473,700 Members | 2,649 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Whats wrong with this security script?

This script is meant to limit access by sessions, using username and
password from mysql db and redirect users after login according to a
given value belonging to each user in the db (10,20,30,40).

(the included config is just server settings, the login is just a
login form).

The script appear to connect but will not redirect users, it seems
that even with correct login details, it won't validate.

this code is in top of each protected page granting access to users
with user level 10:
<?php $allow = array (10);include ("../protect/protect.php"); ?>
THE SCRIPT (protect.php):

<?php

session_start ();

// --------------------------------THE
VARIABLES---------------------------------- //

@include ("config.php ");

// ----------------------------------THE CODE
------------------------------------ //

function clearance ($user_value, $pass_value, $level_value,
$userlevel_valu e, $table_value, $column1, $column2, $path) { //
Function to see if user can login

$check = mysql_query ("SELECT $userlevel_valu e FROM $table_value
WHERE username='$user _value' AND password='$pass _value'"); // Query to
see if user exists

$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);

if (count ($level_value) != 0) { // If the allow array contains
userlevels

if (in_array ($get[$userlevel_valu e], $level_value) && $verify 0)
{ // Search allow to see if userlevels match

$_SESSION['username'] = $user_value; // Register sessions
$_SESSION['password'] = $pass_value; // password
$_SESSION['userlevel'] = $get[$userlevel_valu e];

}
//redirect users according to user level
if ($verify 0); {
$row = mysql_fetch_arr ay($check);
}

switch($row['userlevel_valu e']) {
case '10':
header("locatio n:/hidden/folder1/index.php");
break;
case '20':
header("locatio n:/hidden/folder2/index.php");
break;
case '30':
header("locatio n:/hidden/folder3/index.php");
break;
case '40':
header("locatio n:/hidden/folder4/index.php");
break;
default:
printf("Invalid username and password<br>\n" );
}
//end redirect

} else {

if ($verify == 0) { // If attempt fails then redirect to login page

$_SESSION = array();

$error = "Sorry, invalig login";

@include ("login.php" );

exit;

}

if ($verify 0) { // If attempt is good then register the user

$_SESSION['username'] = $user_value;
$_SESSION['password'] = $pass_value;

}

}

}

function protect ($level_value, $password_value , $userlevel_valu e,
$table_value, $column1, $path) { // Function to keep pages secure

if (!isset ($_SESSION['username'])) { // If session doesn't exist
then get user to login

if (isset ($_POST['username']) && isset ($_POST['password'])) {

$error = "Sorry, username or password doesnt fit";

}

$_SESSION = array();

@include ("login.php" );

exit;

} else { // If user is logged in check to see if session is valid and
that they have the required userlevel

$check = mysql_query ("SELECT $password_value , $userlevel_valu e FROM
$table_value WHERE $column1='$_SES SION[username]'"); // Query to see
if user exists

$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);

if ($verify == 0) {

$_SESSION = array();

$error = "Something wrong with your login";

@include ("login.php" );

exit;

}

if ($verify 0 && count ($level_value) != 0) {

if (!in_array ($get[$userlevel_valu e], $level_value)) { // Check to
see if the users userlevel allows them to view the page

$error = "Sorry, no access";

@include ("login.php" );

exit; // Ensure no other data is sent

}

}

}

}

if (isset ($_POST['username']) && isset ($_POST['password'])) { // If
user submits login information then validate it

clearance ($_POST['username'], $_POST['password'], $allow,
$userlevel, $table, $username, $password, $path);

}

protect ($allow, $password, $userlevel, $table, $username, $path);

mysql_close ($link); // Close the database connection for security
reasons

// -----------------------------------THE END
------------------------------------ //

?>

Mar 28 '07 #1
2 1927
Nosferatum wrote:
This script is meant to limit access by sessions, using username and
password from mysql db and redirect users after login according to a
given value belonging to each user in the db (10,20,30,40).

(the included config is just server settings, the login is just a
login form).

The script appear to connect but will not redirect users, it seems
that even with correct login details, it won't validate.

this code is in top of each protected page granting access to users
with user level 10:
<?php $allow = array (10);include ("../protect/protect.php"); ?>
THE SCRIPT (protect.php):

<?php

session_start ();

// --------------------------------THE
VARIABLES---------------------------------- //

@include ("config.php ");

// ----------------------------------THE CODE
------------------------------------ //

function clearance ($user_value, $pass_value, $level_value,
$userlevel_valu e, $table_value, $column1, $column2, $path) { //
Function to see if user can login

$check = mysql_query ("SELECT $userlevel_valu e FROM $table_value
WHERE username='$user _value' AND password='$pass _value'"); // Query to
see if user exists
You should check to see if $check contains a result set or false (the
latter indicating an error).
$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);
Don't try to fetch the array unless the return from mysql_query() is a
result set and mysql_num_rows is 0.
if (count ($level_value) != 0) { // If the allow array contains
userlevels

if (in_array ($get[$userlevel_valu e], $level_value) && $verify 0)
{ // Search allow to see if userlevels match

$_SESSION['username'] = $user_value; // Register sessions
$_SESSION['password'] = $pass_value; // password
$_SESSION['userlevel'] = $get[$userlevel_valu e];

}
//redirect users according to user level
if ($verify 0); {
$row = mysql_fetch_arr ay($check);
You just fetched the array up above. This will attempt to get the
second row in the result set. is this what you want?
}

switch($row['userlevel_valu e']) {
case '10':
header("locatio n:/hidden/folder1/index.php");
break;
case '20':
header("locatio n:/hidden/folder2/index.php");
break;
case '30':
header("locatio n:/hidden/folder3/index.php");
break;
case '40':
header("locatio n:/hidden/folder4/index.php");
break;
default:
printf("Invalid username and password<br>\n" );
}
//end redirect

} else {

if ($verify == 0) { // If attempt fails then redirect to login page

$_SESSION = array();

$error = "Sorry, invalig login";

@include ("login.php" );

exit;

}

if ($verify 0) { // If attempt is good then register the user

$_SESSION['username'] = $user_value;
$_SESSION['password'] = $pass_value;

}

}

}

function protect ($level_value, $password_value , $userlevel_valu e,
$table_value, $column1, $path) { // Function to keep pages secure

if (!isset ($_SESSION['username'])) { // If session doesn't exist
then get user to login

if (isset ($_POST['username']) && isset ($_POST['password'])) {

$error = "Sorry, username or password doesnt fit";

}

$_SESSION = array();
$_SESSION is already an array - which you just wiped out. Don't do
this. Unset the appropriate array values if necessary.
@include ("login.php" );
Why are you including this twice? Make it a function and include it
once at the top. Then call that function if necessary.
exit;

} else { // If user is logged in check to see if session is valid and
that they have the required userlevel

$check = mysql_query ("SELECT $password_value , $userlevel_valu e FROM
$table_value WHERE $column1='$_SES SION[username]'"); // Query to see
if user exists

$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);

if ($verify == 0) {

$_SESSION = array();
Again, don't try to set $_SESSION to an array.
$error = "Something wrong with your login";

@include ("login.php" );
And a third time?
exit;

}

if ($verify 0 && count ($level_value) != 0) {

if (!in_array ($get[$userlevel_valu e], $level_value)) { // Check to
see if the users userlevel allows them to view the page

$error = "Sorry, no access";

@include ("login.php" );

FOUR times?
exit; // Ensure no other data is sent
>
}

}

}

}

if (isset ($_POST['username']) && isset ($_POST['password'])) { // If
user submits login information then validate it

clearance ($_POST['username'], $_POST['password'], $allow,
$userlevel, $table, $username, $password, $path);

}

protect ($allow, $password, $userlevel, $table, $username, $path);

mysql_close ($link); // Close the database connection for security
reasons

// -----------------------------------THE END
------------------------------------ //

?>
Just what I saw from a quick glance. There may be more.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===
Mar 28 '07 #2
On 28 Mar, 16:40, "Nosferatum " <John.Ola...@gm ail.comwrote:
This script is meant to limit access by sessions, using username and
password from mysql db and redirect users after login according to a
given value belonging to each user in the db (10,20,30,40).

(the included config is just server settings, the login is just a
login form).

The script appear to connect but will not redirect users, it seems
that even with correct login details, it won't validate.

this code is in top of each protected page granting access to users
with user level 10:
<?php $allow = array (10);include ("../protect/protect.php"); ?>

THE SCRIPT (protect.php):

<?php

session_start ();

// --------------------------------THE
VARIABLES---------------------------------- //

@include ("config.php ");

// ----------------------------------THE CODE
------------------------------------ //

function clearance ($user_value, $pass_value, $level_value,
$userlevel_valu e, $table_value, $column1, $column2, $path) { //
Function to see if user can login

$check = mysql_query ("SELECT $userlevel_valu e FROM $table_value
WHERE username='$user _value' AND password='$pass _value'"); // Query to
see if user exists

$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);

if (count ($level_value) != 0) { // If the allow array contains
userlevels

if (in_array ($get[$userlevel_valu e], $level_value) && $verify 0)
{ // Search allow to see if userlevels match

$_SESSION['username'] = $user_value; // Register sessions
$_SESSION['password'] = $pass_value; // password
$_SESSION['userlevel'] = $get[$userlevel_valu e];

}
//redirect users according to user level
if ($verify 0); {
$row = mysql_fetch_arr ay($check);
}

switch($row['userlevel_valu e']) {
case '10':
header("locatio n:/hidden/folder1/index.php");
break;
case '20':
header("locatio n:/hidden/folder2/index.php");
break;
case '30':
header("locatio n:/hidden/folder3/index.php");
break;
case '40':
header("locatio n:/hidden/folder4/index.php");
break;
default:
printf("Invalid username and password<br>\n" );
}
//end redirect

} else {

if ($verify == 0) { // If attempt fails then redirect to login page

$_SESSION = array();

$error = "Sorry, invalig login";

@include ("login.php" );

exit;

}

if ($verify 0) { // If attempt is good then register the user

$_SESSION['username'] = $user_value;
$_SESSION['password'] = $pass_value;

}

}

}

function protect ($level_value, $password_value , $userlevel_valu e,
$table_value, $column1, $path) { // Function to keep pages secure

if (!isset ($_SESSION['username'])) { // If session doesn't exist
then get user to login

if (isset ($_POST['username']) && isset ($_POST['password'])) {

$error = "Sorry, username or password doesnt fit";

}

$_SESSION = array();

@include ("login.php" );

exit;

} else { // If user is logged in check to see if session is valid and
that they have the required userlevel

$check = mysql_query ("SELECT $password_value , $userlevel_valu e FROM
$table_value WHERE $column1='$_SES SION[username]'"); // Query to see
if user exists

$verify = mysql_num_rows ($check);

$get = mysql_fetch_arr ay ($check);

if ($verify == 0) {

$_SESSION = array();

$error = "Something wrong with your login";

@include ("login.php" );

exit;

}

if ($verify 0 && count ($level_value) != 0) {

if (!in_array ($get[$userlevel_valu e], $level_value)) { // Check to
see if the users userlevel allows them to view the page

$error = "Sorry, no access";

@include ("login.php" );

exit; // Ensure no other data is sent

}

}

}

}

if (isset ($_POST['username']) && isset ($_POST['password'])) { // If
user submits login information then validate it

clearance ($_POST['username'], $_POST['password'], $allow,
$userlevel, $table, $username, $password, $path);

}

protect ($allow, $password, $userlevel, $table, $username, $path);

mysql_close ($link); // Close the database connection for security
reasons

// -----------------------------------THE END
------------------------------------ //

?>
It's just a bit confused right now, with $userlevel_valu e,
$level_value, $get['userlevel_valu e'] and $userlevel - I might have
forgotten one or made one up.

Try sticking to a convention, eg. I would have $arrAllowedLeve ls for
$level_value.
I'm sure you get bored of passing so many things to each function, if
you can logically group the variables passed in it would be easier to
keep track of, can you either use an array of "query details"
$arrQuery =
array('columns_ selected'=>arra y('username','p assword'),'tabl e_name'=>'my_ta ble');
or table details, or just form the query outside and pass it in as a
string, wrapping the logic inside 2 functions when you are including a
file called protect.php seems uneeded for this purpose. You could
start by writing the whole lot as a nice clean script, and think about
wrapping it up later. It might help you get the logic straight.

because of the way you have coded the clearance() query, at the moment
it allows anyone to authenticate without a correct username or
password, and then for this to persist inside the session, allowing
unrestricted access (and other nasties). Remember to use
$var=mysql_real _escape_string( (string)$var[,$link]) before you pass a
value into a query, see the manual for more (I am assuming that config
handles the db link as well)

a couple of other points.
what is $level_value, it seems to be an array and the logic suggests
that you want to use it as "if the user has [at least?] this level,
then let them in" - but what if your users have a greater level than
this? You will have to add each level into the array to allow them
access too.
Why could you not use an integer called $intMinClearanc eLevel, if the
user's level is at least equal to it, they can pass, this is a minor
change but simplifies your logic and the need to add each level into
the array.
Call exit() after a call to header( 'Location: ' . $strAbsoluteUri );
and use the absolute uri, although browsers tend to do well, it could
be ambiguous in certain circumstances (probably more so for the coder
than the browser!)
If you do want to "be efficient" and only include files if and when
they are needed - which as Jerry points out - can make for over
inclusion, use include_once so that php will not include multiple
times!
Don't be disheartened though, it will all come together

Mar 29 '07 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

9
1859
by: iz0nlee | last post by:
can anybody tell me what is wrong here, I got this shockwave test from javascript in easy steps but it doesnt open the pages required <html> <head> <script type = "text/javascript"> if ( (navigator.appName == "Microsoft Internet Explorer" && navigator.appVersion.IndexOf ( "Mac" ) == -1 && navigator.appVersion.IndexOf ( "3.1" ) == -1) || navigator.plugins && navigator.plugins )
6
23511
by: Andy Wawa | last post by:
Hi, on a simple HTML (not an ASP!)-Site I try to connect to a sql server (MS): <html> <title>Test</title> <head> <script language="javascript"> <!-- Function showForm(){
3
2390
by: Chris Geerdink | last post by:
combo with PHP. what is wrong with the Javascript? else { include("mysql.php"); $query1 = mysql_query("INSERT INTO gbook (naam, email, text) VALUES ('".$_POST."', '".$_POST."', '".$_POST."')"); ?> <script language="JavaScript"> <!--
62
3740
by: TheShadow1 | last post by:
safetyTips - this array is in here.js ...
5
1982
by: Alexandre Martins | last post by:
Provider=Microsoft.Jet.OLEDB.4.0;UserId=Admin;Password=teste;Data Source=C:\Inetpub\wwwroot\inktoner\dados\db_inktoner.mdb;Persist Security Info=True I can't connect in my database ! whats wrong ?? tks
2
1218
by: Paul | last post by:
Hi I have some code and java script, when the page initially loads I want it to have focus on dr_tx_names. This works. The page loads a second time with a dropdown selection and in the code behind I have Me.dr_lst_systype.Attributes.Add("onFocus", "javascript:DoHighlight()") as I want the focus to go to dropdown box dr_lst_systype when the page reloads after a selection is made from dr_lst_systype. Anyhow it seems everytime the page...
3
1755
by: Vaidas Gudas | last post by:
I has web project on virtual pc, maked with framework 2.0. there I was used the method role.roleexists("admin") and everything was worked good. but when i replace this project on my local machine, where is installed both versions 1.1 and 2.0 of framework. And on the this method I am getting the error System.Web.HttpException was unhandled by user code ErrorCode=-2147467259 Message="Unable to connect to SQL Server database."...
1
1937
by: Varun Gupta | last post by:
PATH="/clocal/mqbrkrs/user/mqsiadm/sanjay/" MAIL_RECIPIENTS="rb903@dcx.com" Subject="File accessed in last minutes:" find "$PATH" -type f -amin -1 > temp.txt.$$ cat temp.txt.$$ | \ while read line do fuser -uV $line >> tempmail.txt done
5
1715
by: hiqu | last post by:
This issue is driving me nuts and not able to figure out whats wrong. I've this code in my firefox extension. Firefox always hangs and reports the script is busy. if I introduce a break statement in the for(;;) loop below, then no issue. Any help would be appreciated! function getStuff()
0
8725
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8644
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9074
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
8924
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
7807
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6560
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
4403
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
2
2392
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
2027
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.