It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
So basically, few days ago one of my website clients, came to me, and told me that their database and website has been hacked (hackers somehow stole the md5 hashed password from database), logged in admin panel, and changed data. Well yeah, I created that page 1 and a half year ago, so I didn't know any better hash or salts then. Anyway, how do they hack the database? Well basically, is there any protection against that, or are they using any type of JavaScript codes, that I shouldn't allow to load, or what else?
Hope you can help me about this question, so I could create more protected websites.
This was the previous login code for that site. Added per request -
public function loginUser($username, $password) {
if(isset($_POST['login'])) {
if($username != '' && $password != '') {
$sql = "SELECT * FROM `users` WHERE `username` = '".$username."' AND `password` = '".$password."'";
$q = mysql_query($sql);
$row = mysql_fetch_array($q);
if(mysql_num_rows($q) > 0) {
if($row['level'] == 'admin') {
$_SESSION['user_level'] = 'admin';
}
else {
$_SESSION['user_level'] = 'normal';
}
$_SESSION['logged_in'] = 1;
header('location: account.php');
}
else {
header('location: error2.php');
// Return to page and show error
}
}
else {
header('location: error1.php');
// Show error, when people have empty fields entered
}
}
It's impossible to say definitely without much more information, but the most likely case is that your appplication was vulnerable to SQL injection, which enabled the attacker to get the site to display the contents of the database. Another possibility is that a directory traversal attack allowed them to download the DB files directly.
Since MD5 is by now completely broken (whether you use salt or not hardly matters anymore with MD5), the rest was simple.
You should read about SQL Injection (maybe that's how they got the information in your database).
Then you should take a look at XSS.
The first thing you have to do is to validate every piece of input, EVERYTHING!
Against SQLi you should use prepared statements.
And against XSS you should encode everything!
But, hey, no worries, you could have googled all this!
Related
I am adding some server-side form validations (using php) in case one of the users of my site has javascript turned off. On one form, there are 10 separate input fields that can be changed. Could someone please tell me which protocol will use less system resources? In the first, I write some mySQL variables to check the user's current settings, and compare these with the posted settings. If all 10 posted values are identical to the current values, don't UPDATE database, else UPDATE the database:
$login_id = $_SESSION['login_id'];
$sql1 = mysql_fetch_assoc(mysql_query("SELECT value1 FROM login WHERE login_id =
'$login_id'"));
$sql1a = $sql1['value1'];
// Eight More, then
$sql10 = mysql_fetch_assoc(mysql_query("SELECT value10 FROM login WHERE login_id =
'$login_id'"));
$sql10a = $sql10['value10'];
$Value1 = $_POST['Value1'];
// Eight More, then
$Value10 = $_POST['Value10'];
//Other validations then the following
if (($sql1a == $Value1)&&($sql2a == $Value2)&&.......($sql10a == $Value10)) {
echo "<script>
alert ('You haven't made any changes to your profile');
location = 'currentpage.php';
</script>";
}
else {
$sqlUpdate = mysql_query("UPDATE login SET value1 = '$Value1',....value10 = '$Value10'
WHERE login_id = '$login_id'");
echo "<script>
alert ('Your profile has been updated!');
location = 'currentpage.php';
</script>";
}//End php
OR is it less expensive to just use the user-posted values (keep the $_POST variables) and avoid checking with the comparison line: (($sql1a == $Value1)&&($sql2a == $Value2)&&.......($sql10a == $Value10)) and just go right to
//Other validations then the following
$sqlUpdate = mysql_query("UPDATE login SET value1 = '$Value1',....value10 = '$Value10'
WHERE login_id = '$login_id'");
echo "<script>
alert ('Your profile has been updated!');
location = 'currentpage.php';
</script>";
Thanks for any input on this!
If I understand correctly, your question is whether it's OK for performance to check the profile for modifications. For me, after I've checked your code, this is about much more than just performance...
Let's start with the performance: AFAIK MySQL queries are slower than basic PHP comparisions, that's true - but on this scale, I really don't think it matters much. We're talking about two very basic queries which won't handle a lot of data.
Let's think about what the end user will see (UX): in the second scenario, the user will not have the most exact feedback telling him/her that no modification has been done. On a profile modification screen, I suppose that might not be intentional, so I would tell that we haven't modified anything. (Also, performing an unnecessary UPDATE query is not the most elegant.)
#aehiilrs is right, please pay attention to that comment. This style of MySQL usage is particularly bad for security - if you keep going with this, you will create a lot of security holes in your PHP code. And those are really easy to discover and exploit, so please, have a good look on the alternatives, starting with PDO as mentioned. Any good PHP book out there will show you the way. You can also have a look at a great Q/A here on StackOverflow: How can I prevent SQL injection in PHP?
I wonder whether it's a good idea to try to update the user interface like you did - I would strongly prefer loading another PHP without any <script> magic in the output. In the result PHP, you can always display something like a CSS-styled statusbar for displaying info like that.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I have a page count to limit the number of times a logged out user can view profiles. If a user is logged out they are redirected to a sign-up page, this is right and should be what's happening but i'm getting the same thing happen when the user is logged in, how can i add an else statement or if statement to say only redirect to sign up page or only limit profile hits if not logged in?
Thanks
<?
!session_id() ? session_start() : null;
verify_profile_visit_limit();
function verify_profile_visit_limit(){
$free_profiles = array(99999,99998,99997,99996,99995,99994,99993);
if(in_array($_GET["id"], $free_profiles)) return;
if(! isset($_SESSION["page_access_count"])){
$_SESSION["page_access_count"] = 1;
}
$_SESSION["page_access_count"]++;
if($_SESSION["page_access_count"] > 5){
header("Location: limit.php");
exit();
}
}
?>
Just add an OR condition so you return if the user is logged in:
if(in_array($_GET["id"], $free_profiles) || isset($_SESSION['loggedIn']) && $_SESSION['loggedIn']) return;
With that your function will return before running the limit check. Assuming you store a boolean (true/false) in $_SESSION['loggedIn'].
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I'm Using phpfox with userplane webchat and this function is to grab sessionGuid from the database Original function is:
Function 1:
function get_current_online_session_login() {
$oSrvSec = &App::getModuleService('Account', 'Security');
$login = $oSrvSec->getCurrentUserLogin();
$aReq = getRow(App::getT('online_session'), 'online_session_user = "' . $login . '"');
// return $aReq['online_session_login'];
return $aReq['online_session_id'];
}
And i make change's in it so it return the salted hash but Chat is not working and show error that you are not authorized to enter in chat.
Here is what i make change in this code:
function get_current_online_session_login() {
$oSrvSec = &App::getModuleService('Account', 'Security');
$login = $oSrvSec->getCurrentUserLogin();
$aReq = getRow(App::getT('online_session'), 'online_session_user = "' . $login . '"');
$salt='waka_waka_shaka_laka_8342394';
// return $aReq['online_session_login'];
$umSar = $aReq['online_session_id'];
$saltedHash = md5($umSar . $salt);
return $saltedHash;
}
in this file have 2 function for session_id so i am not sure how to resolve this issue
here is the 2nd session_id function:
Function 2
function get_user_with_session_id($session_id) {
$session = getRow(App::getT('online_session'), "online_session_id = '$session_id'");
// $session = getRow(App::getT('online_session'), "online_session_login = '$session_id'");
$oSecurityService = &App::getModuleService('Account', 'Security');
$user = $oSecurityService->getUserByName($session['online_session_user']);
return isset($user) ? $user->aData['id'] : null;
}
Please i need help.
You can see function 1: and function 2: are original function in my common.php file and this function return the normal figure's for session_id and i want to return session_id as md5 salted hash or base_64.
Thanks
First you should understand, what a session-id is for. Normally the server will not recognize, that a user has already done some actions on a website, each request is like a new visit. To remember a user and his actions, the server stores them together with a random number, the session-id.
This session-id will be passed to the browser, and if the user e.g. presses a button, this session-id is handled back to the server. Now the server can look for the stored actions with this number and therefore will "remember" the user.
In your example you took the session-id, destroyed it with a one way hash function, and passed it to the browser. When the browser handles back this invalid session-id, the server has no chance to find the stored actions with this invalid number.
That said, the session-id is only a number to refind the already stored information on the server. It does in no way improve security, when you alter this number, because the browser will just send back what he gets, and the server has to recognize it, whether he previously encrypted/obfuscated it or not.
If your session-ids are predictable, like 203, 204, ..., then you should find the piece of code which generates such inappropriate numbers and modify this code, so it produces "truly" random numbers.
You first have to check if the crypt() method has MD5 support, and then pass the string to encrypt as well as the salt, beginning with $1$. See crypt() on PHP.net.
if (CRYPT_MD5 == 1) {
$saltedHash' . crypt($umSar, '$1$waka_wak$') . "\n";
}
Note that the salt must be 12 characters long for MD5.
If you're thinking of de-crypting the online-session-id you encrypted in function get_current_online_session_login() that's not not the purpose of md5 hashing.
If you want to encrypt/decrypt, u can use functions like mcrypt_decrypt,mcrypt_encrypt and base64_encode,base64_decode..
example answer: encrypt/decrypt password
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
here is the code for adding to database:
<?php
/*Config*/
Sounds like something that should be able to be easily accomplished using a PHP session variable.
Just use sessions and set a session variable (call it posted or something) and if that variable is set, don't allow the user to post (hide the submit button or use a PHP if-statement in your javascript to only perform the action when that variable is not set).
The session will be cleared when the user closes the browser.
As a possible example, in your PHP code for adding to the database, just put this at the beginning:
session_start();
if (isset($_SESSION['posted']))
die("posted");
$_SESSION['posted'] = true;
EDIT :
You just need to add another else if statement. It will look something like this:
if(response == "knownudid"){
document.getElementById('udid_message').innerHTML = '<br><i><font color="red">This UDID has already been inserted and it is valid.</font></i>' ;
}else if(response == "noudid"){
document.getElementById('udid_message').innerHTML = '<br><i><font color="orange">Please, enter your UDID.</font></i>' ;
}else if(response == "errudid"){
document.getElementById('udid_message').innerHTML = '<br><i><font color="red">It seems this UDID is not correct. Please check for typo.</font></i>' ;
}else if(response == "validatedudid"){
document.getElementById('udid_message').innerHTML = '<br><i><font color="green">This UDID has been found as an invalid one. Now it is valid.</font></i>' ;
}else if(response == "posted"){ // Here is the new one
document.getElementById('udid_message').innerHTML = '<br><i><font color="red">You have already posted a UDID for this session.</font></i>' ;
}else{
document.getElementById('udid_message').innerHTML = '<br><i><font color="green">UDID <b>'+response+'</b> successfully inserted.</font></i>';
}
With some nice jQuery or js you could hide the form after the user submit.
Having the javascript within the HTML elements is bad, move it into the <script> tags or even better, a separate .js file.
For HTML5 browsers, placeholder is a much more elegant way of providing instructions for text fields.
If you're using AJAX to submit the form, within your function insert_udid() add:
.
document.getElementById('your_button_or_form').disabled = true;
// or document.getElementById('your_form').style.visibility = 'hidden';
...otherwise, you'll need for the php code to disable or omit the form from the response HTML.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I have a php page from where my users log-in to the application. It is working fine.
Yesterday, all of a sudden the users were able to login but were forced out and redirected to the login page again.
My database has logged in the user's login timings and this problem was automatically solved after about 2 hours.
Why will like this happen?
In the following code it will check for the session value and if it is not found then redirect to the error page.
Yesterday, it was redirecting to error page even if the session value was set.
<?php
if($_SESSION['ucd']<>"" && $_SESSION['sid']<>"" && $_SESSION['sid']<>0)
{
$query="select count(*) from active_sessions where user_cd='".$_SESSION['ucd']."'
and session_no='".$_SESSION['sid']."' and START_TM like DATE_FORMAT(now(),'%Y-%m-%d%')";
//echo $query;
$cnt=$dbop->select($query);
if($cnt[0] == '0')
{
$sender = "sender=".urlencode($_SERVER['PHP_SELF']);
session_unset();
header("Location:../login/error.html?$sender");
die;
}
else{
$query = "update active_sessions set LAST_ACTIVITY = NOW() WHERE SESSION_NO = ".$_SESSION['sid'];
mysql_query($query);
?>
<?php
}
}
else
{
$sender = "sender=".urlencode($_SERVER['PHP_SELF']);
session_unset();
header("Location:../login/error.html?$sender");
die;
}
?>
I don't see session_start() anywhere in your code.