www.webdeveloper.com

Thread: [RESOLVED] site security puzzler

  1. #1 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)

    Hi. I have a members site with 2 databases. This is working perfectly in normal use; however, I am now trying to make it bullet-proof by adding a few security features (i.e. if they hit F5).

    I am using this to see if the person has applied :

    Code:
    ...
    			$_SESSION[exists] = "0";
    			mysql_select_db("applydb", $con);
    			$result = mysql_query("SELECT email FROM apply
    				WHERE email = '$_SESSION[email]' LIMIT 1");
    			while($row = mysql_fetch_array($result))
    			{
    				$_SESSION[exists] = "1";
    			}
    			mysql_close($con);
    ...
    If the user exists, they are added to the members db, then deleted from the "applied" db. As I have said, this is working fine; I am following the info in the database through each step. However, after the member has been deleted from this db, if they hit F5, or call the php file from the browser, $_SESSION[exists] still returns as 1.

    If I put two echo statements for $_SESSION[exists] = "1";, one at the beginning and one at the end, it returns 0, 1, even though there is no member in the db anymore.

    Help....lol. I have solved a lot of other issues myself, blocking pages if not authorised and the like, but this has me completely stumped.

    NB: this only occurs after a successful membership app. All other times, it is working as it should. I have also checked that $_SESSION[email] is retaining the correct email address.
    Last edited by max2474; 05-09-2012 at 09:58 PM. Reason: clarity

  2. #2 (Join Date: Jul 2003, Location: The City of Roses, Posts: 2,503)
    The code you're showing doesn't include everything you described in your problem. You haven't shown where you insert a member. You haven't shown where you delete a member. We can't find problems if we can't see the code.

    But in the meantime, you have bigger problems. Your code is vulnerable to SQL injection. It's one of the most common security issues, but it's also one of the easiest to prevent.

    http://php.net/manual/en/security.da...-injection.php
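Added example on the point above, not code from the thread: the lookups in post #4 build their SQL by interpolating `$_SESSION[email]`, and the escaping in verify.php is applied before `FILTER_SANITIZE_EMAIL`, whose allowed character set includes `'` but not `\`, so the backslash that `mysql_real_escape_string()` adds is stripped again. The first part shows that stripping on a constructed value; the second rewrites the `appexistchk.php` lookup as a prepared statement, assuming a mysqli connection in `$con` (the thread's ext/mysql API has no prepared statements) and the thread's `apply` table and session codes.

```php
<?php
// Added example, not from the thread. Part 1: escaping, then sanitizing.
// FILTER_SANITIZE_EMAIL keeps letters, digits and !#$%&'*+-=?^_`{|}~@.[]
// and drops everything else, including the backslash that escaping adds.
// mysql_real_escape_string() needs a live ext/mysql connection, so the
// escaped form is written out literally here (constructed sample value).
$escaped   = "o\\'connor@example.com";            // o\'connor@example.com
$sanitized = filter_var($escaped, FILTER_SANITIZE_EMAIL);
var_dump($sanitized === "o'connor@example.com");  // bool(true): quote is bare again

// Part 2: the appexistchk.php lookup as a prepared statement. The email is
// sent as a bound parameter, so it can never change the SQL text, and the
// escape/sanitize order above stops mattering for the query.
// Assumes $con is a mysqli connection to the database holding `apply`.
function applicant_exists(mysqli $con, string $email): bool
{
    $stmt = $con->prepare("SELECT 1 FROM apply WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("s", $email);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException("execute failed: " . $err);
    }
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Validate (rather than sanitize) the address once and keep the raw value;
// the return codes mirror the thread's: "2" = found in apply, "3" = not found.
function check_applicant(mysqli $con, string $postedEmail): string
{
    $email = filter_var($postedEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException("not a valid email address");
    }
    return applicant_exists($con, $email) ? "2" : "3";
}
```

In the thread's flow this would be called as `$_SESSION['exists'] = check_applicant($con, $_POST['email']);` with the invalid-address case redirected as verify.php already does.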

  3. #3 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)
    The reason I have shown only this is because this is the code where the problem lies. I have a few thousand lines. I have protected against injection attacks; I was trying to find out if there are any problems with what you see.

    I will post what you ask, let me just try and shrink it first.

  4. #4 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)
    Hope this will make sense to you....

    verify.php:
    Code:
    <?php
    		/*job numbers:
    		1-apply to join
    		2-login
    		3-forgotten password - get retrieve info
    		4-forgotten password - write new password*/
    
    	require("connectdb.php");
    
    	$formjob = filter_var(mysql_real_escape_string($_POST[formjob]), FILTER_SANITIZE_NUMBER_INT);
    	$_SESSION[formjob] = $formjob;	
    	
    	if ($_SESSION[formjob] == "1")
    	{
    		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
    		$_SESSION[userpass] = filter_var(mysql_real_escape_string($_POST[pwd]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[user] = filter_var(mysql_real_escape_string($_POST[user]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[squestion] = filter_var(mysql_real_escape_string($_POST[squestion]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[sanswer] = filter_var(mysql_real_escape_string($_POST[sanswer]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[plan] = filter_var(mysql_real_escape_string($_POST[plan]), FILTER_SANITIZE_NUMBER_INT);
    		$_SESSION[date] = filter_var(mysql_real_escape_string($_POST[date]), FILTER_SANITIZE_NUMBER_INT);
    		$_SESSION[terms] = filter_var(mysql_real_escape_string($_POST[terms]), FILTER_SANITIZE_SPECIAL_CHARS);
    		if (empty ($_SESSION[user])) { $_SESSION[passes] = "1";}
    		elseif (empty  ($_SESSION[email])){ $_SESSION[passes] = "2";}
    		elseif (empty  ($_SESSION[userpass])){ $_SESSION[passes] = "3";}
    		elseif (empty  ($_SESSION[squestion])){ $_SESSION[passes] = "4";}
    		elseif (empty  ($_SESSION[sanswer])){ $_SESSION[passes] = "5";}
    		elseif (empty  ($_SESSION[plan])){ $_SESSION[passes] = "6";}
    		elseif (empty  ($_SESSION[terms])){ $_SESSION[passes] = "7";}
    		else {$_SESSION[passes] = "0";}
    		if ($_SESSION[passes] <> "0")
    			{ header("location:index.php?menutabs=9"); }
    
    		if (!filter_var(($_SESSION[email]), FILTER_VALIDATE_EMAIL))
    		{ header("location:index.php?menutabs=17"); }
    		elseif ($_SESSION[passes] == "0")
    		{
    			$_SESSION[exists] = "3";
    			require("phpsnips/appexistchk.php");
    
    			if($_SESSION[exists] = "2")
    			{
    				require("phpsnips/delfromapp.php");
    				$_SESSION[exists] = "3";
    			}
    
    			require("phpsnips/memexistchk.php");
    
    
    			if($_SESSION[exists] == "3")
    			{	
    				require("connectdb.php");
    				mysql_select_db("applydb", $con);
    				$sql = "INSERT INTO apply (email, password, squestion, sanswer, joindate, l1refer, plannum, usertitle)
    				VALUES
    				('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[referrer]','$_SESSION[plan]','$_SESSION[user]')";
    				if (!mysql_query($sql,$con))
    				{ die('Error: ' . mysql_error()); }
    				mysql_close($con);
    			}
    			if($_SESSION[exists] == "1")
    			{
    				header("location:index.php?menutabs=8");
    			}
    			if(($_SESSION[plan] == "1")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
    				{ header("location:index.php?menutabs=11"); }		
    			if(($_SESSION[plan] == "2")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
    				{ header("location:index.php?menutabs=12"); }
    			if(($_SESSION[plan] == "3")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
    				{ header("location:index.php?menutabs=13"); }
    			if(($_SESSION[plan] == "4")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
    				{ header("location:index.php?menutabs=19"); }
    			if(($_SESSION[plan] == "5")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
    				{ header("location:index.php?menutabs=20"); }
    		}
    	}
    
    	if ($_SESSION[formjob] == "2")
    	{
    		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
    		$_SESSION[userpass] = filter_var(mysql_real_escape_string($_POST[pwd]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[date] = filter_var(mysql_real_escape_string($_POST[date]), FILTER_SANITIZE_NUMBER_INT);
    		$loginsuccess = "0";
    		require("connectdb.php");
    		mysql_select_db("memberdb", $con);
    		$result = mysql_query("SELECT * FROM members
    		WHERE email = '$_SESSION[email]' AND password = '$_SESSION[userpass]' LIMIT 1");
    		while($row = mysql_fetch_array($result))
    		{
    			$loginsuccess = "1";
    			$_SESSION[user] = $row['usertitle'];
    			$_SESSION[squestion] = $row['squestion'];
    			$_SESSION[lastvisit] = $row['lastvisit'];
    			$_SESSION[userid] = $row['userid'];
    /*get more vars here!*/
    
    
    		}
    		mysql_close($con);
    		if ($loginsuccess == "0")
    		{
    			$_SESSION[exists] = "3";
    			require("phpsnips/appexistchk.php");
    			if ($_SESSION[exists] == "2")
    			{
    				$_SESSION[exists] = "3";
    				require("phpsnips/delfromapp.php");
    				header("location: index.php?menutabs=18");
    			}
    			else
    			{	header("location: index.php?menutabs=10");}
    		}
    		elseif ($loginsuccess == "1")
    		{
    
    $sessionid = session_id();
    			require("connectdb.php");
    			mysql_select_db("memberdb", $con);
    			mysql_query("UPDATE members SET lastvisit = '$_SESSION[date]', loggedin = '1', sessionid = '$sessionid' WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    
    			header("location: members.php?menutabs=0");
    		}
    
    	}
    
    	if ($_SESSION[formjob] == "3")
    	{
    		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
    		$_SESSION[exists] = "3";
    		require("connectdb.php");
    		mysql_select_db("memberdb", $con);
    		$result = mysql_query("SELECT * FROM members
    		WHERE email = '$_SESSION[email]' LIMIT 1");
    		while($row = mysql_fetch_array($result))
    		{
    			$_SESSION[exists] = "2";
    			$_SESSION[user] = $row['usertitle'];
    			$_SESSION[squestion] = $row['squestion'];
    			$_SESSION[sanswer] = $row['sanswer'];
    		}
    		mysql_close($con);
    		if($_SESSION[exists] <> "2")
    		{
    			header("location:index.php?menutabs=14");
    		}
    		if($_SESSION[exists] == "2")
    		{
    			header("location:index.php?menutabs=15");
    		}
    	}
    
    	if ($_SESSION[formjob] == "4")
    	{
    		$_SESSION[userpass2] = filter_var(mysql_real_escape_string($_POST[pwd2]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[user2] = filter_var(mysql_real_escape_string($_POST[user2]), FILTER_SANITIZE_SPECIAL_CHARS);
    		$_SESSION[sanswer2] = filter_var(mysql_real_escape_string($_POST[sanswer2]), FILTER_SANITIZE_SPECIAL_CHARS);
    		if (empty($_SESSION[userpass2])||($_SESSION[user2]<>$_SESSION[user])||($_SESSION[sanswer2]<>$_SESSION[sanswer]))
    		{
    			header("location:index.php?menutabs=14");
    		}
    		else
    		{
    			require("connectdb.php");
    			mysql_select_db("memberdb", $con);
    			mysql_query("UPDATE members SET password = '$_SESSION[userpass2]' WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    			header("location:index.php?menutabs=16");
    		}
    	}
    
    
    ?>
    paid.php:
    Code:
    <?php session_start(); ?>
    <?php
    echo "registered exists is ".$_SESSION[exists];
    if(($_SESSION[exists] <> "1") && ($_SESSION[passes] == "0") && (!empty ($_SESSION[user])) && (!empty ($_SESSION[email])) && (!empty ($_SESSION[userpass])) && (!empty ($_SESSION[squestion])) && (!empty ($_SESSION[sanswer])) && (!empty ($_SESSION[plan])) && (!empty ($_SESSION[terms])))
    	{
    	$_SESSION[exists] = "3";
    echo "registered exists is ".$_SESSION[exists];			
    	require("phpsnips/appexistchk.php");
    	if($_SESSION[exists] = "2")
    		{	
    echo "registered exists is ".$_SESSION[exists];
    		require("connectdb.php");
    		mysql_select_db("memberdb", $con);
    		$sql = "INSERT INTO members (email, password, squestion, sanswer, joindate, l1refer, plannum, usertitle)
    		VALUES
    		('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[referrer]','$_SESSION [plan]','$_SESSION[user]')";
    		if (!mysql_query($sql,$con))
    		{ die('Error: ' . mysql_error()); }
    		mysql_close($con);
    		require("phpsnips/delfromapp.php");
    		$_SESSION[exists] = "3";
    echo "registered exists is ".$_SESSION[exists];
    		header("location: paidok.php");
    		}
    }
    
    header("location: index.php?menutabs=22");  
    
    	?>
    appexistchk.php:
    Code:
    <?php
    			require("connectdb.php");
    			mysql_select_db("applydb", $con);
    			$result = mysql_query("SELECT email FROM apply
    				WHERE email = '$_SESSION[email]' LIMIT 1");
    			while($row = mysql_fetch_array($result))
    			{
    				$_SESSION[exists] = "2";
    			}
    			mysql_close($con);
    ?>
    memexistchk.php:
    Code:
    <?php
    			require("connectdb.php");
    			mysql_select_db("memberdb", $con);
    			$result = mysql_query("SELECT email FROM members
    				WHERE email = '$_SESSION[email]' LIMIT 1");
    			while($row = mysql_fetch_array($result))
    			{
    				$_SESSION[exists] = "1";
    			}
    			mysql_close($con);
    ?>
    delfromapp.php
    Code:
    <?php
    				require("connectdb.php");
    				mysql_select_db("applydb", $con);
    				mysql_query("DELETE FROM apply WHERE email = '$_SESSION[email]' LIMIT 1");
    				if (!$con)
    				{  die('Error: ' . mysql_error());}
    				mysql_close($con);
    ?>
    checklogin.php:
    Code:
    <?php
    $sessionid = session_id();
    $_SESSION[loggedin] = "0";
    $isloggedin="0";
    
    
    		require("connectdb.php");
    		mysql_select_db("memberdb", $con);
    		$result = mysql_query("SELECT * FROM members
    			WHERE email = '$_SESSION[email]' AND password = '$_SESSION[userpass]' AND loggedin = '1' AND sessionid = '$sessionid' LIMIT 1");
    		while($row = mysql_fetch_array($result))
    		{
    			$isloggedin = "1";
    		}
    		mysql_close($con);
    		$_SESSION[loggedin] = $isloggedin;
    
    
    		if ($_SESSION[loggedin] == "1")
    		{
    			session_regenerate_id();
    			$sessionid = session_id();
    			require("connectdb.php");
    			mysql_select_db("memberdb", $con);
    			mysql_query("UPDATE members SET sessionid = '$sessionid' WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    		}
    		else
    		{
    			require("connectdb.php");
    			mysql_select_db("memberdb", $con);
    			mysql_query("UPDATE members SET loggedin = '0' WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    
         			session_unset();
        			session_destroy();
        			session_write_close();
         			setcookie(session_name(),'',0,'/');
        			session_regenerate_id(true);
    			header("location: index.php?menutabs=21");
    
    		}
    
    ?>

  5. #5 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)
    logout.php:
    Code:
    <?php
         session_start();
    			require("../connectdb.php");
    			mysql_select_db("memberdb", $con);
    			mysql_query("UPDATE members SET loggedin = '0' WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    $userid=$_SESSION[userid];
    
         session_unset();
         session_destroy();
         session_write_close();
         setcookie(session_name(),'',0,'/');
         session_regenerate_id(true);
    ?>
    There is loads more, but I think that this is all that is relevant. Hope it helps answer your questions, and hope you can answer mine.

  6. #6 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)
    I am starting to believe this is a "bug" of sorts... I have merged the two databases into one. I have also put all of the contents into one page (removing the need for "require") to help source the problem.

    I originally ran the following script with the third line setting "exists" to 2 rather than 4. After changing it to 4 and saving, I ran the page again by hitting F5.

    Code:
    <?php session_start(); ?>
    <?php
    	$_SESSION[exists] = "4";
    	if(($_SESSION[exists] <> "1") && ($_SESSION[passes] == "0") && (!empty ($_SESSION[user])) && (!empty ($_SESSION[email])) && (!empty ($_SESSION[userpass])) 
    
    && (!empty ($_SESSION[squestion])) && (!empty ($_SESSION[sanswer])) && (!empty ($_SESSION[terms])))
    	{
    		$_SESSION[exists] = "4";			
    		require("pwinfo.php");
    		$con = mysql_connect($servername,$username,$password);
    		if (!$con)
    		{ die('Could not connect: ' . mysql_error()); }
    		mysql_select_db("metcoldb", $con);
    		$result = mysql_query("SELECT email FROM apply
    		WHERE email = '$_SESSION[email]' LIMIT 1");
    		while($row = mysql_fetch_array($result))
    		{
    			$_SESSION[exists] = "4";
    		}
    		mysql_close($con);
    		if($_SESSION[exists] = "2")
    		{	
    			require("pwinfo.php");
    			$con = mysql_connect($servername,$username,$password);
    			if (!$con)
    			{ die('Could not connect: ' . mysql_error()); }
    			mysql_select_db("metcoldb", $con);
    			$sql = "INSERT INTO members (email, password, squestion, sanswer, joindate, usertitle)
    			VALUES
    			('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[user]')";
    			if (!mysql_query($sql,$con))
    			{ die('Error: ' . mysql_error()); }
    			mysql_close($con);
    			require("pwinfo.php");
    			$con = mysql_connect($servername,$username,$password);
    			if (!$con)
    			{ die('Could not connect: ' . mysql_error()); }
    			mysql_select_db("metcoldb", $con);
    			mysql_query("DELETE FROM apply WHERE email = '$_SESSION[email]' LIMIT 1");
    			mysql_close($con);
    /*			$_SESSION[exists] = "3"; */
    			echo "added";
    		}
    	}
    else 
    {
    echo"not added"; 
    }
    	?>
    
    
    	<p>currently registered info is as follows:</p>
    	<?php echo "registered email is ".$_SESSION[email];?><br/>
    	<?php echo "registered exists is ".$_SESSION[exists]; ?><br/>
    Output is:
    added

    currently registered info is as follows:
    registered email is fgfg@sdds
    registered exists is 2
    If the
    Code:
    /*	$_SESSION[exists] = "3"; */
    at the bottom runs, the output is three. Stop it, and it is back to 2.

    Why is session[exist] coming up as 2???
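An added note on the script above, not part of the thread: in PHP a single `=` inside `if ()` assigns, so `if($_SESSION[exists] = "2")` stores "2" in the session and evaluates to "2", which is truthy; the "added" branch therefore runs whatever the lookup found, and the session value ends as "2" unless a later line overwrites it, which is exactly what the commented-out `= "3"` line does. The same pattern appears in verify.php and paid.php in post #4. The PHP below (added example, constructed inputs) contrasts that form with a real comparison:

```php
<?php
// Added example, not from the thread. Shows why a single "=" inside if()
// makes the "applicant found" branch run unconditionally.

function branch_with_assignment(string $exists): array
{
    // Same shape as the thread's  if($_SESSION[exists] = "2")  -- assignment.
    // The expression's value is "2" (truthy), so the branch always runs,
    // and $exists has been overwritten regardless of what the lookup set.
    if ($exists = "2") {
        $ran = true;
    } else {
        $ran = false;
    }
    return ['ran' => $ran, 'exists_after' => $exists];
}

function branch_with_comparison(string $exists): array
{
    // Strict comparison: runs only when the lookup actually set "2".
    if ($exists === "2") {
        $ran = true;
    } else {
        $ran = false;
    }
    return ['ran' => $ran, 'exists_after' => $exists];
}

// Constructed inputs: "4" models the lookup finding no row in `apply`,
// "2" models it finding one.
var_dump(branch_with_assignment("4"));   // ran => true,  exists_after => "2"
var_dump(branch_with_comparison("4"));   // ran => false, exists_after => "4"
var_dump(branch_with_comparison("2"));   // ran => true,  exists_after => "2"
```

Running PHP with `error_reporting(E_ALL)` also surfaces the unquoted `exists` array key as a notice, which makes this kind of slip easier to spot in a large file.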

  7. #7 (Join Date: Feb 2010, Location: Grantham, UK, Posts: 103)
    I am going to mark this thread as closed as it is a PHP question.
