Results 1 to 3 of 3
  1. #1
    Join Date
    Mar 2002

    Unanswered: how secure is this?

    Hi all,
    Just wondered if somebody could take a quick look at the code below to see how secure it is.

    New to 'sessions' and 'cookies' so let me know what you think!!

    setcookie(UserLevel,$data["UserLevel"],time()-1200,'/',$SERVER_NAME); //deleting cookie
    setcookie(recognised,$recognised,time()-1200,'/',$SERVER_NAME); //deleting cookie
    setcookie(UserEmail,$data["UserEmail"],time()-1200,'/',$SERVER_NAME); //deleting cookie
    header("Location: $base/pages/home.php"); // Redirect browser //
    if($logingin=="Y"){ //on restircted page and has compleated form below
    $sql = "SELECT UserLevel,userID,UserEmail,Uname,Usurname,UtotalVisit FROM users WHERE UserEmail='$userID' AND Upass=MD5('$userPassword')";
    $result = mysql_query($sql) or die(mysql_error() ."".$sql);
    $recognised = mysql_num_rows($result);
    $data = mysql_fetch_array($result);
    $UtotalVisit = $data["UtotalVisit"];
    setcookie(UserLevel,$data["UserLevel"],time()+1200,'/',$SERVER_NAME); //set for 20min
    setcookie(recognised,$recognised,time()+1200,'/',$SERVER_NAME); //set for 20min
    setcookie(UserEmail,$data["UserEmail"],time()+9999999,'/',$SERVER_NAME); //set for ages
    $R=mysql_query("UPDATE users SET UtotalVisit='$UtotalVisit' WHERE UserEmail='$userID'") or die(mysql_error());
    if($recognised==1) {
    header("Location: $base/pages/admin.php"); // Redirect browser to admin page //
    if($recognised==0) { // not allowed/recognised so disallow
    header("Location: $base/index.php"); // Redirect browser to index //
    if(in_array(1,$pageLEVEL, true)){ //general page so allow
    setcookie(recognised,'1',time()+1200,'/',$SERVER_NAME); //set for 20min
    } elseif (in_array(9,$pageLEVEL, true) AND $_COOKIE[UserLevel]!=9){ //restricted page so show login form
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
    <title><?php echo $COMMONpageTitle ?>:: Login</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link rel="stylesheet" href="<?php echo $base?>/templates/style.css" type="text/css">
    <style type="text/css">
    body {
    	background-color: #FFFFFF;
    <table width="100%" border="0" cellspacing="0" cellpadding="0" height="100%">
          <td  class="p_sml">      <div align="center">
            To access this page please enter your sign-in details below
                <form name="form1" method="post" action="">
              <table border=0 cellspacing=0 cellpadding=0 bgcolor=#FFFFFF height=25>
                <tr valign=middle>
                  <td width=136 height=0 class="p_sml">usernname</td>
                  <td width=105 align=left height=0><font size=-4>
                    <input class=\"p_sml\" type=text name=userID size=20 maxlength="50">
                  <td width=83 height=0></td>
                  <td width=126 height=0 class="p_sml">password</td>
                  <td width=105 align=left height=0><font size=-4>
                    <input class=\"p_sml\" type=password name=userPassword size=20 maxlength="50">
                  <td width=83 height=0></td>
                  <td align=right width=112 height=0 valign=baseline>
    			  <input type="hidden" name="logingin" value="Y">
    			  <input type="hidden" name="pageLEVEL" value="<?php echo $pageLEVEL?>">
                  <input type="submit" name="Submit" value="Submit"></td>

    Should have probably added that the code is called by:

    Restricted page:
    <?php $pageNAME="admin"; $pageLEVEL=array(9); include("../inc/login/"); ?>

    Non-restricted page:
    <?php $pageNAME="home"; $pageLEVEL=array(1,9); include("../inc/login/"); ?>

    Thanks in advance
    Last edited by orange; 07-15-04 at 09:08.

  2. #2
    Join Date
    Dec 2003
    Houston, TX
    I find that looking at how other people do it to be helpful sometimes.

    require ("inc/");
    IF ((!$uid=="") AND (strlen($_SESSION['uid'])==0)){
    	$MySQL = "SELECT * FROM user WHERE username = '$uid' AND password = '$md5'";
    	$result = @mysql_query($MySQL) or die ('<br><p align="center" style="color:red;"><b>Unable to perform SQL query.</b></p><br>');
    	IF (mysql_num_rows($result)==0){echo('<br><p align="center" style="color:red;"><b>Invalid Username/Password Combination</p>');include ("");}
    		$userid = @mysql_result($result,0,"recID");
    		$type = @mysql_result($result,0,"type");
    		$_SESSION['uid'] = $userid;
    		$_SESSION['name']= @mysql_result($result,0,"name");
    		if ($type=="a") {$file="ppsadmin/UserList.php";}
    		else {$file="index2.php";}
    <META HTTP-EQUIV=Refresh CONTENT="2; URL=<?echo($file);?>">
    <?echo('<br>&nbsp;Please hold one second while we process your login...<br>&nbsp;If this page does not refresh in 3 seconds, ');?><A HREF="<?echo($file);?>"><?echo("click here");?></a>
    ELSE if (strlen($_SESSION['uid'])==0) {include ("");}
    I do not fear computers. I fear the lack of them.
    -Isaac Asimov (1920 - 1992)

  3. #3
    Join Date
    Feb 2002
    San Francisco, CA


    PHP Code:
    $sql "SELECT UserLevel,userID,UserEmail,Uname,Usurname,UtotalVi  sit FROM users WHERE UserEmail='$userID' AND Upass=MD5('$userPassword')"
    This is possibly a very bad idea...depending on where $userID comes from (I haven't read all of the code in detail - this just stood out)...see here...

    If $userID="1'; drop table users; SELECT * from users where useremail='" then you'd be in trouble...assuming your permissions for the php application were badly set. But even if they weren't - you may still get people trying to insert a new user doing this...

    This is called an SQL insertion attack - it may or may not be possible with your code - it really depends what you do to get $userID - if it is straight from a form and un-processed, then its need to process it with something like htmlenties or just simply strip all the ' and " and other characters which could be malicous in and SQL statement.

    Check your database permissions for the PHP user as well.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts