Yet another blog about PHP, HTML and CSS » Programming Techniques

MySQL comparison catch: ‘abc’ = 00

Petr 'PePa' Pavel — Mon, 25 May 2009 20:39:00 +0000

I was shocked to find a weakness in my authentication library today. It was possible to get around the password check if you knew the username. All you had to do was to enter 00 as the password. Or you just entered 00 as the username too and you got authenticated as the first user.

The bug was a combination of these three things:

A password (or/and username) that doesn’t contain any numbers
MySQL type conversion in conditions – when comparing a VARCHAR column to an INTEGER value it converts VARCHAR to INTEGER, not the other way around.
My own database wrapper was trying to be smart and didn’t wrap numeric values with apostrophes

Consider this template:

SELECT 1 FROM my_users WHERE (username = %s) AND (password = %s)

and something along these PHP lines:

if ($_REQUEST[‘username’] && $_REQUEST[‘password’]) {
// will catch 0 but not 00
if (mysqlValue($sqlTemplate, $_REQUEST[‘username’], $_REQUEST[‘password’]) {
echo ‘welcome’;
} else {
echo ‘wrong password’;
}
}

I won’t go into details about mysqlValue(). The important part is that it checks for special cases of NULL, true, false and is_numeric() and runs the rest through mysql_real_escape_string(). Then it inserts all parameters into the template using vprintf().

The problem is with is_numeric(). After being evaluated as a numeric value, ’00′ is entered into the query without apostrophes.

SELECT 1 FROM my_users WHERE (username = ‘my_username’) AND (password = 00)

And because any varchar that doesn’t contain a number compared to an integer is evaluated as true the result is a catastrophe.

'abc' = 00 is evaluated as true. 'abc1' = 00 would be false however, unfortunately only few users append a number to their password. If you use 00 for both the username and the password you get authenticated as the first user who didn’t do so.

Check out this false bug report or the related documentation page.

Why you could want to pass numeric values without apostrophes

I wonder myself :-) Here are some reasons I remembered:

I need to pass NULL in some cases and for that I can’t use %d
Using apostrophes for integer comparison (1 = ’1′) means unnecessary type conversion that takes time. A small amount of time but still.
An argument for abandoning the is_numeric() code: Using %d and %s in SQL templates provides a visual clue about what values can be expected there. But then I couldn’t insert NULL values.

So how to fix this mess?

What do you think? Should I remove the is_numeric() test and replace all %d with %s in all SQL templates? Remember that printf("%d", "'123'") will return 0.
Or should I keep the is_numeric() test and rewrite vulnerable queries to use for example CAST:

SELECT 1 FROM my_users WHERE (username = CAST(%s AS CHAR)) AND (password = CAST(%s AS CHAR))

Update 2010-01-18: I added the real reason for wanting to preserve %s in the template.

Update 2010-01-20:
Unfortunately, what I thought to be a solution (CAST(%s AS CHAR)) has another flaw – strips leading zeroes from the username / password which results into authentication failure.
So dear reader, any ideas?

Dealing with different configuration for development and production box

Petr 'PePa' Pavel — Fri, 12 Dec 2008 00:16:42 +0000

All right, this isn’t exactly a rocket science, it’s just something I use and find very handy.

We all develop (and test) on one computer and deploy to a different computer to make the changes live. Having to run the application in two different environments brings a challenge of using different configuration based on where the application runs.

Multiple configuration files

I started by having two configuration files, one for my dev box and another for the production server. They were named the same and I had one on my dev box and one on the server. Each deployment though, meant that I had to be careful not to overwrite the server file with my local copy. That ruled out using a simple synchronization script like lftp or WinScp.

The simplest solution is to name the configuration files differently and upload them both to both servers. All right, even simpler is to have a single configuration php file and define different values using if/else but that can quickly get out of hands as the number of variables grows.

If you need to upload to more production servers (more than one customer) you need to use some more sophisticated deployment script (Ant?).

Let’s return to the simple solution for now. You need to find a piece of information that can be used as a computer identifier and use it to choose the right set of configuration data.

$_SERVER['SERVER_NAME'] & $_SERVER['SERVER_ADDR']

You can use these two for most situations. I develop on my workstation and I have set up domain name based web hosts (C:\xampp\apache\conf\extra\httpd-vhosts.conf) using fake domains (C:\WINDOWS\system32\drivers\etc\hosts).

Using $_SERVER['SERVER_NAME'] works when you know it up front but sometimes your client is going to choose it just before launching the site. Or he decides to change it later on. Not a big deal but I don’t like chaos.

$_SERVER['SERVER_ADDR'] is also fine but don’t forget to change it when your production server’s ip address changes. Not an issue if you use just two computers with 127.0.0.1 and “else”.

Running scripts locally

Sometimes you need to run a script locally as an extra level of security. Say you run a cron job and you don’t want public to mess with it by running it off schedule. So you run it as http://localhost/tadada.php and check for SERVER_NAME/ADDR to make sure it was indeed run that way. But then your cannot use it for picking the right configuration set.

getenv(“COMPUTERNAME”) to the rescue

This value is unlikely to change during the lifetime of your application and doesn’t change based on the way you run it. The drawback is that not all servers define this variable so you may have to seek a different computer identificator.

What is your way of dealing with configuration sets?

Calculating time difference in months as a decimal number

Petr 'PePa' Pavel — Wed, 08 Oct 2008 20:54:21 +0000

There’s a number of functions out there for calculating the length of time in months but they only provide integer results. MySQL can do it too, for instance. But what if you need to get a precise number?

2008-11-15 minus 2008-10-01 can’t be one if you’re calculating rent. It must be 1.466…

function monthCount($start, $end) {
list($startYear, $startMonth, $startDay) = split(‘-’, $start);
list($endYear, $endMonth, $endDay) = split(‘-’, $end);
$startMonthCount =
($startYear * 12) +
// number of months since the beginning of our calendar
$startMonth +
// month number
( ($startDay – 1) / date("t", strtotime($start)));
// day number divided by the number of days in that month
$endMonthCount = ($endYear * 12) + $endMonth +
( ($endDay – 1) / date("t", strtotime($end)));
return $endMonthCount – $startMonthCount;
}

Note: end date is not inclusive.

How to concatenate two object attributes and assign the result to a variable

Petr 'PePa' Pavel — Tue, 04 Mar 2008 18:21:25 +0000

All right, this is really no rocket science it’s just something I needed and took me some time to figure out.

{assign var="fullName" value="`$human->first` `$human->last`"}

or more robust version:

{capture assign="fullName"}
{$human->first} {$human->last}
{/capture}

Date formatting in Smarty

Petr 'PePa' Pavel — Wed, 26 Sep 2007 21:23:44 +0000

If you use the so called, German date format (day of month. month. year) you may have wondered how to achieve it with Smarty – without the leading zeroes for month.

You all know the common way to format date in Smarty:

{$myDate|date_format:"%e. %m. %Y"}

If you ever wanted to have month number without the leading zeroes, here’s how:

{$myDate|date_format:"%e. %#m. %Y"}

or even a cooler way:

{assign var="myDateTimestamp" value=$myDate|strtotime}
{"j. n. Y"|date:$myDateTimestamp}

(because you can use almost any PHP function as Smarty variable modifier, just solve the parameters-order problem)

Question

Got any better solution? Tell me about it!

How to report messages to user

Petr 'PePa' Pavel — Wed, 26 Sep 2007 10:21:45 +0000

In the course of executing a program you need to report errors / success messages to the user. But you don’t want to mix your code with HTML, right? (A quick explanation on separating presentation from business / data logic.)

So here’s what I use:

class MessageStack {
var $_stack = array();
…
/**
* Factory function, ensures that
* MessageStack is a singleton
*/
function create() {
…
}
function add($type, $text) {
$this->_stack[$type][] = $text;
}
/**
* Returns stack contents
*/
function get() {
return $this->_stack;
}
}

When I want to report something I call:

$messageStack = MessageStack::create();
$messageStack->add(‘ok’, ‘Record saved.’);

Then in your main file you run this:

$messageStack = MessageStack::create();
$smarty->assign("messages", $messageStack->get());

Include this into template (preferably the part that is included into every template):

{foreach from=$messages key=type item=messagesType}
{section name=pc loop=$messagesType}
{$type}">{$messagesType[pc]}
{/section}
{/foreach}

And then in css, define all message types:

.message {
font-weight: bold;
padding: 5px;
}
.critical {
background-color: black;
padding: 2px 5px 3px 5px;
margin: 3px 0px;
}

Question

Do you use something like this or something more clever? Share your wisdom :-)