adamjones Posted May 12, 2010

Hi. I have a basic script which removes a user from my database, but only those logged into the CMS can run the script. This is done via sessions. Here is my code:

```php
<?php
session_start();
if(!session_is_registered(hh374747838807479736408649630860846496782)) {
    header("location:./");
}
if(!session_is_registered(username)) {
    header("location:./");
}
require_once('config.php');
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
$qry="SELECT * FROM fuse_rights WHERE username='".$_SESSION['username']."'";
$result=mysql_query($qry);
if($result) {
    if(mysql_num_rows($result) == 1) {
        $checks = mysql_fetch_assoc($result);
        $hk = $checks['housekeeping'];
        $comp = $checks['competitions'];
        $news = $checks['news'];
        $events = $checks['events'];
        $twitter = $checks['twitter'];
        $forum = $checks['forum_admin'];
        $pages = $checks['pages'];
        $users = $checks['users'];
        $settings = $checks['settings'];
        $bans = $checks['bans'];
    }
}
if(isset($_SESSION['username']) && $hk == 0) {
    $errflag = true;
    $errmsg_arr[] = 'You do not have access to the Intra.';
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: ./error");
    }
}
if(isset($_SESSION['username']) && $users == 0) {
    header("location: ./dash");
}
// clean() is defined above but was never applied to this request value;
// the username is used unescaped in every DELETE below, so it is passed through clean() here.
$username=clean($_GET['username']);
$sql="DELETE FROM users WHERE username='$username'";
$result=mysql_query($sql);
if($result){
    $sql="DELETE FROM badges WHERE username='$username'";
    $result=mysql_query($sql);
    if($result){
        $sql="DELETE FROM profiles WHERE username='$username'";
        $result=mysql_query($sql);
        if($result){
            $sql="DELETE FROM fuse_rights WHERE username='$username'";
            $result=mysql_query($sql);
            if($result){
                $sql="DELETE FROM coins WHERE username='$username'";
                $result=mysql_query($sql);
                if($result){
                    $sql="DELETE FROM characters WHERE owner='$username'";
                    $result=mysql_query($sql);
                    if($result){
                        $sql="DELETE FROM bans WHERE username='$username'";
                        $result=mysql_query($sql);
                        if($result){
                            $sql="DELETE FROM alerts WHERE username='$username'";
                            $result=mysql_query($sql);
                            if($result){
                                $sql="DELETE FROM achs WHERE username='$username'";
                                $result=mysql_query($sql);
                                if($result){
                                    $errflag = true;
                                    $errmsg_arr[] = '<div id="message-success" class="message message-success">
                                        <div class="image">
                                            <img src="resources/images/icons/success.png" alt="Success" height="32" />
                                        </div>
                                        <div class="text">
                                            <h6>Success</h6>
                                            <span>User removed.</span>
                                        </div>
                                        <div class="dismiss">
                                            <a href="#message-success"></a>
                                        </div>
                                    </div>';
                                    if($errflag) {
                                        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
                                        session_write_close();
                                        header("location: ./user_browser");
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
?>
```

It removes the user, etc., from the database; however, even though the 'hh374747838807479736408649630860846496782' and 'username' sessions haven't been set, I was still able to run the script. :S Any ideas? Thank you.

Link to comment: https://forums.phpfreaks.com/topic/201487-script-isnt-working-and-therefore-insecure/
PFMaBiSmAd Posted May 12, 2010

Each of your header() redirects needs an exit; statement after it to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect. See my posts in the following thread for more information: http://www.phpfreaks.com/forums/index.php/topic,297383.0.html

Also, session_is_registered() only works when register_globals is ON (it was turned off by default in PHP 4.2 in April of the year 2002). You should use isset($_SESSION[...]) like you are using later in the same code.
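The two fixes from the reply above, shown as an added example that is not code from either poster. It assumes the login page sets $_SESSION['username'], that $link and the DB constants are set up as in the original script, and that the rights table and columns are the ones the thread uses; the guard functions are hypothetical names.

```php
<?php
// Added example (not the poster's code): the redirect guards done correctly.
// Assumes config.php and $link = mysql_connect(...) exactly as in the thread.
session_start();

// Send the Location header and STOP. Without exit, PHP keeps executing the
// rest of the file, which is why the DELETE queries still ran for a request
// that had no session at all.
function redirect_and_exit($url)
{
    header('Location: ' . $url);
    exit;
}

// Check the session with isset(); session_is_registered() depends on
// register_globals and silently returns false when that setting is off.
function require_login()
{
    if (!isset($_SESSION['username'])) {
        redirect_and_exit('./');
    }
}

// Fail closed on one rights flag: a missing fuse_rights row, a failed query,
// or a 0 flag all end the request. $column is a literal chosen by the script,
// never user input.
function require_right($link, $column)
{
    $user = mysql_real_escape_string($_SESSION['username'], $link);
    $res  = mysql_query("SELECT `$column` FROM fuse_rights WHERE username='$user'", $link);
    $row  = $res ? mysql_fetch_assoc($res) : false;   // false when no row matches
    if (!$row || (int) $row[$column] !== 1) {
        redirect_and_exit('./dash');
    }
}

require_login();
require_right($link, 'housekeeping');
require_right($link, 'users');

// Only an authenticated user holding both rights reaches this line, so the
// deletions can no longer be triggered by an anonymous GET.
$username = mysql_real_escape_string($_GET['username'], $link);
mysql_query("DELETE FROM users WHERE username='$username'", $link);
```

Every subsequent DELETE in the original script can follow this point unchanged; the point is that nothing below the guards executes unless each one passes.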
adamjones Posted May 12, 2010 (Author)

> Each of your header() redirects needs an exit; statement after it to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect. See my posts in the following thread for more information: http://www.phpfreaks.com/forums/index.php/topic,297383.0.html

Ahh, thank you! I never realised this.