Hi guys.

I am seriously confused with this issue. I've set up some pages to ban, unban and approve a user. On localhost, it works fine. I can ban them and their record is updated to show that. I can unban them and again, it's updated. I can also approve and all is fine.

However, when I uploaded this to a website I'm having a big problem. When I try and approve a user, or unban them - it changes their banned/approved state and then logs me in as them! And when I try and ban them, it just logs me out.

Here is the code I have (I'll show you the banned pages, as they're all basically the same):

ban.php

<?php
include 'core/init.php';
protect_page();
not_admin_redirect();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Liste - </title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
</head>

<body style="background-image: url(http://i.imgur.com/Wim7Rj9.png);">

   <!-- Begin Wrapper -->
   <div id="wrapper">

         <!-- Begin Header -->
         <div id="header">

               <center><a href="liste.php"><img src="http://forum.defensedpt.com/Themes/Fresh/images/theme/logo.png"></a></center>


         </div>
         <!-- End Header -->

         <!-- Begin Left Column -->
         <div id="leftcolumn">
            <?php
                $result = mysql_query("SELECT `user_id`, `username` FROM `users` WHERE `approved`=1 AND `banned`=0 ORDER BY `username`");

                echo "<center><table>";
                    while($row = mysql_fetch_array($result)) {
                        echo "<tr><td align=center><font color=\"white\">" . htmlspecialchars($row['username']) . "</font></td><td><font color=\"white\"> | </font></td><td><a href=\"ban_user.php?user_id=" . $row['user_id'] . "\"><font color=\"white\">Ban</font></a></td>";
                    }
                    echo "</table></center>";
            ?>
            <br><center><a href="liste.php">Go back</a></center>
         </div>
         <!-- End Left Column -->

         <!-- Begin Right Column -->
         <div id="rightcolumn">

                 <center>
                    <?php 
                        include 'loggedin.php';
                        include 'habbo_image.php';
                    ?>

                    <hr>
                    <a href="logout.php"><font size="3">Logout</font></a>
                    <br />
                    <a href="changepassword.php"><font size="3">Change Password</font></a>
                    <hr>
                    <br />
                    <hr>
                    <a href="liste.php">E-3+ (OPNAV)</a>
                    <hr>
                    <a href="dd.php">Dishonorable Discharge</a>
                    <hr>
                    <a href="hd.php">Honorable Discharge</a>
                    <hr>
                    <a href="deserter.php">Deserter</a>
                    <hr>
                    <br />
                    <?php
                    if ($user_data['permissions'] == 2) {
                    echo '
                    <hr>
                    <a href="approve.php">Approve Users</a>
                    <hr>
                    <a href="ban.php">Ban Users</a>
                    <hr>
                    <a href="unban.php">Unban Users</a>
                    <hr>';
                    } else {
                    echo ''; }?>
                    </center>
         </div>
         <!-- End Right Column -->

         <!-- Begin Footer -->
         <div id="footer">

               <center>DefenseDpt.com &copy All rights reserved</center>  

         </div>
         <!-- End Footer -->

   </div>
   <!-- End Wrapper -->

</body>
</html>

ban_user.php

<?php
include 'core/init.php';
protect_page();
not_admin_redirect();
$user_id = $_GET['user_id']; 
mysql_query("UPDATE `users` SET `banned`= 1 WHERE `user_id` = $user_id");  
header('Location: liste.php'); 
?>

Thanks guys. If you need me to explain what a function is or does, or anything like that, please ask. I wasn't really sure what you guys needed, short of providing all 41 of my files.

Oh - and when someone logs in a $_SESSION is set with their user id, and when someone logs out that $_SESSION is destroyed.

Thanks guys!

Member Avatar for diafol

OK, coupla things:

1) Try to separate the HTML and the PHP - this is a bit of a headache to try and sift through.
2) WRT HTML - you're using deprecated tags à la 1990s.

I can't really see any problem here other than have you got a session_start in every page (is it in init.php?).

Yeah, session_start() is in init.php

Not this this will fix your issue, but you should definately consider using a document type declaration just above the <html> opening tag. Without it, you are surely going to run into quirky issues since IE will go into quirks mode without a proper doctype.

Just start getting use to HTML5... it will require you to stop using some of the deprecated tags you have listed above, but it doesnt require you to use HTML5 elements.

<!DOCTYPE html>
<html>
...

sorry for a response that isnt related to the question, but again...you will come accross cross-browser compatibility issues eventually if you havent already.

I uploaded it all to a different host and it works fine. Does anyone know what could be preventing this at HostGator?

Member Avatar for diafol

Does anyone know what could be preventing this at HostGator?

Beats me.

I understand this post is solved with the new host, but there are some security concerns with your code that you should take care of.

<?php
include 'core/init.php';
protect_page();
not_admin_redirect();
$user_id = $_GET['user_id']; 
mysql_query("UPDATE `users` SET `banned`= 1 WHERE `user_id` = $user_id");  
header('Location: liste.php'); 
?>

The mysql query has the parameter $user_id which is not 'sanitized' before adding to the query.

Whenever you make an sql query, make sure you validate the datatype. The $user_id is probably an interger so you need to use $user_id = intval($_GET['user_id']);

If your variable is a string, then make sure you use mysql_real_escape_string($_GET['user_id']);

As your code is now, someone could do:

ban_user.php?user_id=(some sub sql query here)

That would execute another sql query of choice of the attacker.

The code also has a CSRF vulnerability.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.