Reputation: 755
I have a website, and I'm using sessions for the login. On every page of my admin I have a check for whether the user has logged in or not. I have this code:
```php
if(!$_SESSION['loggedin'] && !$_SESSION['userid'])
{
    header('Location:login.php');
}
else
{
    //proceed loading the page
}
```
Now what happens: someone is messing with our site. He/she is entering vulgar text on the website like ... all disrespectful words, and it's so frustrating because the website is accessible to the public. I believe the username and password were hacked. So I asked all admin users to change all passwords, and I added a logger to monitor who updates the content of the website. I record the user id of the logged-in user and its post. After changing passwords, the same thing happened again: content was updated by the hacker, or whoever he is.
I checked my log, and the user id of the hacker is 0. How is that possible, and how do I stop him? It makes me wonder what he did, because the condition at the very top of the page says that if $_SESSION['userid'] has no value, it should redirect them to the login page.
Currently I have put the website offline because the hacker is getting worse and worse. I was able to find out his IP address.
This is my user authentication:
```php
$user=trim($_POST['username']);
$pass=trim(stripslashes($_POST['password']));
$sql="SELECT * FROM users WHERE user='$user' AND pass='$pass'";
$qry=mysql_query($sql) or die (mysql_error());
if( mysql_num_rows($qry) )
{
    $row=mysql_fetch_assoc($qry);
    $_SESSION['userid'] =$row['userid'];
    $_SESSION['loggedin']=1;
    header('Location: welcome.php');
}
else
{
    header('Location:login.php?error=1');
}
```
Upvotes: 1
Views: 191
Reputation: 41257
As @nhahtdh observed, you have an obvious SQL injection. Consider what happens if someone were to enter `admin' OR 1=1; --` into your username field (yes, people do indeed try these sorts of things). Your SQL string gets converted into something like this:
```sql
SELECT * FROM users WHERE user='admin' OR 1=1; -- AND pass='junk'
```
This will select all of the users from your user table. The userid of 0 is, presumably, the first userid in your SQL table.
Please have a look at this excellent answer that explains how to avoid SQL injections.
Upvotes: 3
Reputation: 91942
Make sure to always call `exit` after a `header('Location: ...')` call. Otherwise the script will continue execution after the header call. It will go as far as sending everything after the header call to the browser; regular browsers will see the Location header and do a redirect, but not-so-nice users may ignore the Location header and can surf your "protected" page as they wish!
So, don't forget to always end execution immediately:
```php
header('Location:login.php');
exit;
```
Upvotes: 4
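As an added example (not code from the question or from either answer), here is the same login and page-guard logic rewritten to address both points raised above: the username reaches the query only as a bound parameter instead of being interpolated into the SQL string, passwords are checked with password_verify against stored hashes, and every redirect is followed by exit. It assumes session_start() has already been called, and it uses an in-memory SQLite table with a constructed sample user in place of the MySQL users table so it runs offline.

```php
<?php
// Added example (not the asker's code): the same login flow hardened against the two
// problems the answers raise. An in-memory SQLite table with constructed sample data
// stands in for the MySQL users table so the script runs offline.

function connect(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
    // Constructed sample account; the password is stored hashed, never in clear text.
    $db->prepare('INSERT INTO users (userid, user, pass) VALUES (?, ?, ?)')
       ->execute([7, 'admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the userid on success, null otherwise. The username reaches the database only
// as a bound parameter, so the answer's "admin' OR 1=1; --" input is just a username that
// does not exist: no row comes back and no session is created.
function authenticate(PDO $db, string $user, string $pass): ?int {
    $stmt = $db->prepare('SELECT userid, pass FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Guard for every admin page: redirect AND stop. Note the ||, so either value missing
// denies access (the original && only redirected when both were missing).
function requireLogin(): void {
    if (empty($_SESSION['loggedin']) || empty($_SESSION['userid'])) {
        header('Location: login.php');
        exit;
    }
}

// login.php handler: the session id is regenerated on privilege change, and every
// redirect is followed by exit so nothing after it is ever sent to the client.
function handleLogin(PDO $db): void {
    $id = authenticate($db, trim($_POST['username'] ?? ''), $_POST['password'] ?? '');
    if ($id === null) {
        header('Location: login.php?error=1');
        exit;
    }
    session_regenerate_id(true);
    $_SESSION['userid'] = $id;
    $_SESSION['loggedin'] = 1;
    header('Location: welcome.php');
    exit;
}
```

With this structure a logger that records $_SESSION['userid'] can no longer see a 0, because a session is only ever created from a userid that an exact-match lookup returned.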