jtsandlund Posted November 12, 2007

Hello people at phpfreaks, and thanks in advance for your help.

I've been having some trouble with a simple forum for our small puppy website. People are posting advertisements and other garbage to the forum of the website, and they aren't even registered members. I'm not even sure how they do it, since it seems like you can't post without being logged in. At first I believed it was that they figured out the password for the database user that the config.php file uses to connect to the database. So I changed that. But I'm thinking that's not it, because, after they posted, I got emails sent to me through the add_topic.php file. Somehow they're hacking my script, getting past the if session is registered, and posting.

I did modify the top of the script, but I don't think that's the problem.

    <?
    session_start();
    if(!session_is_registered(name)){
    header("location:main_login.php");
    }

is what it used to say. Now it says,

    <?
    session_start();
    if(!(session_is_registered(name) && session_is_registered(password))){
    header("location:main_login.php");
    }
    ?>

The way I have the forum set up is people log on at the main_login.php page, create a topic at the create_topic.php page. This page has a form that sends the post to add_topic.php, which plugs the info into the database. Then, view_topic.php is used to view it... My website is www.familywheatens.com.

Here is the entire add_topic.php file until the mailing script:

    <?
    session_start();
    if(!(session_is_registered(name) && session_is_registered(password))){
    header("location:main_login.php");
    }
    ?>
    <?
    include('config.php');
    $tbl_name="forum_question"; // Table name
    $tbl_name2="registered_members"; // Members Table

    // get data that sent from form
    $topic=$_POST['topic'];
    $detail=$_POST['detail'];
    $uname=$name;

    $datetime=date("m/d/y "); //create date time

    $sql="INSERT INTO $tbl_name(topic, detail, uname, datetime)VALUES('$topic', '$detail', '$uname', '$datetime')";
    $result=mysql_query($sql);

    if($result){
    echo "<meta http-equiv='refresh' content='0;url=http://www.familywheatens.com/main_forum.php'>";
    }
    else {
    echo "ERROR";
    }

and here is the create_topic.php code of concern:

    <form id="form1" name="form1" method="post" action="add_topic.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <td colspan="3" bgcolor="#ffccaa"><strong>Create New Topic</strong> </td>
    </tr>
    <tr>
    <td width="14%"><strong>Topic</strong></td>
    <td width="2%">:</td>
    <td width="84%"><input name="topic" type="text" id="topic" size="50" /></td>
    </tr>
    <tr>
    <td valign="top"><strong>Message</strong></td>
    <td valign="top">:</td>
    <td><textarea name="detail" cols="50" rows="5" id="detail"></textarea></td>
    </tr>
    <tr>
    <td> </td>
    <td> </td>
    <td><input type="submit" name="Submit" value="Submit" /> <input type="reset" name="Submit2" value="Reset" /></td>

If there is anything else I should know about this code, please let me know. By the way, you probably want to know that my mysql database server is 4.1.22-standard (protocol version 10), and I use PHPMyAdmin 2.11.0. I have cPanel X.

Thank you very much, this has been bothering me a while. I've tried my hand at googling this problem to death, but I need some help.

Thanks,
--Jacob
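
An added example (not code from the thread) of the add_topic.php guard written so that nothing runs once the login check fails: in PHP, header() only queues the redirect, so a script without exit after it carries on to the INSERT. It also reads the user name from the session and binds the form fields as query parameters; the function name add_topic(), the in-memory SQLite database and the sample values are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example: decide first, and stop when the visitor is not logged in.
// In a page script the same rule reads: header('Location: main_login.php'); exit;
function add_topic(PDO $db, array $session, array $post): array
{
    // Trust only what the login script stored in the session, never a bare $name.
    if (!isset($session['name']) || !is_string($session['name']) || $session['name'] === '') {
        return ['status' => 302, 'location' => 'main_login.php', 'inserted' => false];
    }
    $topic  = trim((string)($post['topic'] ?? ''));
    $detail = trim((string)($post['detail'] ?? ''));
    if ($topic === '' || $detail === '') {
        return ['status' => 400, 'location' => null, 'inserted' => false];
    }
    // Placeholders keep the form text out of the SQL statement itself.
    $stmt = $db->prepare(
        'INSERT INTO forum_question (topic, detail, uname, datetime) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$topic, $detail, $session['name'], date('m/d/y')]);
    return ['status' => 302, 'location' => 'main_forum.php', 'inserted' => true];
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_question (topic TEXT, detail TEXT, uname TEXT, datetime TEXT)');

// One request without a session, one from a logged-in member (hypothetical name).
$anon   = add_topic($db, [], ['topic' => 'ad', 'detail' => 'spam']);
$member = add_topic($db, ['name' => 'jacob'], ['topic' => "It's a puppy", 'detail' => 'Hello']);
$rows   = (int)$db->query('SELECT COUNT(*) FROM forum_question')->fetchColumn();

printf("anonymous: %d -> %s\n", $anon['status'], $anon['location']);
printf("member:    %d -> %s\n", $member['status'], $member['location']);
printf("rows stored: %d\n", $rows);
```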
drakal30 Posted November 12, 2007

For argument's sake, let's say you're not being hacked. I think your session validation code is not working; I would make sure your session vars are being set correctly. Try setting up a testbed and echo out the session variables and see if they are returning the right variables.
jtsandlund Posted November 13, 2007 (Author)

Well, I think you're right. I didn't go through checking each variable, but I realized my code was wrong. My authenticating script used to have session_register, but no $HTTP_SESSION_VARS to set what it was. So here is the script now:

    // username and password sent from signup form
    $name=$_POST['name'];
    $password=$_POST['password'];

    $sql="SELECT * FROM $tbl_name WHERE name='$name' and password='$password'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $name and $password, table row must be 1 row

    if($count==1){
    // Register $name, $password and redirect to file "main_forum.php"
    $_SESSION['name'] = $name;
    $_SESSION['password'] = $password;
    header("location:main_forum.php");
    }
    else {

Oh, and I'm still not sure how you all were able to post to the forum. Just curious.

Thanks very much for pointing me in the right direction,
--Jacob
kellz Posted November 13, 2007

I think you should use md5 on the password..

    $_SESSION['password'] = md5($password);

and have the password in the database as md5 too (of course, or it won't match)

And make a limit to how many times the same user can log in in some time period like:

    session_start();
    // Refuse further attempts once this session has recorded 5 failed logins
    if (isset($_SESSION['logins']) && $_SESSION['logins'] >= 5) {
        echo 'too many login attempts';
        exit;
    }
    if ($password == false) {
        // Count this failed attempt against the session
        $_SESSION['logins'] = isset($_SESSION['logins']) ? $_SESSION['logins'] + 1 : 1; //is that right?
        echo 'wrong password';
    }

or err something like that^^ lol it stops people guessing the password too many times
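
An added example (not code from this thread) of the login check and attempt limit discussed in the last two posts, using PHP's password_hash()/password_verify() instead of a plain or MD5 comparison and counting failures per account in the database, since a counter kept in the session resets when the client drops its cookie. The function try_login(), the login_failures table, the password_hash column, the limit of 5 within 15 minutes and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

const MAX_FAILURES   = 5;    // assumed limit
const WINDOW_SECONDS = 900;  // assumed window (15 minutes)

function try_login(PDO $db, string $name, string $password, int $now): string
{
    // Failures are counted per account in the database, not in the session.
    $q = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE name = ? AND at > ?');
    $q->execute([$name, $now - WINDOW_SECONDS]);
    if ((int)$q->fetchColumn() >= MAX_FAILURES) {
        return 'locked';
    }
    // Bound parameter: the submitted name is data, never part of the SQL text.
    $q = $db->prepare('SELECT password_hash FROM registered_members WHERE name = ?');
    $q->execute([$name]);
    $hash = $q->fetchColumn();
    if (is_string($hash) && password_verify($password, $hash)) {
        // On a real page: session_regenerate_id(true); $_SESSION['name'] = $name;
        // Only the name goes into the session, never the password.
        return 'ok';
    }
    $db->prepare('INSERT INTO login_failures (name, at) VALUES (?, ?)')
       ->execute([$name, $now]);
    return 'denied';
}

// Constructed demo data; in-memory SQLite stands in for the MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registered_members (name TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE login_failures (name TEXT, at INTEGER)');
$db->prepare('INSERT INTO registered_members VALUES (?, ?)')
   ->execute(['jacob', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

$now = 1700000000; // fixed clock so the run is repeatable
echo try_login($db, 'jacob', 'constructed-demo-password', $now), "\n";
for ($i = 1; $i <= MAX_FAILURES; $i++) {
    echo try_login($db, 'jacob', 'wrong guess', $now + $i), "\n";
}
// Inside the window the account stays locked; once it has passed, logins work again.
echo try_login($db, 'jacob', 'constructed-demo-password', $now + 10), "\n";
echo try_login($db, 'jacob', 'constructed-demo-password', $now + 10 + WINDOW_SECONDS), "\n";
```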