Security problem, php and sessions

Question

whiteyoh 0 Posting Pro in Training

14 Years Ago

Hi all,

My code lists items based on the logged in users id. when listed these items have an edit function.

When the use clicks edit, the url holds the id for that item.

My problem is that its possible to change the url to show details of something thats not theirs

all have a unique id(pk), and owner id(fk).

I want some session security to check thats the owner id is the same as the user id, and if not say access denied. My include looks like this but doesnt work.

i know im close, just cant see the wood for the trees

<?php
session_start();
echo "i am propsec.php" . "<br>";
$emailsec = $_SESSION['user_email'];
$idsec = $_SESSION['user_id'];
$host="localhost"; // Host name
$username="un"; // Mysql username
$password="pw"; // Mysql password
$db_name="db"; // Database name


// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


$sql="SELECT owner_id FROM tbl_sellers";

//$_SESSION['user_type'] = $user_type;
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

$propsec = $row['owner_id'];
echo $idsec;
echo $propsec;
if ($idsec != $propsec) {
	echo "NOT allowed" . "<br>";
}else {
	echo "Allowed" . "<br>";
}
// If result matched $myusername and $mypassword, table row must be 1 row
//if (!$checkemail = $emailsec) { 
//	echo "You are not authorised to view this record/page.  Very naughty of you";
//}else{
//	exit();

?>

php

2 Contributors
6 Replies
162 Views
8 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by whiteyoh

cwarn23 387 Occupation: Genius

14 Years Ago

Your sql string, shouldn't it be modified with a WHERE clause so it only matches one row?

$sql="SELECT owner_id FROM tbl_sellers";

cwarn23 387 Occupation: Genius

14 Years Ago

But isn't that what the if statement is for. I mean doesn't the if statement prevent other users seeing things they shouldn't? For example.

<?php
session_start();
echo "i am propsec.php" . "<br>";
$emailsec = $_SESSION['user_email'];
$idsec = $_SESSION['user_id'];
$host="localhost"; // Host name
$username="un"; // Mysql username
$password="pw"; // Mysql password
$db_name="db"; // Database name


// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$_GET['id']=mysql_real_escape_string((int) $_GET['id']);
$sql="SELECT owner_id FROM tbl_sellers WHERE id=".$_GET['id'];

//$_SESSION['user_type'] = $user_type;
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

$propsec = $row['owner_id'];
echo $idsec;
echo $propsec;
if ($idsec != $propsec) {
	echo "NOT allowed" . "<br>";
}else {
	echo "Allowed" . "<br>";
}
// If result matched $myusername and $mypassword, table row must be 1 row
//if (!$checkemail = $emailsec) { 
//	echo "You are not authorised to view this record/page.  Very naughty of you";
//}else{
//	exit();

?>

...
the url shows http://URL/edit.php?id=20
the id is taken and that shows the details. say id 20 to 23 are mine, i can change it to 24 and see something thats not mine

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

whiteyoh 0 Posting Pro in Training · Answer 1 · 2010-02-07T18:01:24+00:00

well thats what i had originally, but the issue lies with........

the url shows http://URL/edit.php?id=20

the id is taken and that shows the details. say id 20 to 23 are mine, i can change it to 24 and see something thats not mine

whiteyoh 0 Posting Pro in Training · Answer 2 · 2010-02-07T18:16:38+00:00

you right, but i cant see why its not. ive included the related files below.....

And thanks for your help too

(1)login_success.php - correct info recieved so display things relating to those credentials.
(2) getlist.php (the include from the switch statement)
(3) edit.php

<?php 

session_start();
	$_SESSION['user_email'];
	$email = $_SESSION['user_email'];
$host="localhost"; // Host name
$username="un"; // Mysql username
$password="pw"; // Mysql password
$db_name=""; // Database name
$tbl_name="tbl_user"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT * FROM tbl_user WHERE user_email= '$email'";

$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$_SESSION['user_id'] = $row[0];
$_SESSION['user_type'] = $row[1]; 

switch ($_SESSION['user_type']){
	case "pri":
		//header("location:reg/pri/index.php");
		include "getlist.php";
		break;
	case "dev":
		echo "hello you are a dev";
		break;	
	case "pea":
		echo "you are a pea";
		break;	
	case "est":
		echo "you are an est";
		break;	
}

?>

<?php

session_start();
$owner_id = $_SESSION['user_id'];

$host="localhost"; // Host name
$username="un"; // Mysql username
$password="pw"; // Mysql password
$db_name="dn"; // Database name
$tbl_name="tbl_sellers"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$query="SELECT * FROM $tbl_name WHERE owner_id ='$owner_id'";

$results = mysql_query($query);
echo "<table>";
echo "<tr><td>" . "Your propery listing(s) are as follows" . "</td></tr>";
echo "<tr><td>" . "</td></tr>";
echo "<tr><td>" . "Address Line 1" . "</td>" . "<td>" . "Post / Zip Code" . "</td>" . "<td>" .   "Property Value" . "</td></tr>";
while($row = mysql_fetch_array($results))
 {
	
     echo "<tr><td>" . $row['propertyaddress'] . "</td>"  . "<td>" . $row['proppostzip'] . "</td>" . "<td>" . $row['value'] . "</td><td>" . "<a href=\"edit.php?id=" . $row['ID'] . "\"/>edit</a>" . "</tr>";
	 
}

echo "</table>";
?>

<?php
session_start();
$prop_id =  $_GET['id'];
echo "property id:" . $prop_id . "<br>";
echo "logged in owner id:" . $_SESSION['user_id'];
$_SESSION['ID'] = $prop_id;
$host="localhost"; // Host name
$username="un"; // Mysql username
$password="pw"; // Mysql password
$db_name="db"; // Database name
$tbl_name="tbl_sellers"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$query="SELECT owner_id FROM tbl_sellers WHERE ID ='$prop_id'";
$results = mysql_query($query);
while($row = mysql_fetch_array($results))
 {
$propertyaddress = $row['propertyaddress'];
$propadd2 = $row['propadd2'];
$proptown = $row['proptown'];
$propstatecounty = $row['propstatecounty'];
$proppostzip = $row['proppostzip'];
$propcountry = $row['propcountry'];
$propbedrooms = $row['propbedrooms'];
$propbathrooms = $row['propbathrooms'];
$propgarage = $row['propgarage'];
$eighteenplus = $row['eighteenplus'];
$value = $row['value'];
	
}
?>

<form name="fa" action="processprop.php" onsubmit="return validate_form(this);" method="post">
<table>
<tr>
<td><strong>Select a property type:</strong></td>
<td><select name="propertytype">
<option value=" "> </option>
<option value="House">House</option>
<option value="Bungalow">Bungalow</option>
<option value="villa">villa</option>
<option value="Detached">Detached</option>
<option value="Semi-Detached">Semi-detached</option>
<option value="Quad">Quad</option>
<option value="Terraced">Terraced</option>
<option value="Condominium">Condominium</option>
<option value="Apartment">Apartment</option>
<option value="Flat/Maisonette">Flat/Maisonette</option>
<option value="Ranch">Ranch</option>
<option value="Colonial">Colonial</option>
<option value="Other">Other</option>
</select></tr></td>
<tr><td><b>Property Address: </b> </td><td><input type="text" value="<?php echo $propertyaddress?>" name="propertyaddress" size=15></td></tr>
<tr><td><b>Address line 2: </b> </td><td><input type="text" value="<?php echo  $propadd2 ?>" name="propadd2" size=30></td></tr>
<tr><td><b>Town:</b> </td><td><input type="text" value="<?php echo  $proptown ?>" name="proptown" size=30></td></tr>
<tr><td><b>County: </b> </td><td><input type="text" value="<?php echo  $propstatecounty ?>" name="propstatecounty" size=15></td></tr>
<tr><td><b>Post Code:</b> </td><td><input type="text" value="<?php echo $proppostzip ?>" name="proppostzip" size=15></td></tr>
<tr><td><b>Country:</b> </td><td><input type="text" value="<?php echo  $propcountry ?>" name="propcountry" size=15></td></tr>
<tr><td><b>Number of bedrooms:</b> </td><td><input type="num" value="<?php echo $propbedrooms ?>" name="propbedrooms" size=15></td></tr>
<tr><td><b>Number of bathrooms:</b> </td><td><input type="num" value="<?php echo  $propbathrooms ?>" name="propbathrooms" size=15></td></tr>
<tr>
<td><strong>Does your property have a garage?:</strong></td>
<td><p>
  <select name="propgarage">
    <option value=" "> </option>
    <option value="Yes">Yes</option>
    <option value="No">No</option>
  </select>
</td></tr>
<tr>
<td><strong>Are you aged 18yrs or OVER:</strong></td>
<td>
  <select name="18yearsorover">
    <option value=" "> </option>
    <option value="Yes">Yes</option>
    <option value="No">No</option>
  </select>
</td></tr>

<tr><td></td><td><input type="submit" value="submit"></td></tr>
</table>
</form>

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 3 · 2010-02-07T18:28:56+00:00

Were any of those three files meant to have the access denied/granted if statement because I noticed you didn't use the if statement on any of those files. I would suggest following the example if statement in my previous post and embed it where necessary and just to make it easier below is the if statement I am talking about.

if ($idsec != $propsec) {
	echo "NOT allowed" . "<br>";
}else {
	echo "Allowed" . "<br>";
}

I will be signing off now but will be back sometime tomorrow as it is getting late where I am. So following the above example is the answer but as I am unfamiliar with your design I'm not sure where exactly to place these if statements.

whiteyoh 0 Posting Pro in Training · Answer 4 · 2010-02-07T19:48:59+00:00

Hi Cwarn23,

I got the problem fixed. the security worked perfect, its was what i was asking it to do. I was getting it to compare the user id with the registered owner (which was the same).

I moved the variables around to compare the user id with the owner id

if ($row['owner_id'] != $_SESSION['user_id']){
	echo "<h1>" . "ACCESS DENIED - YOU DO NOT HAVE SUFFICIENT PRIVELIDGES TO VIEW THIS RECORD" . "</h1>";
	exit();

thanks for your help :-)