[RESOLVED] site security puzzler

**max2474** · 05-09-2012, 08:56 PM

Hi. I am have a members site with 2 databases. This is working perfectly in normal use, however, I am now trying to make it bullet-proof by adding a few security features (ie - if they hit F5)

I am using this to see if the person has applied :

Code:

...
			$_SESSION[exists] = "0";
			mysql_select_db("applydb", $con);
			$result = mysql_query("SELECT email FROM apply
				WHERE email = '$_SESSION[email]' LIMIT 1");
			while($row = mysql_fetch_array($result))
			{
				$_SESSION[exists] = "1";
			}
			mysql_close($con);
...

If the user exists, they are added to members db, then deleted from the "applied" db. As I have said, this is working fine - am following the info in the database through each step. However, after the member has been deleted from this db, if they hit F5, or call the php file from the browser, $_SESSION[exists] still returns as 1.

If I put two echo statements for $_SESSION[exists] = "1"; , one at beginning and one at end, it returns 0, 1. - even though there is no member in the db anymore.

Help....lol. I have solved a lot of other issues myself, blocking pages if not authorised and the like, but this has me completely stumped.

nb - this only occurs after a successful membership app. All other times, it is working as it should. Have also checked that $_SESSION[email] is retaining correct email address.

**Jeff Mott** · 05-10-2012, 01:18 AM

The code you're showing doesn't include everything you described in your problem. You haven't shown where you insert a member. You haven't shown where you delete a member. We can't find problems if we can't see the code.

But in the mean time, you have bigger problems. Your code is vulnerable to SQL injection. It's one of the most common security issues, but it's also one of the easiest to prevent.

http://php.net/manual/en/security.da...-injection.php

**max2474** · 05-10-2012, 05:25 AM

The reason I have showed only this is because this is the code where the problem lies. I have a few thousand lines. I have protected against injection attacks, I was trying to find out if there are any problems with what you see.

I will post what you ask, let me just try and shrink it first.

**max2474** · 05-10-2012, 05:37 AM

Hope this will make sense to you....

verify.php:

Code:

<?php
		/*job numbers:
		1-apply to join
		2-login
		3-forgotten password - get retrieve info
		4-forgotten password - write new password*/

	require("connectdb.php");

	$formjob = filter_var(mysql_real_escape_string($_POST[formjob]), FILTER_SANITIZE_NUMBER_INT);
	$_SESSION[formjob] = $formjob;	
	
	if ($_SESSION[formjob] == "1")
	{
		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
		$_SESSION[userpass] = filter_var(mysql_real_escape_string($_POST[pwd]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[user] = filter_var(mysql_real_escape_string($_POST[user]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[squestion] = filter_var(mysql_real_escape_string($_POST[squestion]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[sanswer] = filter_var(mysql_real_escape_string($_POST[sanswer]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[plan] = filter_var(mysql_real_escape_string($_POST[plan]), FILTER_SANITIZE_NUMBER_INT);
		$_SESSION[date] = filter_var(mysql_real_escape_string($_POST[date]), FILTER_SANITIZE_NUMBER_INT);
		$_SESSION[terms] = filter_var(mysql_real_escape_string($_POST[terms]), FILTER_SANITIZE_SPECIAL_CHARS);
		if (empty ($_SESSION[user])) { $_SESSION[passes] = "1";}
		elseif (empty  ($_SESSION[email])){ $_SESSION[passes] = "2";}
		elseif (empty  ($_SESSION[userpass])){ $_SESSION[passes] = "3";}
		elseif (empty  ($_SESSION[squestion])){ $_SESSION[passes] = "4";}
		elseif (empty  ($_SESSION[sanswer])){ $_SESSION[passes] = "5";}
		elseif (empty  ($_SESSION[plan])){ $_SESSION[passes] = "6";}
		elseif (empty  ($_SESSION[terms])){ $_SESSION[passes] = "7";}
		else {$_SESSION[passes] = "0";}
		if ($_SESSION[passes] <> "0")
			{ header("location:index.php?menutabs=9"); }

		if (!filter_var(($_SESSION[email]), FILTER_VALIDATE_EMAIL))
		{ header("location:index.php?menutabs=17"); }
		elseif ($_SESSION[passes] == "0")
		{
			$_SESSION[exists] = "3";
			require("phpsnips/appexistchk.php");

			if($_SESSION[exists] = "2")
			{
				require("phpsnips/delfromapp.php");
				$_SESSION[exists] = "3";
			}

			require("phpsnips/memexistchk.php");


			if($_SESSION[exists] == "3")
			{	
				require("connectdb.php");
				mysql_select_db("applydb", $con);
				$sql = "INSERT INTO apply (email, password, squestion, sanswer, joindate, l1refer, plannum, usertitle)
				VALUES
				('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[referrer]','$_SESSION[plan]','$_SESSION[user]')";
				if (!mysql_query($sql,$con))
				{ die('Error: ' . mysql_error()); }
				mysql_close($con);
			}
			if($_SESSION[exists] == "1")
			{
				header("location:index.php?menutabs=8");
			}
			if(($_SESSION[plan] == "1")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
				{ header("location:index.php?menutabs=11"); }		
			if(($_SESSION[plan] == "2")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
				{ header("location:index.php?menutabs=12"); }
			if(($_SESSION[plan] == "3")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
				{ header("location:index.php?menutabs=13"); }
			if(($_SESSION[plan] == "4")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
				{ header("location:index.php?menutabs=19"); }
			if(($_SESSION[plan] == "5")&&($_SESSION[exists] <> "1")&&($_SESSION[passes] == "0"))
				{ header("location:index.php?menutabs=20"); }
		}
	}

	if ($_SESSION[formjob] == "2")
	{
		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
		$_SESSION[userpass] = filter_var(mysql_real_escape_string($_POST[pwd]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[date] = filter_var(mysql_real_escape_string($_POST[date]), FILTER_SANITIZE_NUMBER_INT);
		$loginsuccess = "0";
		require("connectdb.php");
		mysql_select_db("memberdb", $con);
		$result = mysql_query("SELECT * FROM members
		WHERE email = '$_SESSION[email]' AND password = '$_SESSION[userpass]' LIMIT 1");
		while($row = mysql_fetch_array($result))
		{
			$loginsuccess = "1";
			$_SESSION[user] = $row['usertitle'];
			$_SESSION[squestion] = $row['squestion'];
			$_SESSION[lastvisit] = $row['lastvisit'];
			$_SESSION[userid] = $row['userid'];
/*get more vars here!*/


		}
		mysql_close($con);
		if ($loginsuccess == "0")
		{
			$_SESSION[exists] = "3";
			require("phpsnips/appexistchk.php");
			if ($_SESSION[exists] == "2")
			{
				$_SESSION[exists] = "3";
				require("phpsnips/delfromapp.php");
				header("location: index.php?menutabs=18");
			}
			else
			{	header("location: index.php?menutabs=10");}
		}
		elseif ($loginsuccess == "1")
		{

$sessionid = session_id();
			require("connectdb.php");
			mysql_select_db("memberdb", $con);
			mysql_query("UPDATE members SET lastvisit = '$_SESSION[date]', loggedin = '1', sessionid = '$sessionid' WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);

			header("location: members.php?menutabs=0");
		}

	}

	if ($_SESSION[formjob] == "3")
	{
		$_SESSION[email] = filter_var(mysql_real_escape_string($_POST[email]), FILTER_SANITIZE_EMAIL);
		$_SESSION[exists] = "3";
		require("connectdb.php");
		mysql_select_db("memberdb", $con);
		$result = mysql_query("SELECT * FROM members
		WHERE email = '$_SESSION[email]' LIMIT 1");
		while($row = mysql_fetch_array($result))
		{
			$_SESSION[exists] = "2";
			$_SESSION[user] = $row['usertitle'];
			$_SESSION[squestion] = $row['squestion'];
			$_SESSION[sanswer] = $row['sanswer'];
		}
		mysql_close($con);
		if($_SESSION[exists] <> "2")
		{
			header("location:index.php?menutabs=14");
		}
		if($_SESSION[exists] == "2")
		{
			header("location:index.php?menutabs=15");
		}
	}

	if ($_SESSION[formjob] == "4")
	{
		$_SESSION[userpass2] = filter_var(mysql_real_escape_string($_POST[pwd2]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[user2] = filter_var(mysql_real_escape_string($_POST[user2]), FILTER_SANITIZE_SPECIAL_CHARS);
		$_SESSION[sanswer2] = filter_var(mysql_real_escape_string($_POST[sanswer2]), FILTER_SANITIZE_SPECIAL_CHARS);
		if (empty($_SESSION[userpass2])||($_SESSION[user2]<>$_SESSION[user])||($_SESSION[sanswer2]<>$_SESSION[sanswer]))
		{
			header("location:index.php?menutabs=14");
		}
		else
		{
			require("connectdb.php");
			mysql_select_db("memberdb", $con);
			mysql_query("UPDATE members SET password = '$_SESSION[userpass2]' WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);
			header("location:index.php?menutabs=16");
		}
	}


?>

paid.php:

Code:

<?php session_start(); ?>
<?php
echo "registered exists is ".$_SESSION[exists];
if(($_SESSION[exists] <> "1") && ($_SESSION[passes] == "0") && (!empty ($_SESSION[user])) && (!empty ($_SESSION[email])) && (!empty ($_SESSION[userpass])) && (!empty ($_SESSION[squestion])) && (!empty ($_SESSION[sanswer])) && (!empty ($_SESSION[plan])) && (!empty ($_SESSION[terms])))
	{
	$_SESSION[exists] = "3";
echo "registered exists is ".$_SESSION[exists];			
	require("phpsnips/appexistchk.php");
	if($_SESSION[exists] = "2")
		{	
echo "registered exists is ".$_SESSION[exists];
		require("connectdb.php");
		mysql_select_db("memberdb", $con);
		$sql = "INSERT INTO members (email, password, squestion, sanswer, joindate, l1refer, plannum, usertitle)
		VALUES
		('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[referrer]','$_SESSION [plan]','$_SESSION[user]')";
		if (!mysql_query($sql,$con))
		{ die('Error: ' . mysql_error()); }
		mysql_close($con);
		require("phpsnips/delfromapp.php");
		$_SESSION[exists] = "3";
echo "registered exists is ".$_SESSION[exists];
		header("location: paidok.php");
		}
}

header("location: index.php?menutabs=22");  

	?>

appexistchk.php:

Code:

<?php
			require("connectdb.php");
			mysql_select_db("applydb", $con);
			$result = mysql_query("SELECT email FROM apply
				WHERE email = '$_SESSION[email]' LIMIT 1");
			while($row = mysql_fetch_array($result))
			{
				$_SESSION[exists] = "2";
			}
			mysql_close($con);
?>

memexistchk.php:

Code:

<?php
			require("connectdb.php");
			mysql_select_db("memberdb", $con);
			$result = mysql_query("SELECT email FROM members
				WHERE email = '$_SESSION[email]' LIMIT 1");
			while($row = mysql_fetch_array($result))
			{
				$_SESSION[exists] = "1";
			}
			mysql_close($con);
?>

delfromapp.php

Code:

<?php
				require("connectdb.php");
				mysql_select_db("applydb", $con);
				mysql_query("DELETE FROM apply WHERE email = '$_SESSION[email]' LIMIT 1");
				if (!$con)
				{  die('Error: ' . mysql_error());}
				mysql_close($con);
?>

checklogin.php:

Code:

<?php
$sessionid = session_id();
$_SESSION[loggedin] = "0";
$isloggedin="0";


		require("connectdb.php");
		mysql_select_db("memberdb", $con);
		$result = mysql_query("SELECT * FROM members
			WHERE email = '$_SESSION[email]' AND password = '$_SESSION[userpass]' AND loggedin = '1' AND sessionid = '$sessionid' LIMIT 1");
		while($row = mysql_fetch_array($result))
		{
			$isloggedin = "1";
		}
		mysql_close($con);
		$_SESSION[loggedin] = $isloggedin;


		if ($_SESSION[loggedin] == "1")
		{
			session_regenerate_id();
			$sessionid = session_id();
			require("connectdb.php");
			mysql_select_db("memberdb", $con);
			mysql_query("UPDATE members SET sessionid = '$sessionid' WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);
		}
		else
		{
			require("connectdb.php");
			mysql_select_db("memberdb", $con);
			mysql_query("UPDATE members SET loggedin = '0' WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);

     			session_unset();
    			session_destroy();
    			session_write_close();
     			setcookie(session_name(),'',0,'/');
    			session_regenerate_id(true);
			header("location: index.php?menutabs=21");

		}

?>

**max2474** · 05-10-2012, 05:39 AM

logout.php:

Code:

<?php
     session_start();
			require("../connectdb.php");
			mysql_select_db("memberdb", $con);
			mysql_query("UPDATE members SET loggedin = '0' WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);
$userid=$_SESSION[userid];

     session_unset();
     session_destroy();
     session_write_close();
     setcookie(session_name(),'',0,'/');
     session_regenerate_id(true);
?>

There is loads more but think that this is all that is relevant. Hope it helps answer your questions, and hope you can answer mine

**max2474** · 05-11-2012, 10:56 AM

I am starting to believe this is a "bug" of sorts... I have merged the two databases into one. I have also put all of the contents into one page (removing the need for "require") to help source the problem.

I originally ran the following script with the third line setting "exists" to 2 rather than 4. after changing it to 4 and saving, I ran the page again by hitting F5

Code:

<?php session_start(); ?>
<?php
	$_SESSION[exists] = "4";
	if(($_SESSION[exists] <> "1") && ($_SESSION[passes] == "0") && (!empty ($_SESSION[user])) && (!empty ($_SESSION[email])) && (!empty ($_SESSION[userpass])) 

&& (!empty ($_SESSION[squestion])) && (!empty ($_SESSION[sanswer])) && (!empty ($_SESSION[terms])))
	{
		$_SESSION[exists] = "4";			
		require("pwinfo.php");
		$con = mysql_connect($servername,$username,$password);
		if (!$con)
		{ die('Could not connect: ' . mysql_error()); }
		mysql_select_db("metcoldb", $con);
		$result = mysql_query("SELECT email FROM apply
		WHERE email = '$_SESSION[email]' LIMIT 1");
		while($row = mysql_fetch_array($result))
		{
			$_SESSION[exists] = "4";
		}
		mysql_close($con);
		if($_SESSION[exists] = "2")
		{	
			require("pwinfo.php");
			$con = mysql_connect($servername,$username,$password);
			if (!$con)
			{ die('Could not connect: ' . mysql_error()); }
			mysql_select_db("metcoldb", $con);
			$sql = "INSERT INTO members (email, password, squestion, sanswer, joindate, usertitle)
			VALUES
			('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[user]')";
			if (!mysql_query($sql,$con))
			{ die('Error: ' . mysql_error()); }
			mysql_close($con);
			require("pwinfo.php");
			$con = mysql_connect($servername,$username,$password);
			if (!$con)
			{ die('Could not connect: ' . mysql_error()); }
			mysql_select_db("metcoldb", $con);
			mysql_query("DELETE FROM apply WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);
/*			$_SESSION[exists] = "3"; */
			echo "added";
		}
	}
else 
{
echo"not added"; 
}
	?>


	<p>currently registered info is as follows:</p>
	<?php echo "registered email is ".$_SESSION[email];?><br/>
	<?php echo "registered exists is ".$_SESSION[exists]; ?><br/>

output is

added

currently registered info is as follows:
registered email is fgfg@sdds
registered exists is 2

if the

Code: