php oracle sql injection


danarj90
New php-forum User
Posts: 1
Joined: Sun Mar 11, 2012 9:26 pm

php oracle sql injection

Postby danarj90 » Sun Mar 11, 2012 9:34 pm

Hi,
I have written this code to prevent SQL injection in the login form (I use Oracle 10g):

// $conn is an open oci8 connection from oci_connect()
$query = "SELECT USER_NAME, PASSWORD, GROUP_ID, user_id, f_login_status
          FROM ADSL_USERS
          WHERE active <> 0
          AND USER_NAME = :user AND PASSWORD = :pass";
$stid = oci_parse($conn, $query);

// oci_bind_by_name() takes its value argument by reference, so the values
// must be held in variables: a function result such as md5(...) cannot be
// bound, and the bind has nothing to read when the statement executes.
$username = $_POST['username'];
$passhash = md5($_POST['password']);
oci_bind_by_name($stid, ':user', $username);
oci_bind_by_name($stid, ':pass', $passhash);

oci_execute($stid);
// returns false when no row matched the bound values
$row = oci_fetch_array($stid, OCI_RETURN_NULLS);


It does not return any value.

I had this before, but it was exposed to SQL injection:

$query = "SELECT USER_NAME, PASSWORD, GROUP_ID,user_id ,f_login_status
FROM ADSL_USERS
WHERE active <> 0
AND USER_NAME ='".$_POST['username']."' AND PASSWORD = '".md5($_POST['password'])."'";

JordanMRichards
New php-forum User
Posts: 84
Joined: Mon Apr 23, 2012 7:43 am

Re: php oracle sql injection

Postby JordanMRichards » Thu Apr 26, 2012 11:26 am

use

mysql_real_escape_string()

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14 Year Old Programmer & Graphic Artist, Confident and Courageous

minimihi
New php-forum User
Posts: 238
Joined: Sat Apr 14, 2012 11:57 am
Location: Vilnius, Lithuania

Re: php oracle sql injection

Postby minimihi » Thu Apr 26, 2012 12:29 pm

Just a guess. Are you sure that, in this case, you need to use only a single oci_fetch_array() mode option?
Did you give a try to

OCI_RETURN_NULLS + OCI_ASSOC

instead of just

OCI_RETURN_NULLS

?
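The two points raised in the thread, binding values through variables rather than expressions (the original post) and combining the fetch flags (the reply above), put together in one complete login lookup. This is an added example, not code from the original posters; it reuses the ADSL_USERS table and column names from the thread, while the connection parameters and the findUser() function name are assumptions for this example.

```php
<?php
// Added example: parameterised Oracle login check with PHP's oci8 extension.

function findUser($conn, string $username, string $passwordHash): ?array
{
    // Placeholders (:user, :pass) keep user input out of the SQL text, so a
    // value such as  ' OR '1'='1  is compared literally and never parsed.
    $sql = "SELECT USER_NAME, PASSWORD, GROUP_ID, USER_ID, F_LOGIN_STATUS
            FROM ADSL_USERS
            WHERE ACTIVE <> 0
              AND USER_NAME = :user
              AND PASSWORD = :pass";

    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }

    // oci_bind_by_name() binds by reference: pass variables, never a
    // function call or a literal, otherwise the bind has nothing to read
    // at execute time.
    oci_bind_by_name($stid, ':user', $username);
    oci_bind_by_name($stid, ':pass', $passwordHash);

    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        oci_free_statement($stid);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }

    // OCI_ASSOC gives column-name keys; OCI_RETURN_NULLS keeps NULL columns
    // present in the array instead of dropping them.
    $row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS);
    oci_free_statement($stid);

    return $row === false ? null : $row;
}

// Connection parameters are placeholders for this example.
$conn = oci_connect('APP_USER', 'APP_PASSWORD', '//dbhost/ORCL');
if ($conn === false) {
    $e = oci_error();
    exit('connect failed: ' . $e['message']);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// The thread's schema stores md5($password); kept here to match it. Unsalted
// md5 is not a suitable password hash for a new system.
$row = findUser($conn, $username, md5($password));

if ($row === null) {
    echo "login failed\n";
} else {
    printf("welcome %s (group %s, status %s)\n",
        $row['USER_NAME'], $row['GROUP_ID'], $row['F_LOGIN_STATUS']);
}
oci_close($conn);
```

Because the input reaches Oracle only as bind values, the parameterised query needs no escaping function at all; mysql_real_escape_string() belongs to the MySQL extension and has no effect on an oci8 statement.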
