Jump to content

Security


unidox

Recommended Posts

I have a cms, and I just found out that its not secure. I was just wondering how I can make it more secure. Right now, it sets cookies of the access level and the user level, when someone logs in. And in each page, to restrict access levels, it checks the cookie access to determine its access level. Thanks in advance!

 

So here are my files:

 

Code to check the user level on each page:

 

<?php
if ($_COOKIE['uniqueid']) {
?>
<?php
    $a = $_COOKIE['access'];
global $levels;
    if ($a <= $levels[pages]) {
            PAGE CONTENT
      }

<?php
    if ($a > $levels[pages]) {
            if (!$_REQUEST['m']) {
                require_once("inc/db.inc.php");
              	require_once ("inc/func2.inc.php");
                getHeader();
                echo "Sorry, you dont have access to this page!";
            }
        }

 

login.php:

 

<?php
$page = "login";
require_once ("inc/db.inc.php");
require_once ("files/login.php");
if ($_REQUEST['m']) {
	if ($_REQUEST['m'] == "1") {
		$loginpass = 		$_POST['login_pass'];
		$password = 		md5($loginpass);
		$loginname = 		$_POST['login_name'];
		$checkrows = 		mysql_query ("SELECT * FROM cp_users WHERE username='$loginname' && password='$password'") or die (mysql_error());
		$rowcount = 		mysql_num_rows ($checkrows);
		if ($rowcount == "0") {
				showError("User/Login Error");

		}
		if ($rowcount != "0") {
			header ("Location: index.php?page=admin");
			$time = 		date("h:i:a");
			$date = 		date("m/d/Y");
			$last_logged = 	$time . "\n(" . $date . ")";
			$ip = 			getenv ("REMOTE_ADDR");
			MYSQL_QUERY("UPDATE cp_users SET last_logged='$last_logged', cur_ip='$ip' WHERE username='$loginname'") or die (mysql_error());
			while ($mysql=mysql_fetch_array($checkrows)) {
				setcookie("access", $mysql[access],time()+60*60*24*30);
			}
			setcookie ("uniqueid",$loginname,time()+60*60*24*30);
			exit;
		} 
	}		
	elseif ($_REQUEST['m'] == "2") {
		header ("Location: index.php?page=login");
		setcookie ("uniqueid");
		setcookie ("access");
		exit;
	}
}
else {
	if ($_COOKIE['uniqueid'] == "") {
		$checkfields = "login_name&login_pass";
		$errors = "Enter a username&Enter a password!";
		$titles = "Username:&Password:";
		$fields = "login_name&login_pass";
		$type = "text&password";
		$size = "30&30";
		$maxlength = "25&25";
		createJSValid($checkfields,$errors);
		createForm($titles,$fields,$type,$size,$maxlength,'1','','','','1');

	}
	else {
		showError("You are already logged in, <a href=\"" . $_SERVER['PHP_SELF'] . "?page=login&m=2\">logout?</a><br /><br /><a href='index.php?page=admin'>Admin Home</a>");
	}
}
?>

Link to comment
Share on other sites

well, i tried this, but now I get an error:

 

 

Parse error: syntax error, unexpected '}' in /home/clansuni/public_html/adm_files/login.php on line 26

 

Here is the updated code:

 

<?php
    session_start();
$page = "login";
require_once ("inc/db.inc.php");
require_once ("files/login.php");
if ($_REQUEST['m']) {
	if ($_REQUEST['m'] == "1") {
		$loginpass = 		$_POST['login_pass'];
		$password = 		md5($loginpass);
		$loginname = 		$_POST['login_name'];
		$checkrows = 		mysql_query ("SELECT * FROM cp_users WHERE username='$loginname' && password='$password'") or die (mysql_error());
		$rowcount = 		mysql_num_rows ($checkrows);
		if ($rowcount == "0") {
				showError("User/Login Error");

		}
		if ($rowcount != "0") {
			header ("Location: index.php?page=admin");
			$time = 		date("h:i:a");
			$date = 		date("m/d/Y");
			$last_logged = 	$time . "\n(" . $date . ")";
			$ip = 			getenv ("REMOTE_ADDR");
			MYSQL_QUERY("UPDATE cp_users SET last_logged='$last_logged', cur_ip='$ip' WHERE username='$loginname'") or die (mysql_error());
                while ($mysql=mysql_fetch_array($checkrows)) {
                    $_SESSION['access'] = $mysql[access]
			}
                $_SESSION['uniqueid'] = $loginname
                $_SESSION['password'] = $password
			exit;
		} 
	}		
	elseif ($_REQUEST['m'] == "2") {
		header ("Location: index.php?page=login");
		session_destroy();
		exit;
	}
}
else {
	if ($_COOKIE['uniqueid'] == "") {
		$checkfields = "login_name&login_pass";
		$errors = "Enter a username&Enter a password!";
		$titles = "Username:&Password:";
		$fields = "login_name&login_pass";
		$type = "text&password";
		$size = "30&30";
		$maxlength = "25&25";
		createJSValid($checkfields,$errors);
		createForm($titles,$fields,$type,$size,$maxlength,'1','','','','1');

	}
	else {
		showError("You are already logged in, <a href=\"" . $_SERVER['PHP_SELF'] . "?page=login&m=2\">logout?</a><br /><br /><a href='index.php?page=admin'>Admin Home</a>");
	}
}
?>

Link to comment
Share on other sites

i fixed the error, but now it just keeps redirecting to the login page. Here is part of the func:

 

	$islogged = preg_match("/index.php?page=login/", $_SERVER['PHP_SELF']);
if ($islogged == "0") {
	if ($_SESSION['uniqueid'] == "") {
		header ("Location: index.php?page=login");
		exit;
	}
}

if ((!$_REQUEST['method']) || (!$_SESSION['uniqueid'])) {
	$access = $_SESSION['access'];
	if (array_search($page,$levels)) {
		if ($access <= $levels[$page]) {
			echo $access . $levels[$page];
			showError('You do not have access to this page.');
			exit;
		}
	}
}

Link to comment
Share on other sites

Have a look at this article about a login system using sessions

 

http://www.olate.co.uk/articles/185

 

In the function that logs a user in, you could have a field in the database with their user level and encrypt that in the session and when you use the auth function you can add some extra code to compare the encrypted user level with the original user level in the session to see if it has been change and if it has don't allow the script to run.

 

Link to comment
Share on other sites

Can you explain exactly what your trying to do here?

 

$islogged = preg_match("/index.php?page=login/", $_SERVER['PHP_SELF']);
if ($islogged == "0") {
 if ($_SESSION['uniqueid'] == "") {
   header ("Location: index.php?page=login");
   exit;
 }
}

 

That piece makes little sense. Firstly, why are you using preg_match at all? Just check if $_GET['page'] == 'login'. Secondly, preg_match returns an int, your checking for a string. Really, its pretty hard to see what your trying to achive with this piece, you'll need to explain it.

Link to comment
Share on other sites

First, try isset or empty instead == ''.

 

Second, I see no reason in using preg_match, as thorpe mentioned.  There is no reason to include the overhead of the regex engine. Just do

if ($_SERVER['PHP_SELF'] == '/index.php?page=login/') {
  if (empty($_SESSION['uniqueid'])) {
    header("Location: index.php?page=login");
    exit;
  }
}

 

Right?

Link to comment
Share on other sites

Here is the updated code:

 

<?php
    session_start();
$page = "login";
require_once ("inc/db.inc.php");
require_once ("files/login.php");
if ($_REQUEST['m']) {
	if ($_REQUEST['m'] == "1") {
		$loginpass = 		$_POST['login_pass'];
		$password = 		md5($loginpass);
		$loginname = 		$_POST['login_name'];
		$checkrows = 		mysql_query ("SELECT * FROM cp_users WHERE username='$loginname' && password='$password'") or die (mysql_error());
		$rowcount = 		mysql_num_rows ($checkrows);
		if ($rowcount == "0") {
				showError("User/Login Error");

		}
		if ($rowcount != "0") {
			header ("Location: index.php?page=admin");
			$time = 		date("h:i:a");
			$date = 		date("m/d/Y");
			$last_logged = 	$time . "\n(" . $date . ")";
			$ip = 			getenv ("REMOTE_ADDR");
			MYSQL_QUERY("UPDATE cp_users SET last_logged='$last_logged', cur_ip='$ip' WHERE username='$loginname'") or die (mysql_error());
                while ($mysql=mysql_fetch_array($checkrows)) {
                    $_SESSION['access'] = $mysql[access]
			}
                $_SESSION['uniqueid'] = $loginname
                $_SESSION['password'] = $password
			exit;
		} 
	}		
	elseif ($_REQUEST['m'] == "2") {
		header ("Location: index.php?page=login");
		session_destroy();
		exit;
	}
}
else {
	if ($_COOKIE['uniqueid'] == "") {
		$checkfields = "login_name&login_pass";
		$errors = "Enter a username&Enter a password!";
		$titles = "Username:&Password:";
		$fields = "login_name&login_pass";
		$type = "text&password";
		$size = "30&30";
		$maxlength = "25&25";
		createJSValid($checkfields,$errors);
		createForm($titles,$fields,$type,$size,$maxlength,'1','','','','1');

	}
	else {
		showError("You are already logged in, <a href=\"" . $_SERVER['PHP_SELF'] . "?page=login&m=2\">logout?</a><br /><br /><a href='index.php?page=admin'>Admin Home</a>");
	}
}
?>

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.