/trunk/wb/framework/class.login.php - Diff - WB 2.08.x - Tracking

« Previous | Next »

Revision 420

Added by Matthias over 18 years ago

Fixed "REMEMBER_KEY" Cookie SQL Injection security issue (#376)

     			// User has been "remembered"
     			// Get the users password
     			$database = new database();
     			$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1");
     			$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
     			$fetch_details = $query_details->fetchRow();
     			$this->username = $fetch_details['username'];
     			$this->password = $fetch_details['password'];
-...
     		if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') {
     			// Check if the remember key is correct
     			$database = new database();
     			$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");
     			$check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$this->get_safe_remember_key()."' LIMIT 1");
     			if($check_query->numRows() > 0) {
     				$check_fetch = $check_query->fetchRow();
     				$user_id = $check_fetch['user_id'];
-...
     			$template->pparse('output', 'page');
+    		}
+    	}
     	// convert "REMEMBER_KEY" to a number and then repad
     	// any non numeric character will cause intval to return null thus returning 11 0's
     	function get_safe_remember_key() {
     		return str_pad(intval(substr($_COOKIE['REMEMBER_KEY'],0,11)),11,"0",STR_PAD_LEFT); // SQL Injection prevention
+    	}
     	// Warn user that they have had to many login attemps
     	function warn() {

Also available in: Unified diff

Project

General

Profile

WB 2.08.x

Revision 420

Added by Matthias over 18 years ago