', NULL)
near bottom

--------------------------------------------------------------------------
First finally

I grund och botten är jag nöjd med hur ASSERTS kommer ut, med de inbäddade IV:erna (initieringsvektorerna).

Att skriva till databasen var inte problemet med denna fråga, eftersom du kan se en kommenterad ut det området. Det var snarare en fråga om kryptering/dekryptering.

Mottagaren av chiffertexten kan dekryptera den som IV i prepended, och de kommer att ha nyckeln. Om de inte har nyckeln, synd.

Lycka till ! Och ändra det biblioteket till ... som ... PDO !




  1. Galera Cluster Resources

  2. LINQ till Entities multiple join

  3. Node.js ansluter via ssh

  4. Hur man ställer in flervalsvärde från arrayobjekt i yii2 under uppdatering