
Security Issue: non-members posting to my forum


jtsandlund


Hello people at phpfreaks, and thanks in advance for your help.  I've been having some trouble with a simple forum for our small puppy website.  People are posting advertisements and other garbage to the forum of the website, and they aren't even registered members.  I'm not even sure how they do it, since it seems like you can't post without being logged in.  At first I believed it was that they figured out the password for the database user that the config.php file uses to connect to the database.  So I changed that.  But I'm thinking that's not it, because, after they posted, I got emails sent to me through the add_topic.php file.  Somehow they're hacking my script, getting past the if session is registered, and posting.  I did modify the top of the script, but I don't think that's the problem. 

<?
session_start();
if(!session_is_registered(name)){
header("location:main_login.php");
}

is what it used to say.  Now it says,

<?
session_start();
if(!(session_is_registered(name) && session_is_registered(password))){
header("location:main_login.php");
}
?>

The way I have the forum set up is that people log in at the main_login.php page and create a topic at the create_topic.php page.  This page has a form that sends the post to add_topic.php, which plugs the info into the database.  Then, view_topic.php is used to view it...  My website is www.familywheatens.com.  Here is the entire add_topic.php file up to the mailing script:

<?
session_start();
if(!(session_is_registered(name) && session_is_registered(password))){
header("location:main_login.php");
}
?>
<?
include('config.php');
$tbl_name="forum_question"; // Table name
$tbl_name2="registered_members"; // Members Table


// get data that sent from form
$topic=$_POST['topic'];
$detail=$_POST['detail'];

$uname=$name;


$datetime=date("m/d/y "); //create date time

$sql="INSERT INTO $tbl_name(topic, detail, uname, datetime)VALUES('$topic', '$detail', '$uname', '$datetime')";
$result=mysql_query($sql);

if($result){
echo "<meta http-equiv='refresh' content='0;url=http://www.familywheatens.com/main_forum.php'>";
}
else {
echo "ERROR";
}

 

and here is the create_topic.php code of concern:

<form id="form1" name="form1" method="post" action="add_topic.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3" bgcolor="#ffccaa"><strong>Create New Topic</strong> </td>
</tr>
<tr>
<td width="14%"><strong>Topic</strong></td>
<td width="2%">:</td>
<td width="84%"><input name="topic" type="text" id="topic" size="50" /></td>
</tr>
<tr>
<td valign="top"><strong>Message</strong></td>
<td valign="top">:</td>
<td><textarea name="detail" cols="50" rows="5" id="detail"></textarea></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Submit" /> <input type="reset" name="Submit2" value="Reset" /></td>

If there is anything else I should know about this code, please let me know.

 

By the way, you probably want to know that my mysql database server is 4.1.22-standard (protocol version 10), and I use PHPMyAdmin 2.11.0.  I have cPanel X.

 

Thank you very much, this has been bothering me a while.  I've tried my hand at googling this problem to death, but I need some help.  Thanks,

 

--Jacob
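As an added example (not Jacob's code), here is a hardened add_topic.php. In the version above, header() sends the redirect but does not stop the script, so the INSERT still runs for a request that has no session, and $uname=$name depends on register_globals to be filled in. The example assumes a mysqli connection named $conn created by config.php and the column names shown in the post.

```php
<?php
// Added example (not the original poster's code): a hardened add_topic.php.
// Assumes config.php creates a mysqli connection $conn (an assumption; the
// original uses the old mysql_* extension).
session_start();

// The gate: a Location header by itself does not end the request. Without
// exit, PHP keeps running and the INSERT below executes for anyone.
if (empty($_SESSION['name'])) {
    header('Location: main_login.php');
    exit;
}

include 'config.php';
$tbl_name = 'forum_question';

// Only accept form posts, and take the author from the session, never from
// a global that register_globals (or the request itself) could populate.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: create_topic.php');
    exit;
}
$topic    = isset($_POST['topic'])  ? trim($_POST['topic'])  : '';
$detail   = isset($_POST['detail']) ? trim($_POST['detail']) : '';
$uname    = $_SESSION['name'];
$datetime = date('m/d/y ');

if ($topic === '' || $detail === '') {
    echo 'Topic and message are required.';
    exit;
}

// Prepared statement: user input is bound as data, never spliced into SQL.
$stmt = $conn->prepare(
    "INSERT INTO $tbl_name (topic, detail, uname, datetime) VALUES (?, ?, ?, ?)"
);
$stmt->bind_param('ssss', $topic, $detail, $uname, $datetime);

if ($stmt->execute()) {
    header('Location: http://www.familywheatens.com/main_forum.php');
    exit;
}
echo 'ERROR';
```

When the posts stop, the web server access log for add_topic.php is the place to confirm it: unauthenticated requests now end at the redirect instead of reaching the database.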


For argument's sake, let's say you're not being hacked. I think your session validation code is not working; I would make sure your session vars are being set correctly.  Try setting up a testbed, echo out the session variables, and see if they are returning the right variables.


Well, I think you're right.  I didn't go through checking each variable, but I realized my code was wrong.  My authenticating script used to have session_register, but no $HTTP_SESSION_VARS to set what it was.  So here is the script now:

// username and password sent from signup form

$name=$_POST['name'];
$password=$_POST['password'];

$sql="SELECT * FROM $tbl_name WHERE name='$name' and password='$password'";
$result=mysql_query($sql);


// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $name and $password, table row must be 1 row

if($count==1){
// Register $name, $password and redirect to file "main_forum.php"
$_SESSION['name'] = $name;
$_SESSION['password'] = $password;
header("location:main_forum.php");
}
else {

.

Oh, and I'm still not sure how you all were able to post to the forum.  Just curious.  Thanks very much for pointing me in the right direction,

--Jacob


I think you should use md5 on the password..

 

$_SESSION['password'] = md5($password); and have the password in the database as md5 too (of course, or it won't match)

 

And make a limit to how many times the same user can login in some time period like:

 

session_start();
if (!isset($_SESSION['logins'])) {
$_SESSION['logins'] = 0; // number of failed attempts so far in this session
}
if ($_SESSION['logins'] >= 5) {
echo 'too many login attempts';
exit;
}

if ($password == false) { // $password here stands for the result of the password check
$_SESSION['logins']++; // count the failed attempt
echo 'wrong password';
}

 

or, err, something like that ^^ lol, it stops people guessing the password too many times
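Added example (not from the thread) of a login handler that combines the two suggestions above: hashed password storage and a limit on failed attempts. It uses password_hash()/password_verify() in place of md5, which is unsalted and fast and so no longer suitable for password storage, and it keeps only the username in the session. It assumes a mysqli connection $conn from config.php and that registered_members.password holds password_hash() output.

```php
<?php
// Added example (not the thread's code): login handler with hashed
// passwords and a failed-attempt counter. Assumes config.php provides a
// mysqli connection $conn and that the password column stores
// password_hash() output (both assumptions).
session_start();
include 'config.php';
$tbl_name = 'registered_members';
const MAX_FAILED_LOGINS = 5;

if (!isset($_SESSION['failed_logins'])) {
    $_SESSION['failed_logins'] = 0;
}
if ($_SESSION['failed_logins'] >= MAX_FAILED_LOGINS) {
    echo 'Too many login attempts.';
    exit;
}

$name     = isset($_POST['name'])     ? $_POST['name']     : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Look the user up by name only; the password is checked against the
// stored hash in PHP, never compared inside the SQL text.
$stmt = $conn->prepare("SELECT password FROM $tbl_name WHERE name = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();

if ($found && password_verify($password, $storedHash)) {
    // New session id on login, and only the identity goes into the
    // session; the password itself is never stored there.
    session_regenerate_id(true);
    $_SESSION['failed_logins'] = 0;
    $_SESSION['name'] = $name;
    header('Location: main_forum.php');
    exit;
}

// Same message for unknown user and wrong password, and count the failure.
$_SESSION['failed_logins']++;
echo 'Wrong username or password.';
```

A counter kept in the session only slows down a client that keeps its session cookie; a per-account failure count stored server-side is the stronger check.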

