
Is there any way a user can change the values of your code in PHP? Let's assume they have the full source code of my webpage.

// make the connection
$dbhost = 'localhost';
$dbuser = 'user';
$dbpass = 'password';
$db = "db";
$conn = new PDO("mysql:host=$dbhost;dbname=$db", $dbuser, $dbpass);
// set errors
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// get the data
$stmt = $conn->prepare("select username from usernames where " . $number . " = '$session'");
$stmt->execute();
$row = $stmt->fetch();
$username =  $row[0];

if ($username == "superuser") {
    // code to view secure information and make changes to people's accounts
}

Is there any way they can change their username to the "superuser"?

I am planning on being able to quickly view and edit people's account details for customer service options in the secure code part, so I don't want some random user being able to view and edit other users' data.

Thanks

Gumbo
ZMH Tech
    Where are `$number` and `$session` set? – D4V1D Jul 22 '15 at 00:53
  • Try viewing source in your browser with e.g. Ctrl-U. Do you see PHP code there? – Nathan Tuggy Jul 22 '15 at 00:53
  • See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1. You are open to SQL injections. – chris85 Jul 22 '15 at 00:55
  • No, there is no PHP code in the browser. The $session is in a cookie, but it is 50 chars long so it is not guessable. It is basically like using sessions in PHP. I am just wondering if there is any way someone can hack the $username variable – ZMH Tech Jul 22 '15 at 00:57
  • If they have the MySQL login info and then shell access on the server, yes. Then you can access MySQL command-line style. Generally not a good idea to give out credentials of any sort. – ArtisticPhoenix Jul 22 '15 at 00:57
  • Okay, so if they can't get the login info (they should not be able to), then it is perfectly okay to allow the superuser to edit anyone's account on my website. (The superuser of course will be me and a few customer service people.) – ZMH Tech Jul 22 '15 at 01:00
  • You still haven't told us where `$number` and `$session` are initialized. Without that we have no idea if they're vulnerable to SQL injection or not. We'd need to know how they're being initialized. – Sherif Jul 22 '15 at 01:01
  • unless the page is https, a cookie passes as plain text over the network and could be intercepted. –  Jul 22 '15 at 01:03
  • Depends what you mean by "secure information". I would never store CC data, and never passwords in plaintext. The reason is that some users may use the same password on many sites, so your customer service guy becomes a liability if he knows the password. This is different than having a way around the login using an admin account. All you need to do is ask yourself this question: is this data accessible publicly? An example would be name and address; a phone book has this data in it. That's generally not too risky. – ArtisticPhoenix Jul 22 '15 at 01:03
  • In any case, you already look like you're well on the right track to being vulnerable to an SQL injection vector given the example code, the way in which the question is phrased, and the dubious stance of being averse to answering the first comment. – Sherif Jul 22 '15 at 01:04
  • @Sherif - this is a good example: `usernames where " . $number . " = '$session'`. That's insecure, as is `usernames where " . $number . " = :session`. Any use of a PHP $var inside SQL should be avoided. I'd put `1 --` in and run it ;-), then the query is this: `select username from usernames where 1 --comments` – ArtisticPhoenix Jul 22 '15 at 01:08
  • Okay, so I am seeing that I am vulnerable to SQL injections. Does something like this fix that? http://php.net/manual/en/pdo.prepared-statements.php Also, yes, the important info is hashed with a salt, but I was just wondering: is there any way someone can inject "superuser" into the $username variable? Thanks for all your help everyone – ZMH Tech Jul 22 '15 at 01:18
  • So... you're talking about a user who has more than just the required rights set, getting control of your FTP account and using non-encoded PHP, and if this isn't enough, you've got your full connection information public in your webspace. This means the whole scenario happens any time your PHP interpreter fails. So if you don't have any emergency plans, not even school-project security standards - why start thinking about security now? – SophieXLove64 Jul 22 '15 at 01:31

2 Answers


I'd really suggest fixing your SQL; just using PDO does not guarantee security. Any use of PHP variables in the body of the SQL should be avoided:

"select username from usernames where " . $number . " = '$session'"

This is not secure either:

 "select username from usernames where " . $number . " = :session"

What happens if $number becomes username = 'superuser' --

 "select username from usernames where username='superuser' -- = :session"

Anything after the -- is a comment in SQL, much like // in PHP. And suddenly I am a superuser. Yay me. It can and does happen that easily.

This is the correct way:

 "select username from usernames where session_id = :session"

Not sure what $number is; the point is no PHP variable interpolation in the SQL body. I hate to rail on (no, secretly I love it), but it's essential to use PDO properly. I see code with the order by 'ASC' / 'DESC' posted from a webpage and injected with no thought into PDO, and it's no more secure than old-style MySQL, less even, because they thought it was secure.

For example:

"select username from usernames where username=1 order by $order"

Think what happens if $order is this:

"Desc; Drop table usernames;"

You could filter the data with an if/then, for example:

if( strtoupper($_POST['order']) ==  'DESC' ){
      $order = 'DESC';
}else{
      $order = 'ASC';
}

But you have to be extremely careful whenever you use a PHP variable in any form of SQL, and it's generally best avoided. You'll notice in the above the user data never gets put in the SQL; it is used only when evaluating the if condition.

OK, as for the actual problem at hand, I would separate the admin section completely: separate user table, separate session data, separate everything. There are a few reasons here. Most importantly, you don't have to worry about admin functionality leaking over to a normal user account. It would be easier to be logged in as both an admin and a user if the login sessions are stored separately. You could make an admin "log in as (user)" link, for example, without knowing their password. You can log admin actions without getting them polluted with users' data. You could have various levels of admin users, again with no worry that a normal user will gain access to this ability, because they are separate. It's a big job to do it right.

or can I legitly build the superuser account so I can access the data from an account inside of my website

This doesn't mean storing their credit card numbers and then peeking at them, but it's your site (you can make it however you want), so that is implied. There are limits of course: if someone comes over to your house you can't rob them or sell their personal information without them knowing, etc. They have a certain expectation of security, a certain expectation of how you handle purchase and billing information, for example. But if it's for support or legitimate business reasons, that's just good customer support to see what they do (with a log-in-as type ability). Now, logging in as them and running their bill up is generally going to be frowned upon, but you get the idea.

ArtisticPhoenix
  • One-liner comment in PHP is actually `//`, not `\\\`. – Spooky Jul 22 '15 at 01:27
  • @Spooky - so it is. I blame dyslexia on that one. – ArtisticPhoenix Jul 22 '15 at 01:28
  • Thanks @ArtisticPhoenix, so if I fix the MySQL code there should be no way for someone to modify the $username. Also, what is your take on the whole customer support thing anyway? For now it is just going to be me, so is it more secure for me to just go through the .sql on the server, or can I legitly build the superuser account so I can access the data from an account inside of my website? – ZMH Tech Jul 22 '15 at 01:31
  • I would make an entirely separate admin system. Then you keep the separation of the user and admin systems. You may want levels of administration, and logging of which admin does what. Depending on your coding ability and/or how much money you have, there are professional products that do that exact thing. – ArtisticPhoenix Jul 22 '15 at 01:34
  • Yes, of course everything would be hashed for the sensitive stuff. Thanks for your help. Yes, I think the separate functions would be better as well. – ZMH Tech Jul 22 '15 at 02:04
  • There is professional member management software that does just this kind of thing. I don't know of any free ones off the top of my head though. – ArtisticPhoenix Jul 22 '15 at 02:06
  • @ArtisticPhoenix .. damn that dyslexia! :D – Spooky Jul 22 '15 at 06:28
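To make the answer above concrete, here is an added example that is not ArtisticPhoenix's code or the asker's. It runs the vulnerable and the hardened query shapes through PDO against an in-memory SQLite database so it works offline; the table layout, the session_id column and the two rows are constructed for the demo and are assumptions about the asker's schema. It also shows a detail a practitioner should know: the `--` payload comments out the :session placeholder, so PDO rejects the bind for a parameter that no longer exists rather than returning a row, while a payload that keeps the placeholder alive, such as `username = 'superuser' or 'x'`, goes straight through. The ORDER BY whitelist is the answer's if/else, shown end to end.

```php
<?php
// Added example, not code from the question or the answer. Reproduces the
// answer's point with PDO against an in-memory SQLite database so it runs
// offline. The table, its session_id column and the two rows are constructed
// for this demo and are assumptions about the asker's real schema.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usernames (username TEXT NOT NULL, session_id TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO usernames (username, session_id) VALUES (:u, :s)');
    $ins->execute([':u' => 'superuser', ':s' => 'a1b2c3-admin-session']); // constructed row
    $ins->execute([':u' => 'alice',     ':s' => 'd4e5f6-alice-session']); // constructed row
    return $pdo;
}

// Vulnerable shape from the question: $number is spliced into the SQL text, so
// it can carry its own predicate. Binding :session only protects the one value
// that is actually a placeholder.
function lookupVulnerable(PDO $pdo, string $number, string $session): ?string
{
    $stmt = $pdo->prepare("select username from usernames where " . $number . " = :session");
    $stmt->execute([':session' => $session]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row[0];
}

// Hardened shape from the answer: the SQL text is a constant, only the value is bound.
function lookupSafe(PDO $pdo, string $session): ?string
{
    $stmt = $pdo->prepare('select username from usernames where session_id = :session');
    $stmt->execute([':session' => $session]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row[0];
}

// The answer's whitelist: user input only chooses between two constants and
// never reaches the SQL text itself.
function usernamesOrdered(PDO $pdo, string $requestedOrder): array
{
    $order = strtoupper($requestedOrder) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("select username from usernames order by username $order");
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$pdo = makeDb();
$attackerSession = 'not-a-real-session'; // the attacker never learns a real cookie value

// Intended use: $number names a column, and a bogus session matches nothing.
var_dump(lookupVulnerable($pdo, 'session_id', $attackerSession));                    // NULL

// Payload that keeps :session alive:
//   ... where username = 'superuser' or 'x' = :session
var_dump(lookupVulnerable($pdo, "username = 'superuser' or 'x'", $attackerSession)); // "superuser"

// The answer's "--" payload comments out the placeholder; PDO then refuses to
// bind a parameter the statement no longer has, so this raises instead of logging in.
try {
    lookupVulnerable($pdo, "username = 'superuser' --", $attackerSession);
} catch (PDOException $e) {
    echo 'rejected by PDO: ', $e->getMessage(), PHP_EOL;
}

// Hardened query: nothing to inject into, and the real session still resolves.
var_dump(lookupSafe($pdo, $attackerSession));                                        // NULL
var_dump(lookupSafe($pdo, 'a1b2c3-admin-session'));                                  // "superuser"

// ORDER BY: a hostile value falls through to ASC and never touches the SQL.
print_r(usernamesOrdered($pdo, 'Desc; Drop table usernames;'));                     // alice, superuser
print_r(usernamesOrdered($pdo, 'desc'));                                            // superuser, alice
```

Run it with `php demo.php`; it needs the pdo_sqlite extension, which most PHP builds enable. The same two shapes apply unchanged to the asker's MySQL DSN: whatever arrives from the request must either be a bound value or be mapped onto a fixed set of constants before it gets anywhere near the query string.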

You could use filter_values() before passing the data to the SQL statement.