
Script isn't working, and therefore insecure :(


adamjones


Hi.

I have a basic script which removes a user from my database, but only those logged into the CMS can run the script. This is done via sessions.

Here is my code:

<?php
session_start();

// Gatekeeping: redirect anyone without the two session markers back to the index.
// (There is no exit after header(), so the script keeps running; this is the
// behaviour described in the question.)
if(!session_is_registered(hh374747838807479736408649630860846496782)) {
	header("location:./");
}

if(!session_is_registered(username)) {
	header("location:./");
}

require_once('config.php');
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

// Trim, undo magic quotes if enabled, and escape for use inside a quoted SQL literal.
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

// Default every right to "no access" so a missing fuse_rights row denies rather than
// leaving the variables undefined.
$hk = $comp = $news = $events = $twitter = $forum = $pages = $users = $settings = $bans = 0;
$errmsg_arr = array();

$session_user = isset($_SESSION['username']) ? clean($_SESSION['username']) : '';
$qry = "SELECT * FROM fuse_rights WHERE username='$session_user'";
$result = mysql_query($qry);

if($result && mysql_num_rows($result) == 1) {
	$checks   = mysql_fetch_assoc($result);
	$hk       = $checks['housekeeping'];
	$comp     = $checks['competitions'];
	$news     = $checks['news'];
	$events   = $checks['events'];
	$twitter  = $checks['twitter'];
	$forum    = $checks['forum_admin'];
	$pages    = $checks['pages'];
	$users    = $checks['users'];
	$settings = $checks['settings'];
	$bans     = $checks['bans'];
}

// No housekeeping right: store an error message and redirect (again without exit).
if(isset($_SESSION['username']) && $hk == 0) {
	$errmsg_arr[] = 'You do not have access to the Intra.';
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();
	header("location: ./error");
}

// No user-management right: send back to the dashboard (again without exit).
if(isset($_SESSION['username']) && $users == 0) {
	header("location: ./dash");
}

// The target username comes from the query string; run it through clean() before
// it is placed inside the DELETE statements below.
$username = isset($_GET['username']) ? clean($_GET['username']) : '';

// Every table that holds rows for this user, with the column the rows are keyed on.
// 'characters' keys on owner; the rest key on username.
$tables = array(
	'users'       => 'username',
	'badges'      => 'username',
	'profiles'    => 'username',
	'fuse_rights' => 'username',
	'coins'       => 'username',
	'characters'  => 'owner',
	'bans'        => 'username',
	'alerts'      => 'username',
	'achs'        => 'username',
);

// Delete in order and stop at the first failure, which is what the nested if($result)
// blocks did.
$result = true;
foreach($tables as $table => $column) {
	$sql    = "DELETE FROM $table WHERE $column='$username'";
	$result = mysql_query($sql);
	if(!$result) {
		break;
	}
}

if($result) {
	$errmsg_arr[] = '<div id="message-success" class="message message-success">
							<div class="image">
								<img src="resources/images/icons/success.png" alt="Success" height="32" />
							</div>
							<div class="text">
								<h6>Success</h6>
								<span>User removed.</span>
							</div>
							<div class="dismiss">
								<a href="#message-success"></a>
							</div>
						</div>';
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();
	header("location: ./user_browser");
}
?>

It removes the user, etc., from the database; however, even though the 'hh374747838807479736408649630860846496782' and 'username' sessions haven't been set, I was still able to run the script. :S

Any ideas?

Thank you.

Each of your header() redirects needs an exit; statement after it to prevent the remainder of the code on the page from being executed while the browser requests the URL in the Location: redirect.

See my posts in the following thread for more information - http://www.phpfreaks.com/forums/index.php/topic,297383.0.html

Also, session_is_registered() only works when register_globals is ON (it was turned off by default in PHP 4.2, in April 2002). You should use isset($_SESSION[...]) like you are using later in the same code.
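A guard that applies the two fixes in this reply, written as an added example rather than code from the thread: redirect-then-exit, isset($_SESSION[...]) in place of session_is_registered(), and, going beyond the reply, a prepared-statement delete through mysqli as a swap for the mysql_* calls in the question. The session key names and the fuse_rights column come from the question; the connection details are placeholders.

```php
<?php
session_start();

// header() only queues a response header; PHP keeps executing the rest of
// the script unless we exit, so every redirect used as a guard must exit.
function redirect_and_exit($location) {
	header('Location: ' . $location);
	exit;
}

// session_is_registered() relied on register_globals; test $_SESSION directly.
function require_session_keys(array $keys, $redirect_to = './') {
	foreach ($keys as $key) {
		if (!isset($_SESSION[$key]) || $_SESSION[$key] === '') {
			redirect_and_exit($redirect_to);
		}
	}
}

// Only a user whose fuse_rights row grants the named right may continue.
// The column name is whitelisted because it is interpolated into the SQL.
function require_right(mysqli $db, $username, $right, $redirect_to = './dash') {
	$allowed = array('housekeeping', 'users', 'bans', 'settings');
	if (!in_array($right, $allowed, true)) {
		redirect_and_exit($redirect_to);
	}
	$stmt = $db->prepare("SELECT `$right` FROM fuse_rights WHERE username = ?");
	$stmt->bind_param('s', $username);
	$stmt->execute();
	$stmt->bind_result($granted);
	$found = $stmt->fetch();
	$stmt->close();
	if (!$found || (int) $granted !== 1) {
		redirect_and_exit($redirect_to);
	}
}

require_session_keys(array('username', 'hh374747838807479736408649630860846496782'));

// Placeholder connection details (assumption, not values from the thread).
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
require_right($db, $_SESSION['username'], 'users');

// The target comes from the request, so bind it instead of interpolating it.
$target = isset($_GET['username']) ? $_GET['username'] : '';
$stmt = $db->prepare('DELETE FROM users WHERE username = ?');
$stmt->bind_param('s', $target);
$stmt->execute();
$stmt->close();
redirect_and_exit('./user_browser');
```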

Ahh, thank you! I never realised this :)
