Security check — PHP — IT news, forums, messages

You are here: Security check « PHP « IT news, forums, messages

Posted by Andy Pieters on 06/01/05 12:43

Hi all

I just got the ok from the client pertaining the disclosure of parts of the
code.

Basically I made admin and a user must be loged in in order to access any file
in that directory. (except index.php)

Here is the file index.php
<?php
require_once "../scripts/globals.php";
require_once "../scripts/database.php";

if(defined('DEBUG_LVL'))
error_reporting(DEBUG_LVL);
else
error_reporting(0);

function getShopDest($dest,$data)
{if( (array_key_exists('action',$data)) &&
($data['action']=='post_process'))
{if(array_key_exists('authorize',$data))
$dest=PAGE_ORDERMAN."?order=$data[authorize]&action=authorise";
elseif(array_key_exists('expedite',$data))
$dest=PAGE_ORDERMAN."?order=$data[expedite]&action=ship";
elseif(array_key_exists('deny',$data))
$dest=PAGE_ORDERMAN."?order=$data[deny]&action=deny";
elseif(array_key_exists('view',$data))
$dest=PAGE_ORDERMAN."?order=$data[view]";
}
return $dest;
}

$myDb=new verify(DB_HOST,DB_USER,DB_PASS,DB_DB);
if($myDb->LogedIn())
{$dest=PAGE_LOGIN_SUCCESS;
$dest=getShopDest($dest,$_GET);
header("Location: $dest");
die();}
$thispage=PAGE_LOGIN;
$message='';
$hiddens="\n\t";

$admin=ADMIN_STYLE;;

$old_name='';
if(array_key_exists('name',$_POST))
$old_name=htmlspecialchars($_POST['name']);

$valid=array('from','authorize','order');
#copy GET to POST
if(count($_GET)>0)
{foreach($_GET as $key=>$value)
if(in_array($key,$valid))
{$key=htmlspecialchars($key);
$value=htmlspecialchars($value);
$hiddens.=<<<___hid
<input type="hidden" name="$key" value="$value">\n\t
___hid;
}
}
elseif(count($_POST)>0)
foreach($_POST as $key=>$value)
if( ($key!=='login') && ($key!=='name') && ($key!=='pass') )
$hiddens.=<<<_hid_
<input type="hidden" name="$key" value="$value">\n\t
_hid_;
if( (array_key_exists('savereferer',$_GET)) &&
($_GET['savereferer']=='yes'))
{safeReferer($ref,$chksum);
$hiddens.=<<<_ref_
<input type="hidden" name="referer" value="$ref">\t
\t<input type="hidden" name="checksum" value="$chksum">
_ref_;
}

if(!empty($_POST['login']))
{#process request
if(isset($_POST['login']))
if($_POST['login']=='Login')
{$name=@$_POST['name'];
$pass=@$_POST['pass'];
#encode password
$pass=sha1(crc32(md5($pass)));
if($myDb->login($name,$pass,'users',$id))
{$dest=($id==777?PAGE_ROOT_LOGIN_SUCCESS:PAGE_LOGIN_SUCCESS);
#added new destinations for the store
$dest=GetShopDest($dest,$_POST);
if( (array_key_exists('savereferer',$_POST)) &&
($_POST['savereferer']=='yes'))
$dest=safeReferer($nothing,$empty,$dest);
header("Location: $dest");
die();}
else
{$message="Invalid login";}}}
elseif(!empty($_POST['cancel']))
{if(isset($_POST['cancel']))
if($_POST['cancel']=='Cancel')
{echo PAGE_PAGESTORE;
header("Location: ".PAGE_PAGESTORE);
exit();}}

echo <<<_EMPTY_FORM
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<link rel="stylesheet" href="$admin">
<title>Admin Login page</title>
</head>
<body class="newstore">
<div id="banner">
Admin Login
</div>
<form id="form1" action="$thispage" enctype="multipart/form-data"
method="POST">
$hiddens
<fieldset id="thefield">
<legend>Login</legend>
<label for="login_name">Name</label><br>
<input type="text" id="login_name" name="name" value="$old_name">
<p><label for="login_pass">Password</label><br>
<input type="password" id="login_pass" name="pass" value=""></p>
<input name="login" type="submit" value="Login"> <input type="submit"
name="cancel" value="Cancel">
_EMPTY_FORM;
if(!empty($message))
echo <<<_ERROR_FOUND
<div id="anerror" clear="all">$message</div>
_ERROR_FOUND;
echo <<<_EMPTY_FORM
</fieldset>
</form>
<div><a href="javascript:history.back(-1)">Back to the previous
page</a></div>
</body>
</html>
_EMPTY_FORM;
?>

And in every file in the directory /admin, I require the file login.php

Here is the file login.php
<?php
/* Original Flavor by Straight-A-Software
x_terminat_or_3@yahoo.fr
*/

/* Purpose of this file login check module

Specifics: to be required on each page that requires login

This script likes PHP 4
*/

#Version: 0.0a

require_once "globals.php";
require_once "database.php";

if(defined('DEBUG_LVL'))
error_reporting(DEBUG_LVL);
else
error_reporting(0);

$login_verify=new verify(DB_HOST,DB_USER,DB_PASS,DB_DB);

$verify=$login_verify->LogedIn();

if($verify===false)
{$where=AddGetVar(PAGE_LOGIN,'savereferer','yes');
header("Location: $where");
die();}

if(!defined('USER_ID')) define('USER_ID',$login_verify->userid());?>

And here are the relative parts of my database abstraction layer
(database.php)

class Login_Database extends database
{function login($name,$pass,$table,&$id)
{if(!$this->connected()) $this->halt();
#There is ONE builtin account that has UID 777
#Username root
#For the password, see your release documentation
if($name=='root' && $pass=ROOT_PASSWORD)
{$this->addHistory(777,true);
$this->doCookie(777);
$id=777;
return (bool) true;}
$query="SELECT `id`, `password`,`active` FROM `$table` WHERE `name`='$name'
LIMIT 1;";
$res=new_mysql_query($query,$this->dblink);
if(!$res)
{$this->addHistory($user,false);
return (bool) false;}
if(mysql_num_rows($res)!=1)
return (bool) false;
$res_array=mysql_fetch_assoc($res);
mysql_free_result($res);
if( ($res_array['password']==$pass) && ($res_array['active']=='1'))
{$id=$res_array['id'];
$this->addHistory($id,true);
$this->doCookie($id);
return (bool) true;}
$this->addHistory($name,false);
return (bool) false;}

function addHistory($user,$valid,$table=TBL_HISTORY)
{/*adds login(attempt) to the history databse
In case the login is successfull, only user id is shown */
#mysql date time format is YYYY-MM-DD HH:MM:SS
$timestamp=date("Y-m-d H:i:s");
$valid=($valid?'1':'0');
$ip=getDNSHost();
$query="INSERT INTO `$table`
(`date`,`ip`,`user`, `valid`)
VALUES
('$timestamp',
'$ip',
'$user',
'$valid');";
$res=new_mysql_query($query,$this->dblink) or $this->halt();}

function doCookie($id,$table=TBL_LOGINS,$code=null)
{if(is_null($code))
{$cookie=md5(mt_rand());
$timestamp=date("Y-m-d H:i:s");
$origin=getDNSHost();
new_mysql_query("DELETE FROM `$table` WHERE `userid`='$id';",
$this->dblink); #delete old data
$query="INSERT INTO `$table`
(`userid`, `login`, `cookie`, `origin`)
VALUES
('$id',
'$timestamp',
'$cookie',
'$origin' );";
new_mysql_query($query,$this->dblink) or $this->halt();}
else
$cookie=$code;

$expire=time()+SESSION_TIMEOUT; #end session in 10min
if(!(headers_sent()))
{setcookie('USERID',$id,false,HOST_MAINPATH,false,0);
setcookie('COOKIE_AUTH',$cookie,false,HOST_MAINPATH,false,0);}}}

class verify extends Login_Database
{var $uid=null;
function verify()
{if(!$this->Connected())
$this->database(DB_HOST,DB_USER,DB_PASS,DB_DB);}

function LogedIn($table=TBL_LOGINS)
{$table=mysql_escape_string($table);
if(!isset($_COOKIE['USERID']))
return (bool) false;
if(!isset($_COOKIE['COOKIE_AUTH']))
return (bool) false;
$userid=mysql_escape_string($_COOKIE['USERID']);
$cookie=$_COOKIE['COOKIE_AUTH'];
$cookie=mysql_escape_string($cookie);
$query="SELECT `cookie`, `origin`, `login` FROM `$table` WHERE
`userid`='$userid' LIMIT 1;";
$res=new_mysql_query($query,$this->dblink) or $this->halt();
if(!$res)
return (bool) false;
if(mysql_num_rows($res)!=1)
return (bool) false;
$cook=mysql_result($res,0,'cookie');
$cookiefrom=mysql_result($res,0,'origin');
$logdate=mysql_result($res,0,'login');
mysql_free_result($res);
#calculate time logintime+session_timeout
$unixmaxtime=strtotime($logdate)+SESSION_TIMEOUT;
if(time()>$unixmaxtime)
{#the session has expired, delete this record
new_mysql_query("DELETE FROM `$table` WHERE `userid`='$userid' LIMIT 1;");
#entry found in database, but
return (bool) false;}
if($cook===$cookie && $cookiefrom===getDNSHost() && time()<$unixmaxtime)
{$this->doCookie($userid,$table,$cook);
$this->uid=$userid;
$retval= (bool) true;
#this is a valid loged in user
#extend his time
$timestamp=date("Y-m-d H:i:s");
new_mysql_query("UPDATE `$table` SET `login`='$timestamp' WHERE
`userid`='$userid' LIMIT 1;", $this->dblink) or $this->halt();}
else
$retval=(bool) false;
return $retval;}

function userid()
{return $this->uid;}}

Thank you all for your time.

With kind regards

Andy
--
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O/>E$ d-(---)>+ s:(+)>: a--(-)>? C++++$(+++) UL++++>++++$ P-(+)>++
L+++>++++$ E---(-)@ W+++>+++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e>++++$@ h++(*) r-->++ y--()>++++
-- ---END GEEK CODE BLOCK------
--
Check out these few php utilities that I released
under the GPL2 and that are meant for use with a
php cli binary:

http://www.vlaamse-kern.com/sas/
--

--

Navigation:

Next in forum: Re: [PHP] PHP 5 Question about OO
Prev in forum: Re: [PHP] PHP 5 Question about OO
Thread view: Security check

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация