tourer Posted December 7, 2009

Hello friends. I have implemented a slot booking system for performing live experiments virtually. The virtual experiment is a swf file which is called by an html page. Now, for performing the experiment, the user has to enter a resid which matches the booking date & time booked by the user. Then the html file is opened. The code for the same is provided below.

logintest.html

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title></title>
    <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
    </head>
    <body>
    <!-- the form must sit in the body, not the head -->
    <form name="form1" method="post" action="honda.php">
    <table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
    <tr>
    <td width="150">Reservation Id</td>
    <td><input name="resid1" type="text" id="resid"></td>
    </tr>
    <tr>
    <td width="150"> </td>
    <td><input type="submit" name="btnLogin" value="Login"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

honda.php

    <?php
    date_default_timezone_set('Asia/Kolkata');
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = 'XXXX';
    $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
    $dbname = 'phpscheduleit';
    mysql_select_db($dbname, $conn) or die("could not open db" . mysql_error());

    // Make timestamp for today's date
    $dv = array();
    $today = getdate();
    $dv['month'] = $today['mon'];
    $dv['day'] = $today['mday'];
    $dv['year'] = $today['year'];
    $default = true;
    $dv['todayTs'] = mktime(0, 0, 0, $dv['month'], $dv['day'], $dv['year']);
    // Current time as minutes since midnight, the same unit as starttime/endtime
    $Tdate = date('H') * 60 + date('i');

    // Escape the submitted id before it goes into the query; the raw value
    // in the SQL string would be an SQL injection hole
    $userId = isset($_POST["resid1"]) ? mysql_real_escape_string($_POST["resid1"], $conn) : '';
    $sql = "SELECT resid, start_date, starttime, endtime FROM reservations WHERE resid = '$userId'";
    $result = mysql_query($sql) or die('Query failed. ' . mysql_error());
    if (mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result); // Fetch Data and use $row to get fields data
        if ($dv['todayTs'] == $row["start_date"]) {
            if ($Tdate >= $row["starttime"] && $Tdate < $row["endtime"]) {
                header("Location: http://58.68.9.203/experiment/e1.html");
                exit; // header() does not stop the script by itself
            } else {
                echo "This is not your time slot";
            }
        } else {
            echo "Your slot is booked for some other day";
        }
    } else {
        echo "Wrong Reservation id";
    }
    ?>

The problem I am facing here is that if the URL of the html file to be opened is pasted directly into the address bar, it bypasses the verification of the resid part and opens the swf file directly. My whole idea of automating the system got crushed. Now, is there any way, or some code which I may include, which will enable the html file only when the user came from the previous page or went through the resid check procedure?
oni-kun Posted December 7, 2009

> [tourer's post above, quoted in full]

From the look of it, you do not have sessions. You should start the session on the login/resid-entering page and it will carry over to the other page. If $_SESSION['logged_in'] is false, for example, you can redirect them to a login page and disallow access via an IF statement or otherwise.

Just to note: someone may be able to directly access the SWF itself, by copying the source of it and entering it, bypassing PHP altogether (since it's a resource). I'm not sure what your SWF actually contains, but if it's important then you should add checks to that as well, or disallow access except through the page.
tourer (Author) Posted December 7, 2009

> I'm not sure what your SWF actually contains, but if it's important then you should add checks to that as well, or disallow access except through the page.

This is what I am trying to initialize. But how to limit the swf? Maybe if we can just disable the webpage opening directly using the URL, then it may solve my purpose....
oni-kun Posted December 7, 2009

> This is what I am trying to initialize. But how to limit the swf? Maybe if we can just disable the webpage opening directly using the URL, then it may solve my purpose....

Your method uses referrers, which can be spoofed and are not reliable, nor required to be set by the client. Sessions are what you are looking for; then you have to initiate the session (by NOT going directly to the URL) and then, if you are authenticated, allow access.
tourer (Author) Posted December 7, 2009

Here is my e1.html file. I am unable to even start. Could you please have a look at the previous 2 files and this one, which is called finally? Thnx & Regards:

    <!-- saved from url=(0014)about:internet -->
    <html lang="en">
    <!-- Smart developers always View Source. This application was built using Adobe Flex, an open source framework for building rich Internet applications that get delivered via the Flash Player or to desktops via Adobe AIR. Learn more about Flex at http://flex.org // -->
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <!-- BEGIN Browser History required section -->
    <link rel="stylesheet" type="text/css" href="history/history.css" />
    <!-- END Browser History required section -->
    <title></title>
    <script src="AC_OETags.js" language="javascript"></script>
    <!-- BEGIN Browser History required section -->
    <script src="history/history.js" language="javascript"></script>
    <!-- END Browser History required section -->
    <style>
    body { margin: 0px; overflow:hidden }
    </style>
    <script language="JavaScript" type="text/javascript">
    <!--
    // -----------------------------------------------------------------------------
    // Globals
    // Major version of Flash required
    var requiredMajorVersion = 9;
    // Minor version of Flash required
    var requiredMinorVersion = 0;
    // Revision of Flash required
    var requiredRevision = 28;
    // -----------------------------------------------------------------------------
    // -->
    </script>
    </head>
    <body scroll="no">
    <script language="JavaScript" type="text/javascript">
    <!--
    // Version check for the Flash Player that has the ability to start Player Product Install (6.0r65)
    var hasProductInstall = DetectFlashVer(6, 0, 65);
    // Version check based upon the values defined in globals
    var hasRequestedVersion = DetectFlashVer(requiredMajorVersion, requiredMinorVersion, requiredRevision);
    if ( hasProductInstall && !hasRequestedVersion ) {
        // DO NOT MODIFY THE FOLLOWING FOUR LINES
        // Location visited after installation is complete if installation is required
        var MMPlayerType = (isIE == true) ? "ActiveX" : "PlugIn";
        var MMredirectURL = window.location;
        // was "gaurav.slice(0, 47)": gaurav is never defined, which throws a ReferenceError
        document.title = document.title.slice(0, 47) + " - Flash Player Installation";
        var MMdoctitle = document.title;
        AC_FL_RunContent(
            "src", "playerProductInstall",
            "FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='+MMPlayerType+'&MMdoctitle='+MMdoctitle+"",
            "width", "1021",
            "height", "610",
            "align", "middle",
            "id", "e1",
            "quality", "high",
            "bgcolor", "#ffffff",
            "name", "e1",
            "allowScriptAccess","sameDomain",
            "type", "application/x-shockwave-flash",
            "pluginspage", "http://www.adobe.com/go/getflashplayer"
        );
    } else if (hasRequestedVersion) {
        // if we've detected an acceptable version
        // embed the Flash Content SWF when all tests are passed
        AC_FL_RunContent(
            "src", "e1",
            "width", "1021",
            "height", "610",
            "align", "middle",
            "id", "e1",
            "quality", "high",
            "bgcolor", "#ffffff",
            "name", "e1",
            "allowScriptAccess","sameDomain",
            "type", "application/x-shockwave-flash",
            "pluginspage", "http://www.adobe.com/go/getflashplayer"
        );
    } else {  // flash is too old or we can't detect the plugin
        var alternateContent = 'Alternate HTML content should be placed here. '
            + 'This content requires the Adobe Flash Player. '
            + '<a href=http://www.adobe.com/go/getflash/>Get Flash</a>';
        document.write(alternateContent);  // insert non-flash content
    }
    // -->
    </script>
    <noscript>
    <!-- Note: the fallback below points at a path on the server's local disk; a visitor's browser cannot load that. It should reference e1.swf relative to this page, as the script block does. -->
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="e1" width="1021" height="610" codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
    <param name="movie" value="C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\blazeds\e1.swf" />
    <param name="quality" value="high" />
    <param name="bgcolor" value="#ffffff" />
    <param name="allowScriptAccess" value="sameDomain" />
    <embed src="C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\blazeds\e1.swf" quality="high" bgcolor="#ffffff" width="1021" height="610" name="e1" align="middle" play="true" loop="false" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer">
    </embed>
    </object>
    </noscript>
    </body>
    </html>
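Putting oni-kun's session advice into code, as an added example that is not from the thread: honda.php records the granted slot in the session instead of redirecting to a static e1.html, and one gate script serves both e1.html and e1.swf only while that slot is active, so neither file has a URL that can be pasted into the address bar. The file name gate.php, the e1.php/swf.php wrappers and the /var/www/protected/ directory are assumptions.

```php
<?php
// gate.php: shared by the login script and by every resource that must only be
// reachable after the reservation check. The file name and the protected
// directory used below are assumptions for this example.
session_start();

// honda.php calls this once the resid, date and time-slot check has passed,
// instead of redirecting straight to a static e1.html:
//   grant_slot($row['resid'],
//              $row['start_date'] + 60 * $row['starttime'],   // minutes -> seconds
//              $row['start_date'] + 60 * $row['endtime']);
//   header('Location: e1.php'); exit;
function grant_slot($resid, $startTs, $endTs) {
    session_regenerate_id(true);        // fresh id on login: blocks session fixation
    $_SESSION['resid']      = $resid;
    $_SESSION['slot_start'] = $startTs;
    $_SESSION['slot_end']   = $endTs;
}

// True only while a granted slot is running; the server clock, not the client,
// decides, so a session cannot be kept alive past the booked end time.
function slot_is_active($now = null) {
    if ($now === null) { $now = time(); }
    return isset($_SESSION['resid'], $_SESSION['slot_start'], $_SESSION['slot_end'])
        && $now >= $_SESSION['slot_start'] && $now < $_SESSION['slot_end'];
}

// Send anyone without an active slot back to the form. exit is required:
// header() alone does not stop the rest of the page from being output.
function require_slot() {
    if (!slot_is_active()) {
        header('Location: logintest.html');
        exit;
    }
}

// Stream a file kept OUTSIDE the document root, so the swf and the html have
// no URL of their own and a direct request finds nothing to fetch.
function send_protected($name, $type) {
    require_slot();
    $path = '/var/www/protected/' . basename($name);   // basename(): no ../ escapes
    if (!is_file($path)) { header('HTTP/1.0 404 Not Found'); exit; }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
// e1.php:  require 'gate.php'; send_protected('e1.html', 'text/html');
// swf.php: require 'gate.php'; send_protected('e1.swf', 'application/x-shockwave-flash');
```

Inside the served e1.html the object/embed tags then point at swf.php rather than e1.swf; note that the AC_FL_RunContent helper appends ".swf" to its "src" argument, so plain object/embed tags are the simpler way to reference the PHP wrapper.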