I have been hacked and I am trying to use cookies to help with this issue


chrispos


I am using PHP 5 and I am having issues with cookies. I have looked at the help pages here but am still stuck. A site had been hacked via a database and I am making it more secure with the use of session control, IP address and cookies. The issue is this: I need to run a database query to test whether the two cookies that are set match the data in the database. I am using the following code in the head section.

<?php
session_start();
$session = session_id();
$ip = $_SERVER['REMOTE_ADDR'];
$user = stripslashes(trim($_POST['user']));
$pass = stripslashes(trim($_POST['pass']));
$username = "$user";
$encrypt_user = md5($username);
$password = "$pass";
$encrypt_password = md5($password);
include 'config.php';
$query = "SELECT * FROM `users` WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        // set the cookies
        setcookie("cookie[pas]", "$encrypt_password");
        setcookie("cookie[user]", "$encrypt_user");
        $query = "UPDATE `users` SET `sid` = '$session', `ip` = '$ip' WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
        $result = mysql_query($query) or die (mysql_error());
    }
} else {
    echo 'No rows found';
}
?>

This works fine. Now, when I add this bit of code, I can see the cookie name and value.

<?php
echo "$ip<br>";
if (isset($_COOKIE['cookie'])) {
    foreach ($_COOKIE['cookie'] as $name => $value) {
        $name = htmlspecialchars($name);
        $value = htmlspecialchars($value);
        echo "$name : $value <br />\n";
    }
}
?>


I can see the IP address and the two cookies named user and pas, but when I try to get the individual cookie details nothing comes out. This is the issue, as I need to test each of the two individual cookies against the info in the database so I can include pages to make it all secure. I have tried

<?php
if (isset($_COOKIE['user'])) {
    echo "$encrypt_user";
}
?>

$encrypt_user being the hashed username from the form. I have also tried

<?php
if (isset($_COOKIE['user'])) {
    // a quoted key cannot be interpolated inside a double-quoted string, so echo the variable directly
    echo $_COOKIE['user'];
}
?>

These are not showing. I do not need to see it, I just need to run a query to test that each cookie matches the hashed data in MySQL. Any ideas would be great if you can help, and if not, have a great weekend ;)

A few things to think about when making something more secure.

1. Don't use cookies for usernames and passwords, as they can be tampered with and are stored on the client's computer.

2. When trying to encrypt passwords or anything, I would never use a single md5 hash, as it can be easily broken.

3. If you're trying to manage the user as they move around the website, you should do it through sessions.

I only took a brief look at your code, but you should rethink your security methods before going any further. Not sure if anybody else has a different opinion? Security is an extremely large topic.
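A session-based rewrite of the login from the first post, added here as an example and not code from anyone in the thread: a prepared statement replaces the string-built query, password_hash()/password_verify() replace md5(), and the server-side session replaces the two credential cookies. It assumes PHP 5.5 or later with PDO, and a hypothetical `users` table with `id`, `username` and `userpass` columns; the DSN and database credentials are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 5.5 with PDO and a
// hypothetical `users` table (id, username, userpass) where `userpass`
// holds a password_hash() value written at registration, never md5($pass).

// Keep the session cookie out of reach of page scripts; the session id is
// the only thing the browser needs to hold, not a username or password hash.
ini_set('session.cookie_httponly', '1');
session_start();

// Placeholder DSN and credentials; in the original these would live in config.php.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

// Returns the user's id on success or null on failure. Database errors are
// thrown as exceptions for the application's error handler, not echoed to
// the browser as `or die(mysql_error())` did.
function login(PDO $pdo, $user, $pass) {
    // The placeholder keeps the submitted username out of the SQL text, which
    // closes the injection path in the string-built query above.
    $stmt = $pdo->prepare('SELECT id, userpass FROM users WHERE username = ?');
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() is constant-time and handles the salt stored in the hash.
    if ($row === false || !password_verify($pass, $row['userpass'])) {
        return null;
    }
    // Issue a fresh session id on login so an id obtained before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return $_SESSION['user_id'];
}

// Pages that need a logged-in user check the session, not a cookie value.
function currentUserId() {
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (login($pdo, trim($_POST['user']), $_POST['pass']) === null) {
        echo 'Login failed';
    }
}
```

At registration the stored value is produced with password_hash($pass, PASSWORD_DEFAULT), so the table never holds a reversible or unsalted hash.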

Firstly, why on earth are you storing a user's password (hashed or not) in a cookie?

Now your issue: you have not set any cookie named "user".

Hi, does this not make the cookie?

<?php
setcookie("cookie[user]", "$encrypt_user");
?>

I understand about the user and password issue; I can set any cookie, that is not the issue. But if you say a cookie named user is not there, then I guess it is not there, but thank you for taking a look :'(

Hi, does this not make the cookie?

<?php
setcookie("cookie[user]", "$encrypt_user");
?>

You would need to use:

<?php
if (isset($_COOKIE['cookie'])) {
    echo $_COOKIE['cookie']['user'];
}
?>

to access that value.

Thank you so much that is a great help. I have looked all over the net and nothing came back with this. It works great and once again many thanks :)
