Project

General

Profile

« Previous | Next » 

Revision 420

Added by Matthias almost 18 years ago

Fixed "REMEMBER_KEY" Cookie SQL Injection security issue (#376)

View differences:

trunk/wb/framework/class.login.php
103 103
			// User has been "remembered"
104 104
			// Get the users password
105 105
			$database = new database();
106
			$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1");
106
			$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
107 107
			$fetch_details = $query_details->fetchRow();
108 108
			$this->username = $fetch_details['username'];
109 109
			$this->password = $fetch_details['password'];
......
287 287
		if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') {
288 288
			// Check if the remember key is correct
289 289
			$database = new database();
290
			$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");
290
			$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$this->get_safe_remember_key()."' LIMIT 1");
291 291
			if($check_query->numRows() > 0) {
292 292
				$check_fetch = $check_query->fetchRow();
293 293
				$user_id = $check_fetch['user_id'];
......
370 370
			$template->pparse('output', 'page');
371 371
		}
372 372
	}
373

  
374
	// convert "REMEMBER_KEY" to a number and then repad
375
	// any non numeric character will cause intval to return null thus returning 11 0's
376
	function get_safe_remember_key() {
377
		return str_pad(intval(substr($_COOKIE['REMEMBER_KEY'],0,11)),11,"0",STR_PAD_LEFT); // SQL Injection prevention
378
	}
373 379
	
374 380
	// Warn user that they have had to many login attemps
375 381
	function warn() {

Also available in: Unified diff