Session\Security - Member page

[ess14]

Im having some troubles with a member style login i have created. Basically a user logs on to use some flash software i have created. This flash program exports its variables into an email (via php) and sends the order details to me. unfortunately we have been receiveing orders from people who havnt received their login details yet. how is this so? below is some code im using... im hopeing someone can see the flaw in my programming and can figure out how its possible.  below is some of the code... let me know if u want to see more. i really need help on this as its not good for the client.

after the user enters the login details it is processed like so...
---------------------------
[code=php:0]
$email2 = $_POST['email2'];
$passwd = $_POST['passwd'];

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM odesign WHERE email='$email2' AND password='$passwd'");
$myrow = @mysql_fetch_array($sql);
if($myrow > 0){
$usrid = $myrow["usrid"];

        // Register some session variables!
        session_register('email2');
        $_SESSION['email2'] = $email2;
        session_register('passwd');
        $_SESSION['passwd'] = $passwd;
session_register('usrid');
        $_SESSION['usrid'] = $usrid;

[/code]

below is the code used for checking session data (signed in users only)
-------------------------------------
[code=php:0]
function session_checker(){
if(!session_is_registered('usrid')){
  $error1= "You are not logged in!";
header("Location: ../login.php?error1=$error1");
  exit();
}
}
[/code]
------------------------------------------------------


The site is: http://www.gamegear.com.au/onlinedesign/login.php
this is where the member-only page is: http://www.gamegear.com.au/onlinedesign/full/full.php
Please dont muck around with anything.. if you find any holes please let me know so i can fix it up.

much appreciated.

[fert]

you need to have session_start() at the top of your pages

[Jessica]

session_register is deprecated.

[WhiteyDude]

[code=php:0]
session_start();
//Make sure the above line is put somewhere high up (probably just after your <?php tag)
$email2 = $_POST['email2'];
$passwd = $_POST['passwd'];

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM odesign WHERE email='$email2' AND password='$passwd'");
$myrow = @mysql_fetch_array($sql);
if($myrow > 0){
$usrid = $myrow["usrid"];

        // Register some session variables!
        session_register('email2');
        $_SESSION['email2'] = $email2;
        $_SESSION['passwd'] = $passwd;
        $_SESSION['usrid'] = $usrid;

[/code]

------------------------------

[code=php:0]
function session_checker(){
if(!$_SESSION['usrid']){
  $error1= "You are not logged in!";
header("Location: http://www.gamegear.com.au/login.php?error1=$error1");
  exit();
}
}
[/code]


Is how I believe the above two are suggesting it :P.


Don't forget, if that function is in another file, it needs a session_start() up the top too :). Otherwise $_SESSION will be empty :P.

Also, you shouldn't put a variable straight into an SQL query after $_POST. Have a look at http://au3.php.net/manual/en/function.mysql-escape-string.php and http://au3.php.net/manual/en/function.addslashes.php


BTW, Aussie Aussie Aussie ^_^

[ess14]

Well i use session start() in all the pages where the user is using sessions.
i just left it out of that code.

i have the session checker() in its own file. that is included in pages that need it. those pages have the session start(), but the session checker page(as above) does not. im pretty sure it doesnt need it.

All the scripts work fine, i cannot get to the member only pages without a registered session.

I will try the update session code you have recommened. but id also like to know how you would bypass what i currently have. by all means go ahead and try... let me know how someone could have accessed the memeber pages.

I know ur saying session register is depreciated etc... but it seems to work?!

[ess14]

and your right.. i better do some data checks...maybe someone is stuffing with the query...

Do you think its possiblem being on a shared host, that if someone else is using the usrid session varible on their site that they could go directly to my site and still have the same registered session variables?

I dont feel like someon is doing this stuff maliciously...theres just no point to it. must be sme random accident type thing. i dont know? any more ideas?

[Nameless12]

Your script is vulnerable to sql injection

[ess14]

[quote author=Nameless12 link=topic=123754.msg511978#msg511978 date=1169607636]
Your script is vulnerable to sql injection
[/quote]
no shit. as per the last 3 posts.

[Jessica]

"Do you think its possiblem being on a shared host, that if someone else is using the usrid session varible on their site that they could go directly to my site and still have the same registered session variables?"

No, sessions are linked to the domain.

[ess14]

so what were saying is... for someone to get to the memebers page in my script, they have either...

stuffed around with some injection 'attack' for the login

OR

Problems with the way i have set up the session varibles might allow a random user to gain access to the members page.

is this all it can be? is both of those possible?
i really need to sort it 100%.

[ess14]

yes no? help please

[ess14]

[code=php:0]
if (get_magic_quotes_gpc()) {
    $stripTrack = stripslashes($_POST['tracknum']);
}
$tracksimple = $stripTrack;
$tracknum= mysql_real_escape_string(trim($tracksimple));

[/code]

Will that sort of data check be okay? is it correct?