Password check bypassed by Login Page


Illufox
07-16-2008, 01:41 PM
Something really weird happened. I have used a login script for years and it has worked fine. I have used this script for my own site for years and also for my client's site. There were never any problems. But yesterday my client informed me that he can now access the secured site without entering a user name and password. I noticed that the same happened on my own site. Both sites are on the same hosting server, and since I didn't change anything in the script I was assuming that something happened on the hosting server. However, the hosting provider is unable to help.

I don't understand why the script has worked fine for a long time, and now all of a sudden the login check is bypassed without any explanation. My last resort is this forum, in case anybody has experienced the same.

Here are the scripts:

index.htm

(removed rest of html as not important here)

<form action="login.php" method="post">

<table border="0" cellspacing="2" cellpadding="2">
<tr>
<td align="right" class="header">Username:</td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td align="right" class="header">Password:</td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td align="right"><input type="submit" name="Submit" value="Log in"> </td>
</tr>
</table>
</form>

Login.php

<?php
session_start();
ob_start();
include("database.php");

$query = "SELECT * FROM users WHERE user = '$username' LIMIT 1";
$result = mysql_query($query);
$qdata1 = mysql_fetch_object($result);

if ($qdata1->pass == "$password") {
    $userprofile = $qdata1;
    include "include/newsession.php";
    header ('Location:welcome.php');
    exit();

} else {
    session_unset();
    print "Wrong Login. Use your correct User Name and Password and try again.<br> <input type='submit' value='Retry' onClick='history.go(-1)'>";
}
mysql_close();
?>

database.php

(removed private data below)

<?php

/**
* Connect to the mysql database.
*/
$conn = mysql_connect("xxxxxx.xxxxxxmysql.com", "username", "password") or die(mysql_error());
mysql_select_db('database name', $conn) or die(mysql_error());

?>

newsession.php

<?php
$_SESSION['id'] = session_id();
$_SESSION['username'] = $username;
$_SESSION['userprofile'] = $userprofile;
$_SESSION['time'] = time();
?>

This script is very simple and should be correct as it has always worked fine. Any help is greatly appreciated.

SyCo
07-16-2008, 06:51 PM
I'll bet your host just changed the setting on register_globals. Mine did that to me a few years ago and didn't say a thing.

The issue I think is now the var $username doesn't exist after the post. If you had error reporting turned up you'd likely get an undefined variable error.

$username is probably now $_POST['username'], password would be changed in the same way.

This means $qdata1 is returning empty and $password is empty too. So they match and presto you're in! At the very least you should be doing a num_rows check to see at least one result was returned.

You can use htaccess on Apache to reset the register_globals to on while you rewrite the scripts. Don't leave it on though as it's a security hole.

Znupi
07-16-2008, 07:07 PM
Just want to point this out: use mysql_real_escape_string() (http://www.php.net/mysql-real-escape-string)! If you don't use it, it's the biggest security hole ever! Click on the link and scroll down to Example #2 An example SQL Injection Attack to see how easily someone can hack into your site if you don't use this function.
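An added example, not part of any post in this thread: it reproduces the comparison that lets an empty login through once register_globals is off, next to a check that reads the form fields explicitly, binds the username as a query parameter, tests that a row was returned, and verifies a password hash. Assumptions: an in-memory SQLite database through PDO stands in for the thread's MySQL server, the function names `legacy_check` and `login` are hypothetical, the user row is constructed, and passwords are stored with password_hash() rather than in plaintext as in the posted script.

```php
<?php
// Constructed sample data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)');
$ins = $db->prepare('INSERT INTO users (user, pass) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The posted logic with register_globals off: $username and $password are
// undefined, the query matches no row, and the missing ->pass is compared to "".
function legacy_check($row, $password): bool
{
    $stored = $row ? $row->pass : null;   // what $qdata1->pass yields when no row exists
    return $stored == "$password";        // loose comparison: null == "" holds
}

// Hardened check (hypothetical helper): explicit input array, bound parameter,
// row-existence test, and password_verify() against the stored hash.
function login(PDO $db, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;                     // reject missing or non-string fields
    }
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = ? LIMIT 1');
    $stmt->execute([$username]);          // value is bound, never spliced into SQL
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    if ($row === false) {                 // the "at least one result" check
        return false;
    }
    return password_verify($password, $row->pass);
}

// No row and no password: the state of the posted script after the host's change.
var_dump(legacy_check(false, null));
// Same empty request against the hardened check.
var_dump(login($db, []));
// Known user, wrong password, then the correct password.
var_dump(login($db, ['username' => 'alice', 'password' => 'wrong']));
var_dump(login($db, ['username' => 'alice', 'password' => 'correct horse']));
```

In a real page the array passed to `login` would be `$_POST`, and a successful login would be followed by session_regenerate_id(true) before any session values are set.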

SyCo
07-16-2008, 07:35 PM
It's not a good idea posting the domain names of sites you're showing code to. You've been blacklisted. There's always some idiot who will try to mess with your site.

And you've most definitely been messed with!

I just visited your site http://www.illufoxdesign.com

Google provides a big red page with this message


Reported Attack Site!

This web site at www.illufoxdesign.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

Oh dear! Time for a re-write I think. :/

SyCo
07-16-2008, 07:37 PM
From the Google security report:

Safe Browsing
Diagnostic page for www.illufoxdesign.com/

What is the current listing status for www.illufoxdesign.com/?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 9 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/04/2008, and the last time suspicious content was found on this site was on 06/13/2008.

Malicious software includes 8 trojan(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 1 domain(s), including 58.65.232.0.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www.illufoxdesign.com/ did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

This is possibly a result of another account being messed with on your shared hosting. Check to see if the IP is shared or is unique to your account.

Znupi
07-17-2008, 04:29 AM
Indeed I just visited the site and I got a warning from Nod32 that the site is trying to install a Trojan. And I was using Firefox! Think what would've happened if I was using IE ^.^

SyCo
07-17-2008, 09:18 AM
Illufox, I would guess what happened is that the server was compromised, the host realized they had not turned off globals and did so without informing anyone. Register globals was turned off on most servers years ago and should have been off on yours for a long time. I'm not sure of the host's legal responsibility but this could be considered negligence on their part. If you've lost money or reputation, you might have a case to sue.

Think what would've happened if I was using IE ^.^
Oh man I don't have time right now but I'd love to fire up my old junk box and see what happens without any anti virus and in IE. Who's up for trying that???? (in the name of 'science'.) :)

Illufox
07-17-2008, 12:52 PM
I'll bet your host just changed the setting on register_globals. Mine did that to me a few years ago and didn't say a thing.

The issue I think is now the var $username doesn't exist after the post. If you had error reporting turned up you'd likely get an undefined variable error.

$username is probably now $_POST['username'], password would be changed in the same way.

This means $qdata1 is returning empty and $password is empty too. So they match and presto you're in! At the very least you should be doing a num_rows check to see at least one result was returned.

You can use htaccess on Apache to reset the register_globals to on while you rewrite the scripts. Don't leave it on though as it's a security hole.


Thanks, this is a very helpful answer, and it seems to make complete sense that this is what actually made my code break. In the meantime I found another login script and now the login page works as expected again. Thanks a bunch!