adamjones Posted May 12, 2010 Share Posted May 12, 2010 Hi. I have a basic script which removes a user from my database, but only those logged into the CMS can run the script. This is done via sessions. Here is my code; <?php session_start(); if(!session_is_registered(hh374747838807479736408649630860846496782)) { header("location:./"); } if(!session_is_registered(username)) { header("location:./"); } require_once('config.php'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } $qry="SELECT * FROM fuse_rights WHERE username='".$_SESSION['username']."'"; $result=mysql_query($qry); if($result) { if(mysql_num_rows($result) == 1) { $checks = mysql_fetch_assoc($result); $hk = $checks['housekeeping']; $comp = $checks['competitions']; $news = $checks['news']; $events = $checks['events']; $twitter = $checks['twitter']; $forum = $checks['forum_admin']; $pages = $checks['pages']; $users = $checks['users']; $settings = $checks['settings']; $bans = $checks['bans']; } } if(isset($_SESSION['username']) && $hk == 0) { $errflag = true; $errmsg_arr[] = 'You do not have access to the Intra.'; if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: ./error"); } } if(isset($_SESSION['username']) && $users == 0) { header("location: ./dash"); } $username=$_GET['username']; $sql="DELETE FROM users WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM badges WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM profiles WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM fuse_rights WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM coins WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM characters WHERE owner='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM bans WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM alerts WHERE username='$username'"; $result=mysql_query($sql); if($result){ $sql="DELETE FROM achs WHERE username='$username'"; $result=mysql_query($sql); if($result){ $errflag = true; $errmsg_arr[] = '<div id="message-success" class="message message-success"> <div class="image"> <img src="resources/images/icons/success.png" alt="Success" height="32" /> </div> <div class="text"> <h6>Success</h6> <span>User removed.</span> </div> <div class="dismiss"> <a href="#message-success"></a> </div> </div>'; if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: ./user_browser"); } } } } } } } } } } ?> It removes the user, etc, from the database, however, even though the 'hh374747838807479736408649630860846496782' and 'username' sessions haven't been set, I was still able to run the script. :S Any ideas? Thank you. Quote Link to comment https://forums.phpfreaks.com/topic/201487-script-isnt-working-and-therefore-insecure/ Share on other sites More sharing options...
PFMaBiSmAd Posted May 12, 2010 Share Posted May 12, 2010 Each of your header() redirects need exit; statements after them to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect. See my posts in the following thread for more information - http://www.phpfreaks.com/forums/index.php/topic,297383.0.html Also, session_is_registered() only works when register_globals are ON (they were turned off by default in php4.2 in April of the year 2002.) You should use isset($_SESSION[...]) like you are using later in the same code. Quote Link to comment https://forums.phpfreaks.com/topic/201487-script-isnt-working-and-therefore-insecure/#findComment-1057063 Share on other sites More sharing options...
adamjones Posted May 12, 2010 Author Share Posted May 12, 2010 Each of your header() redirects need exit; statements after them to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect. See my posts in the following thread for more information - http://www.phpfreaks.com/forums/index.php/topic,297383.0.html Ahh, thankyou! I never realised this Quote Link to comment https://forums.phpfreaks.com/topic/201487-script-isnt-working-and-therefore-insecure/#findComment-1057064 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.