
I have a website, and I'm using sessions for the login. On every page of my admin area, I have a check for whether the user has logged in or not. I have this code:

// Admin page guard (as posted): redirect to the login page when the session
// is not marked as logged in, otherwise render the page
if(!$_SESSION['loggedin'] && !$_SESSION['userid'])
{
  header('Location:login.php');
}
else
{
 //proceed loading the page
}

Now, what happens is that someone is messing with our site. He/she is entering vulgar text on the website, all kinds of disrespectful words, and it's so frustrating because the website is accessible to the public. I believe the username and password were hacked. So I asked all admin users to change their passwords, and I added a logger to monitor who updates the content of the website. I record the userid of the logged-in user and their post. After changing the passwords, the same thing happened again: content was updated by the hacker, or whoever he is.

I checked my log, and the user id of the hacker is 0. How is that possible, and how do I stop him? It makes me wonder what he did, because the condition at the very top of the page says that if $_SESSION['userid'] has no value, it should redirect them to the login page.

Currently I have put the website offline because the hacker is getting worse and worse. I was able to find out his IP address.

This is my user authentication:

// Login handler (as posted): the POSTed username and password are placed
// directly into the SQL string and the password is compared in the query
$user=trim($_POST['username']);
$pass=trim(stripslashes($_POST['password']));
$sql="SELECT * FROM users WHERE user='$user' AND pass='$pass'";
$qry=mysql_query($sql) or die (mysql_error());
if( mysql_num_rows($qry) )
{
  // first matching row becomes the logged-in user
  $row=mysql_fetch_assoc($qry);
  $_SESSION['userid'] =$row['userid'];
  $_SESSION['loggedin']=1;  
  header('Location: welcome.php');
}
else
{
      header('Location:login.php?error=1');
}
user1149244

2 Answers

Make sure to always call exit after a Header('Location: ...') call. Otherwise the script will continue execution after the header call. It will continue as far as sending everything after the header call to the browser, but regular browsers will see the Location header and do a redirect. Not-so-nice users may circumvent the Location call and can surf your "protected" page as they wish!

So, don't forget to always end execution immediately:

header('Location:login.php');
exit;
Emil Vikström

As @nhahtdh observed, you have an obvious SQL injection. Consider what happens if someone were to enter admin' OR 1=1; -- into your username field (yes, people do indeed try these sorts of things). Your SQL string gets converted into something like this:

SELECT * FROM users WHERE user='admin' OR 1=1; -- AND pass='junk'

This will select all of the users from your user table. The userid of 0 is, presumably, the first userid in your SQL table.

Please have a look at this excellent answer that explains how to avoid SQL injections.

ig0774
  • Hi, I tried inputting admin' OR 1=1; -- in the username box and submitted the form. I got an SQL syntax error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND pass='' at line 1 – user1149244 Jun 27 '12 at 15:18
  • @user1149244: Sorry, yes, there should be a space after the two dashes `--`, so you end up with "`admin' or 1=1; -- `". Note that if your page displays that SQL error, that is also a serious security concern. That may be how the hacker figured out how to hack your site in the first place. – ig0774 Jun 27 '12 at 16:51
  • You are right, I was able to log in with this: admin' or 1=1; -- " ... omg, this is scary. – user1149244 Jun 27 '12 at 18:28
  • A better technique: 1. Retrieve the record where user='$user' and nothing else. 2. Then compare in PHP the retrieved password with the $_POSTed password. – bart Jul 02 '12 at 17:06