academ1c Posted November 10, 2007

Hi all, got another question. I'm working on security for my database management project, except I'm having some trouble with it. Firstly, if I log in I can go to a page that needs authorization just fine, but as soon as I load another page it asks me to log in again. Here is my functions.php script:

<?php
//salt function
function generate_salt() {
    $salt = '';
    for ($i = 0; $i < 32; $i++) {
        // note: this range includes ' (39) and \ (92), which go into the INSERT below unescaped
        $salt .= chr(rand(35, 126));
    }
    return $salt;
}

function user_register($username, $password) {
    $salt = generate_salt(); //generate the salt
    $encrypted = md5(md5($password).$salt); //encrypt the password
    $query = "INSERT INTO user (username, password, salt) VALUES ('$username', '$encrypted', '$salt')";
    mysql_query($query) or die ('Could not create user');
}

function user_login($username, $password) {
    //get the user's salt
    $query = "SELECT salt FROM user WHERE username = '$username' LIMIT 1";
    $result = mysql_query($query);
    if (mysql_num_rows($result) > 0) {
        //get the user
        $user = mysql_fetch_array($result);
        //use salt to re-encrypt password and check for a match
        $encrypted_pass = md5(md5($password).$user['salt']);
        //get userid from username + encrypted password
        $query = "SELECT userid, username FROM user WHERE username = '$username' AND password = '$encrypted_pass'";
        $result = mysql_query($query);
        if (mysql_num_rows($result) > 0) {
            $user = mysql_fetch_array($result);
            //encrypt the data that will be stored in the session
            $encrypted_id = md5($user['userid']);
            $encrypted_name = md5($user['username']);
            //store the data in a session
            $_SESSION['userid'] = $user['userid'];
            $_SESSION['username'] = $user['username'];
            $_SESSION['encrypted_id'] = $encrypted_id;
            $_SESSION['encrypted_name'] = $encrypted_name;
            //return ok code
            return 'Correct';
        } else {
            return 'Invalid password,';
        }
    } else {
        return 'Invalid username,';
    }
}

function user_logout() {
    //unset all session vars and destroy session data
    session_unset();
    session_destroy();
}

function is_authed() {
    // Check if the encrypted username is the same
    // as the unencrypted one, if it is, it hasn't been changed
    if (isset($_SESSION['userid']) && md5($_SESSION['userid']) == $_SESSION['encrypted_id']) {
        return true;
    } else {
        return false;
    }
}

//new function from roScripts:
//http://www.roscripts.com/Protect_against_SQL_Injection-72.html
//use on mysql statements to protect against mysql injection attacks
//(these three calls are HTML output filters; none of them escapes SQL quotes)
function clean_content($content) {
    $content = stripslashes(trim($content));
    $content = nl2br($content);
    $content = htmlentities($content);
    return $content;
}
?>

Note: the last bit with the comments is for my SQL injection prevention, which I'll talk about later. Header file:

<?php
session_start();
$db_server = "localhost";
$db_username = "root";
$db_password = "";
$db_name = "forensic";
$con = mysql_connect($db_server, $db_username, $db_password);
if (!$con) {
    die('Could not connect to database: ' . mysql_error());
} else {
    print '<div align="center">Connection to database was successful.<br /></div>';
}
mysql_select_db($db_name, $con) or die (mysql_error());
srand(); //seed random number generator to improve "randomness" of salt
include 'functions.php'; //include functions script (generate salt, user register, login, logout, check authorization)
if (!is_authed()) {
    die ("<br /><p align='center'>You are not logged in. Please <a href='login_form.php'>login here</a></p>.");
}
?>

Finally, the login form:

<?php if (isset($login_error)) { ?>
<?php echo $login_error; ?> please try again.
<?php } ?>
<form action="login.php" method="post">
<table>
<tr><td><b>Username:</b></td>
<td><input type="text" size="20" maxlength="20" name="username" <?php if (isset($_POST['username'])) { ?>value="<?php echo $_POST['username']; ?>"<?php } ?> /></td></tr>
<tr><td><b>Password:</b></td>
<td><input type="password" size="20" maxlength="32" name="password" /></td></tr>
</table>
<input type="submit" name="submit" value="Login" />
</form>

I *very* slightly modified this tutorial to do my authorization stuff. Not sure what is wrong with it there. If it's more than just a simple error with my code and you need to test it, just ask and I'll zip + send it. The other point is SQL injection for my login. Don't know if it's actually prone to it. The code below the comments at the end of the first script (I just copied and pasted it from roScripts and left it there) is what I might use for SQL injection prevention, but like I said, I'm not sure if it's necessary. Any guidance on this would be great. Sorry if any of this is hard to understand; I'm not very good at explaining stuff.
pocobueno1388 Posted November 10, 2007

Try putting session_start() at the top of the page with the functions. As for SQL injections, make sure you're using mysql_real_escape_string() on all variables used within a query.
academ1c Posted November 10, 2007 Author

session_start(); is already at the top of every page. I should also mention that if I load a page and it says authentication is fine, it will then tell me to log in again as soon as I refresh it. With the SQL injections, would it be best just to make another variable which holds the string-escaped one? For example:

$a = 5;
$a_escaped = mysql_real_escape_string($a);
pocobueno1388 Posted November 10, 2007

Well, you really only need to use it on data that comes from the user, like POST data. There's no need to make an entirely new variable for the escaped string.

$var = mysql_real_escape_string($_POST['var']);

Hmm... I'm still looking at your session issue; so far I can't find anything wrong.
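An added example for the two passages above (the login code in the first post and the mysql_real_escape_string() advice in this reply); it is not code from the thread or from the roScripts page it quotes. It goes one step beyond the escaping suggestion: the register/login/is_authed/logout functions from the first post are rebuilt on PDO prepared statements, where the SQL text is fixed before any user value is sent, so no escaping of query input is needed at all. It also shows, without executing anything, how the first post's second SELECT is assembled from a crafted username, which answers the "is it actually prone to it" question. Everything beyond the original table and function names is an assumption: PDO with the pdo_mysql driver (the mysql_* functions were removed in PHP 7), a table reduced to user(userid, username, password) with the password column holding a password_hash() digest (the salt column goes away because password_hash() stores its own random salt inside the digest), and PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the original post or from the
// roScripts page it quotes. Assumptions (not from the thread): PDO with the
// pdo_mysql driver, and the table reduced to user(userid, username, password)
// where `password` holds a password_hash() digest. Needs PHP 7.4 or later.

// The second query exactly as the original user_login() assembled it; nothing
// is executed. With the username  admin'--  followed by one space, the quote
// closes the string literal and MySQL treats "-- " (whitespace required) as a
// comment, so the password comparison is cut off. The salt lookup in the
// original still finds the row for "admin", since the same literal lands there.
function unsafe_login_query(string $username, string $encrypted_pass): string
{
    return "SELECT userid, username FROM user WHERE username = '$username' AND password = '$encrypted_pass'";
}

function user_register(PDO $db, string $username, string $password): void
{
    // Random per-user salt plus a deliberately slow hash (bcrypt by default);
    // md5(md5($pw).$salt) is fast, which is what makes it cheap to crack.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function user_login(PDO $db, string $username, string $password): string
{
    // The SQL text is fixed at prepare time; :u travels to the server as a
    // value, so a quote or "-- " in $username is just characters in a string.
    $stmt = $db->prepare('SELECT userid, username, password FROM user WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a throwaway hash when the user is
    // unknown, so response time does not reveal which usernames exist; and
    // return one message for both failures instead of the original's
    // 'Invalid username,' / 'Invalid password,' pair.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stored = is_array($user) ? (string) $user['password'] : $dummy;
    $verified = password_verify($password, $stored);
    if (!is_array($user) || !$verified) {
        return 'Invalid username or password,';
    }

    // A new session id on login defeats session fixation. The md5 copies the
    // original stored beside userid add nothing: session data lives on the
    // server and only the id travels in the cookie, so a client cannot edit it.
    session_regenerate_id(true);
    $_SESSION['userid']   = (int) $user['userid'];
    $_SESSION['username'] = (string) $user['username'];
    return 'Correct';
}

function is_authed(): bool
{
    return isset($_SESSION['userid']);
}

function user_logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Escaping belongs where the data goes. This is what the htmlentities() call
// in the roScripts clean_content() is actually for: the original login form
// echoes $_POST['username'] straight into value="" with no HTML escaping.
function form_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the injected username described above, wrong password.
    echo unsafe_login_query("admin'-- ", md5('wrong-password')), PHP_EOL;
}
```

To wire it in, open the connection with native prepares enabled and errors as exceptions, e.g. new PDO('mysql:host=localhost;dbname=forensic;charset=utf8mb4', 'root', '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]) (connection details assumed from the header file), and in the form write value="<?php echo form_value($_POST['username'] ?? ''); ?>" instead of echoing the raw POST value. If you stay with the mysql_* API and mysql_real_escape_string() as suggested, two caveats: it only protects values that sit inside quoted string literals, so anything used bare (a numeric id, a column or table name, a LIMIT) has to be cast or whitelisted instead, and it must be called after mysql_connect() because it escapes according to the connection's character set.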
academ1c Posted November 10, 2007 Author

Okay, thanks for the SQL thing, I'll set that up now. Yeah, the session thing is strange. Thanks for your help though.