Salis Posted June 26, 2007

I'm concerned about security on my site. My goal is to create a MySQL and DBase driven site. I also want people to register and post their work. (It's a multimedia website for flash, photoshop drawings etc.) Anyway I've been working on a session script that I hope is secure. I'm not the best php coder, I know that. But I started php about 6 months ago.

```php
<?php
session_start();
// Guests have no session entry yet: default them to PowerLevel 0, not logged in.
$UMS = isset($_SESSION['UserMS']) ? $_SESSION['UserMS']
     : array('PowerLevel' => 0, 'LoggedIn' => false, 'Time4Expire' => 0);
define("6F13E6", true); // guard constant checked by the included files
@require($_SERVER['DOCUMENT_ROOT'] . "/php/required/SiteVars.php");

// Article 0 is the "Welcome To Vx-FX" or "Browse Articles" article, I haven't decided
$AID = (isset($_GET['article']) && is_numeric($_GET['article'])) ? (int)$_GET['article'] : 0;

$SQLClass = new SQLClass;
$MPRS = $SQLClass->GetMPRs($AID);

// User/Guest PowerLevel vs Minimum Page Requirement System
// (was "!$UMS['PowerLevel'] >= ..."; the ! is applied before >=, so that compared a boolean)
if( $UMS['PowerLevel'] < $MPRS['PowerLevel'] ) {
    header("Location: $Error403");
    exit; // header() alone does not stop the script
} else {
    // A logged-in session whose expiry time has passed is destroyed and sent back to login
    if( $UMS['LoggedIn'] && $UMS['Time4Expire'] < time() ) {
        session_destroy();
        header("Location: $LoginPage");
        exit;
    } else {
        // Everything is good.. Post/upload/comment code here.
    }
}
?>
```

About $UMS and $MPRS:

$UMS -> User Management System
This includes:
PowerLevel;
0 = Guest - No power at all except to browse the site.
1 = Member - Allowed to post comments and upload images.
2 = Moderator - All of 0 and 1 but with the ability to edit posts and delete images.
3 = Admin - All powers of 0 - 2 with the power to edit accounts of lesser power.
4 = Super Admin/Owner - Whatever the heck they want to do. (Basically only me)
Username; Name of the logged in member
USSID; User Session ID
LoggedIn; Value is 'true' if logged in, otherwise 'false'. 'false' by default
Time4Expire; Set time till expire. Once value is greater than time() then the user is logged out.

================================================================================

$MPRS -> Minimum Page Requirement System
This includes:
PowerLevel; The required User Power Level to access the page of equal or greater power
AllowComment; If 'true' members can post comments. Default is 'false'
cooldude832 Posted June 26, 2007

It looks okay as long as your inputting of "power levels" is strong enough that there isn't a way anyone can become any power level.
Salis (Author) Posted June 26, 2007

The User PowerLevels come from the database when they login. The only way I can see them changing this is by SQL Injection (which I clean anyway) or if they somehow manage to access the DBase on my server. I've also added a script to check if the login came from my domain as well. If not, no access for them.
corillo181 Posted June 26, 2007

Just set a column from 0 through 4 and set the power at your will.. and just set a session to check on the level of the person: if $_SESSION['LEVEL']>2 blah blah
cooldude832 Posted June 26, 2007

If security is a real big issue for you, set a baubblefish code that a user has to have set to be a certain power level. Then md5 it. So like if there are levels, the level 1 secret baubblefish code is md5("n00b"), the level 2 baubblefish is md5("advanced") etc etc. That way you get a double check, so if you get people adjusting around it they will never get in because their secret code will not match properly.
Salis (Author) Posted June 26, 2007

> Just set a column from 0 through 4 and set the power at your will.. and just set a session to check on the level of the person: if $_SESSION['LEVEL']>2 blah blah

I see what you're saying but there will be some pages that I may want an elevated PowerLevel User to access. Each article is saved in the DBase, along with who posted it, when it was posted, the poster's IP and what PowerLevel can access it. Some pages may be members only, others may be for Admin only. I also plan on using a script similar to this for a forum. I like to design for simple modifications as well. There have been times where I had to re-write whole scripts for the most stupid reasons. But I'm hoping that this $UMS and $MPRS make life much easier.
cooldude832 Posted June 26, 2007

As long as powerlevels going into the db are fool proof, just load it into the session and then make sure it ain't modified on any other pages.
corillo181 Posted June 26, 2007

Like he said.. yeah, plus I don't think it's a good idea by IPs because IPs can change easily, becoming a problem for your mods.. a session with the power level attached to it is the best way to do it, because you will be the one who decides on the control level of your users, and unless you let anyone into the database you won't have any problems.
cooldude832 Posted June 26, 2007

Which is why I'm suggesting you have a second mysql table that contains the baubblefish keys, and when they are modified you insert the md5 of the baubblefish into that user's row. That way if someone tries to append their row they will never get that level unless their baubblefish also matches.
Salis (Author) Posted June 26, 2007

The only reason I'd log the IP is for spam. I've also designed a login image validation that asks a math question, but if the bots somehow get around that, then I have the IP which I could add to a ban list.
cooldude832 Posted June 26, 2007

IP banning is 100% pointless because 90% of connections are ddns and the other 10% do not tell you their IP.
Salis (Author) Posted June 26, 2007

> Which is why I'm suggesting you have a second mysql table that contains the baubblefish keys, and when they are modified you insert the md5 of the baubblefish into that user's row. That way if someone tries to append their row they will never get that level unless their baubblefish also matches.

I kind of understand what you're saying. I would check for the PowerLevel of the user, then check the MD5 of a reference phrase? So if I have a user whose power is 1 and the phrase for power 1 is say md5('small_stuff') and they were to change their level to 3 or 4, it won't match the md5 phrase. I like that a lot actually! I think I'll use this.
cooldude832 Posted June 26, 2007

I'd suggest storing the actual keys somewhere else, either in a separate mysql table or in a flat file that is locked down. Just make sure that you have it on every user.
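Putting the thread's two ideas together, the level-vs-requirement check from the first post and the per-level secret kept in a locked-down place suggested above, as an added example that is not code from anyone in the thread. It generalizes the per-level md5 phrase to a keyed HMAC over the user id and level, so a tag cannot be copied from one row to another; it assumes a current PHP (hash_hmac, hash_equals) and the assumed column names power_level and level_tag.

```php
<?php
// Added example, not code from the thread. The secret below is a constructed
// value; in real use read it from a file outside the web root, as suggested.
const LEVEL_GUEST  = 0;
const LEVEL_MEMBER = 1;
const LEVEL_MOD    = 2;
const LEVEL_ADMIN  = 3;
const LEVEL_OWNER  = 4;

// Keyed tag over (user id, level). Unlike a single md5 phrase per level, which is
// identical for every user of that level, this is bound to one user and one level.
function level_tag($userId, $level, $secret) {
    return hash_hmac('sha256', (int)$userId . ':' . (int)$level, $secret);
}

// Run at login: returns the level to store in $_SESSION['UserMS'], or LEVEL_GUEST
// when the row's power_level no longer matches its tag (edited without the secret).
function trusted_level(array $row, $secret) {
    $tag = isset($row['level_tag']) ? $row['level_tag'] : '';
    if (hash_equals(level_tag($row['id'], $row['power_level'], $secret), $tag)) {
        return (int)$row['power_level'];
    }
    error_log('power_level/tag mismatch for user ' . (int)$row['id']); // worth alerting on
    return LEVEL_GUEST;
}

// Page check in the shape of the thread's script: level vs page requirement first,
// then expiry of a logged-in session. Returns 'ok', 'forbidden' or 'login'.
function page_access(array $ums, array $mprs) {
    if ((int)$ums['PowerLevel'] < (int)$mprs['PowerLevel']) {
        return 'forbidden';                                   // redirect to $Error403
    }
    if (!empty($ums['LoggedIn']) && $ums['Time4Expire'] < time()) {
        return 'login';                                       // session_destroy(), then $LoginPage
    }
    return 'ok';
}

// Constructed sample run: a member row, tagged when the level was granted.
$secret = 'constructed-example-secret-replace-me';
$row = array('id' => 42, 'power_level' => LEVEL_MEMBER);
$row['level_tag'] = level_tag($row['id'], $row['power_level'], $secret);
$row['power_level'] = LEVEL_ADMIN;       // row edited without the secret...
var_dump(trusted_level($row, $secret));  // ...so login yields int(0), not 3

$ums  = array('PowerLevel' => LEVEL_MEMBER, 'LoggedIn' => true, 'Time4Expire' => time() + 600);
var_dump(page_access($ums, array('PowerLevel' => LEVEL_MOD)));  // string "forbidden"
```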
Salis (Author) Posted June 26, 2007

> IP banning is 100% pointless because 90% of connections are ddns and the other 10% do not tell you their IP.

Actually I can kind of debate that. I understand that not everyone can use a static IP, but I once created a fake guest book because I kept getting spammed. Well, after looking at the stats I found a few IPs that were responsible for a good 80% (or 800 posts a day).
cooldude832 Posted June 26, 2007

I'm not saying it won't work, but the functionality of it will not be as fool proof as you think.
chocopi Posted June 26, 2007

Well surely if it stops some it's worth having.
Salis (Author) Posted June 26, 2007

Oh no, I understand what you're saying. I've never had to ban an IP before and my newer tables don't even have an IP row. Chances are I won't even include it. I'll save a few bytes a post that way too anyhow.
Salis (Author) Posted June 26, 2007

> Well surely if it stops some it's worth having.

Yeah, and if I ever did have to ban an IP it would be because they keep spamming. But it just takes so much work to stop spam that it's not even worth it. The only thing I did was make an image that asked "What's 5 + 3?" or some other random numbers. I don't think a bot can figure that out. But I'm not worked up over spam... the moment. I just want to make sure my little session script is secure. And with cooldude832's suggestion I think this would be perfect.