0

People have been telling me recently that my code is very vulnerable, but I can't see why. And if it was it would be hacked already I guess. Now. Why is vulnerable? How can I fix it?

I'm not so good with SQL. It's my friend who has written this code but we really need help. Please don't say "do this" because I won't understand the hard terms you use. Please help me fix it, if it is a problem and show me what you edit.

Here's the code for the register. 

<meta charset="UTF-8">
<?php

 # FORMULÄR
 if(isset($_POST['create'])) {

  # KONTROLL: Alla obligatoriska fälten är inte ifyllda
  if(empty($postUserReg) OR empty($_POST['pass_reg']) OR empty($postEmailReg)) {
   $register_data[] = 0;


  # KONTROLL: Alla obligatoriska fälten är ifyllda
  } else {

   # DATABAS: Hämta data från 'members'
   $get_userinfo = mysql_query("SELECT user FROM members
           WHERE user = '".$postUserReg."'
          ") or die(mysql_error());

   # DATABAS: Hämta data från 'members'
   $get_emailinfo = mysql_query("SELECT email FROM members
            WHERE email = '".$postEmailReg."'
           ") or die(mysql_error());


   # KONTROLL: Användarnamnet innehåller ogiltiga tecken
   if(!preg_match($validateUsername, $postUserReg)) {
    $register_data[] = 1;

   # KONTROLL: Användarnamnet finns redan i databasen
   } elseif(mysql_num_rows($get_userinfo) == 1) {
    $register_data[] = 2;

   # KONTROLL: Epost-adressen innehåller ogiltiga tecken
   } elseif(!preg_match($validateEmail, $postEmailReg)) {
    $register_data[] = 3;

   # KONTROLL: Epost-adressen finns redan i databasen
   } elseif(mysql_num_rows($get_emailinfo) == 1) {
    $register_data[] = 4;
   }

  }



  # KONTROLL: Inga fel hittades
  if(!isset($register_data)) {

   # DATABAS
   mysql_query("INSERT INTO members(user, pass, email, date_registred, info_ipaddress)
       VALUE('".$postUserReg."', '".$postPassReg."', '".$postEmailReg."', NOW(), '".$userIP."')
      ") or die(mysql_error());



   # DIRIGERING
   header("Location: ".url('message/registred'));
   exit;

  }

 } else {

  for($i = 0; $i < 5; $i++) {
   $back[$i] = '';
  }

 }



 # Välj vilket felmeddelande ska vara vart
 $register_error_list[0] = $messageEmptyFields;
 $register_error_list[1] = $messageUsernameInvalid;
 $register_error_list[2] = $messageUsernameExists;
 $register_error_list[3] = $messageEmailExists;
 $register_error_list[4] = $messageEmailInvalid;

 # Behåll datan i textfälten
 $back[2] = $postUserReg;
 $back[3] = $postEmailReg;

?>

And here's the code for the login. I guess both have many vulnerablitys

<meta charset="UTF-8">
<?php

 # FORMULÄR
 if(isset($_POST['login'])) {

  require_once($dirRequired.'/recaptchalib.php');
  $privatekey = $CAPTCHAprivate;
  $resp = recaptcha_check_answer ($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);

  # KONTROLL: Alla obligatoriska fälten är inte ifyllda
  if(empty($postUser) OR empty($_POST['pass']) OR empty($_POST['recaptcha_response_field'])) {
   $login_data[] = 0;


  # KONTROLL: Alla obligatoriska fälten är ifyllda
  } else {

   # DATABAS: Hämta data från 'members'
   $get_userinfo = mysql_query("SELECT user FROM members
           WHERE user = '".$postUser."'
          ") or die(mysql_error());
   $userinfo = mysql_fetch_assoc($get_userinfo);

   # DATABAS: Hämta data från 'members'
   $get_passinfo = mysql_query("SELECT user, pass FROM members
           WHERE user = '".$postUser."'
           AND pass = '".$postPass."'
          ") or die(mysql_error());

   # DATABAS: Hämta data från 'members'
   $get_blockinfo = mysql_query("SELECT id, user, rank FROM members
            WHERE user = '".$postUser."'
            AND pass = '".$postPass."'
            AND rank = '0'
           ") or die(mysql_error());


   # KONTROLL: Användarnamnet innehåller ogiltiga tecken
   if(!preg_match($validateUsername, $postUser)) {
    $login_data[] = 1;

   # KONTROLL: 
   } elseif(strcmp($userinfo['user'], $postUser) == 1) {
    $login_data[] = 2;

   # KONTROLL: Användarnamnet finns inte i databasen
   } elseif(mysql_num_rows($get_userinfo) == 0) {
    $login_data[] = 3;

   # KONTROLL: Lösenordet matchar inte användarnamnet
   } elseif(mysql_num_rows($get_passinfo) == 0) {
    $login_data[] = 4;

   # KONTROLL: Kontot har blivit spärrat
   } elseif(mysql_num_rows($get_blockinfo) == 1) {
    $login_data[] = 5;

   # KONTROLL: Webbläsaren tillåter inte några kakor
   } elseif(isset($_POST['autologin']) AND empty($_COOKIE)) {
    $login_data[] = 6;

   # KONTROLL: CAPTCHA'n är inte korrekt
   } elseif(!$resp->is_valid) {
    $login_data[] = 7;
   }

  }



  # KONTROLL: Inga fel hittades
  if(!isset($login_data)) {

   # DATABAS: Hämta data
   $get_logininfo = mysql_query("SELECT id, user, rank FROM members
            WHERE user = '".$postUser."'
            AND pass = '".$postPass."'
           ") or die(mysql_error());
   $login = mysql_fetch_assoc($get_logininfo);


   /* - - - - - - - - - - */


   # DATABAS: Uppdatera data
   $update = mysql_query("UPDATE members SET
           is_online = '1',
           date_loggedin = NOW(),
           info_ipaddress = '".encrypt($userIP)."'

           WHERE id = '".$login['id']."'
          ") or die(mysql_error());


   /* - - - - - - - - - - */


   # Automatisk inloggning
   if(isset($_POST['autologin'])) {
    setcookie('ds_autologin', encrypt($login['user'].' ¤ '.MD5($_POST['pass'])), time()+360000);
   }


   /* - - - - - - - - - - */


   # SESSION: Medlem
   $_SESSION[$sessionName] = array(
           'id' => $login['id'],
           'rank' => $login['rank'],
           'ip' => encrypt($userIP)
             );


   /* - - - - - - - - - - */


   # KONTROLL
   if($admin['checkbox_allowlogs'] == 1) {

    # HANTERA: Logga besökarens händelse
    handle_log(
         $login['id'],       # Användar-ID
         '',                 # Torrent-ID
         '',                 # Kommentar-ID
         $filename,          # Filnamn

         # Beskrivning
         'Loggade in på sitt konto',

         '',                 # DATUM: Sökord
         '',                 # DATUM: Registrerad
         $currentDate,       # DATUM: Senast inloggad
         $currentDate        # DATUM: Senast aktiv
        );

   }


   /* - - - - - - - - - - */


   # DIRIGERING: Skicka besökaren till vald sida
   header("Location: ".url(''));
   exit;

  }

 } else {

  for($i = 0; $i < 8; $i++) {
   $back[$i] = '';
  }

 }



 # Välj vilket felmeddelande ska vara vart
 $login_error_list[0] = $messageEmptyFields;
 $login_error_list[1] = $messageUsernameInvalid;
 $login_error_list[2] = $messageUsernameCaseSensitive;
 $login_error_list[3] = $messageUsernameNotExists;
 $login_error_list[4] = $messagePasswordNotMatch;
 $login_error_list[5] = $messageAccountBlocked;
 $login_error_list[6] = $messageCookieDisabled;
 $login_error_list[7] = $messageWrongCAPTCHA;

 # Behåll datan i textfälten
 $back[4] = $postUser;

Thank you.

Yguy
  • 1
  • 2
  • How? It's not because I can't understand. That's why I need your help @Shadow – Yguy Mar 07 '16 at 06:43
  • The general concepts are described in the linked topic. Based on that you have to be able to understand the theory. You choose one of the implementation methods, then you try yourself to implement it in your code. If you encounter any issues during implementation, then you can ask here for help specifically on that problem. – Shadow Mar 07 '16 at 06:54
  • Your example code doesn't seem complete (ie, where do $postUser and $postPass get set?). However your code does look open to SQL injection (try setting the password to _' OR 1 = 1 -- anything_ ). But logically you appear to check the name, then the name and password, then the name, password and rank. If you have a match on user name then it is not going to reach the 3rd IF statement to check $get_userinfo . – Kickstart Mar 07 '16 at 12:31

0 Answers0