
php oracle sql injection


Postby danarj90 » Sun Mar 11, 2012 9:34 pm

Hi..
I had written this code to prevent SQL injection in the login form (I use Oracle 10g)

$query = "SELECT USER_NAME, PASSWORD, GROUP_ID,user_id ,f_login_status
FROM ADSL_USERS
WHERE active <> 0
AND USER_NAME =:user AND PASSWORD = :pass ";
$stid = oci_parse($conn, $query);
oci_bind_by_name($stid, ':user', $_POST['username']);
oci_bind_by_name($stid, ':pass', md5($_POST['password']));
oci_execute($stid);
$row = oci_fetch_array($stid, OCI_RETURN_NULLS);


It does not return any value.

I had this before but it was exposed to SQL injection

$query = "SELECT USER_NAME, PASSWORD, GROUP_ID,user_id ,f_login_status
FROM ADSL_USERS
WHERE active <> 0
AND USER_NAME ='".$_POST['username']."' AND PASSWORD = '".md5($_POST['password'])."'";

Re: php oracle sql injection

Postby JordanMRichards » Thu Apr 26, 2012 11:26 am

use

mysql_real_escape_string()


Re: php oracle sql injection

Postby minimihi » Thu Apr 26, 2012 12:29 pm

Just a guess. Are you sure that, in this case, you need to use only a single oci_fetch_array() mode option?
Did you give a try to
OCI_RETURN_NULLS + OCI_ASSOC
instead of just
OCI_RETURN_NULLS
?
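
The bound-parameter login query from the first post, written as an added example that is not code from any poster in this thread. The function name find_active_user, the bind names :username and :pass, and the connection values in the usage comment are assumptions; table and column names come from the first post.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
function find_active_user($conn, $username, $password)
{
    // Bind names must not be Oracle reserved words: a placeholder such as
    // :user is rejected with ORA-01745, so :username is used here.
    $sql = "SELECT USER_NAME, GROUP_ID, USER_ID, F_LOGIN_STATUS
              FROM ADSL_USERS
             WHERE ACTIVE <> 0
               AND USER_NAME = :username
               AND PASSWORD  = :pass";

    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }

    // oci_bind_by_name() binds by reference: each value has to live in a
    // real variable that is still in scope when oci_execute() runs, so the
    // md5() result is stored first instead of being passed directly.
    // MD5 is kept only because the table in the post stores it; unsalted
    // MD5 is a weak password hash.
    $passHash = md5($password);
    oci_bind_by_name($stid, ':username', $username);
    oci_bind_by_name($stid, ':pass', $passHash);

    // Check the result instead of fetching blindly; the Oracle error text
    // says why a statement returned nothing.
    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        oci_free_statement($stid);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }

    // Associative keys come back in upper case, e.g. $row['USER_ID'].
    $row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS);
    oci_free_statement($stid);

    return $row === false ? null : $row;   // null: no matching active user
}

// Usage (connection values are placeholders):
// $conn = oci_connect('app_user', 'app_password', 'localhost/XE');
// $user = find_active_user($conn, $_POST['username'], $_POST['password']);
// if ($user === null) { /* reject the login */ }
```

Because the user input reaches Oracle only as bound data, it is never parsed as SQL text and needs no escaping function.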

