
I have created a CMS with a ban feature to ban accounts who violate the rules.

However, when I ban someone, I will ban the user but also myself. The unstyled text will appear only if you're an administrator:

You have been banned.

and if you're a user who is being banned, you'll get

Your account has been disabled and cannot be used anymore.
You find the details below.

Date: 13-04-2016 16:06:27
Reason: Violation of the EULA.

If you have questions, feel free to contact the administrator.

And now it's getting spooky: the text above is the only text I have in my scripts. The "You have been banned" is some old, pre-alpha text but it's still spooking around. So for the record, I have deleted this text a long time ago. I have searched every file, every include and every database.

I have even done a map search for the "You have been banned" sentence. No luck, it couldn't find anything! I have also restarted XAMPP and the databases, and I have logged out and logged in again; that didn't work either.


Details about the issue.

  • Text is fully blank, no styles or anything.

  • Only appears at admin.php

  • Appears when a user is banned - I have double checked the ban script and everything is running OK. Queries are pointing to the right database, etc.


Because the text only appears on admin.php, we need to take a look at admin.php. It's a file of 520 lines.

The ban script is on the top:

$sql = "SELECT * FROM bans WHERE user_name='".$_SESSION['user_name']."'";
$result = $conn->query($sql);
if(mysqli_num_rows($result) != 0) {
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            $blocked = "
            <div class='modal-inner' style='width:500px'>
            <h2>Account disabled</h2>
            Your account has been disabled and cannot be used anymore.<br />You find the details below.<br /><br />
            Processed: ". $row["user_dateofban"] ."<br />
            Reason: ". $row["reason"] ."<br /><br />
            If you have questions, feel free to contact the administrator.
            </div>
            ";
            exit($blocked);
        }
    }
}

Hope someone can help me out, it's super frustrating!


admin.php

The top.php & bot.php are both just HTML files, no PHP.

<?php
include("loginsys.php");

if ($login->isUserLoggedIn() == true) {

    //ban config
    $sql = "SELECT * FROM bans WHERE user_name='".$_SESSION['user_name']."'";
    $result = $conn->query($sql);
    if(mysqli_num_rows($result) != 0) {
        if ($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                $blocked = "
                <div class='modal-inner' style='width:500px'>
                <h2>Account disabled</h2>
                Your account has been disabled and cannot be used anymore.<br />You find the details below.<br /><br />
                Processed: ". $row["user_dateofban"] ."<br />
                Reason: ". $row["reason"] ."<br /><br />
                If you have questions, feel free to contact the administrator.
                </div>
                ";
                exit($blocked);
            }
        }
    }

    if(isset($_SESSION['user_rank']) && $_SESSION['user_rank'] == "3") {
        if(isset($_GET["page"]) && $_GET["page"] == "customization") {
            include("assets/top.php");

            if(isset($_POST['editcustom'])) {
                $sql = "UPDATE customization SET iam='".$_POST["iam"]."', iam2='".$_POST["iam2"]."', about='".$_POST["about"]."', about2='".$_POST["about2"]."', about3='".$_POST["about3"]."', recentwork='".$_POST["recentwork"]."', recentwork2='".$_POST["recentwork2"]."', getintouch='".$_POST["getintouch"]."', getintouch2='".$_POST["getintouch2"]."', address='".$_POST["address"]."', phone='".$_POST["phone"]."', email='".$_POST["email"]."', sendbutton='".$_POST["sendbutton"]."', copyright='".$_POST["copyright"]."'";
                $updateuser = $conn->query($sql);
                if ($updateuser) {
                    echo '<div class="alert alert-success">Settings saved.</div>';
                } else {
                    echo '<div class="alert alert-danger">Something went wrong executing the query. Try again.</div>';
                }
            }

            $sql = "SELECT * FROM customization LIMIT 1";
            $result = $conn->query($sql);
            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    ?>
<h1>Header</h1>
<form method="post">
<table>
    <tr>
        <td>Header 1</td>
        <td><input type="text" value="<?php echo $row["iam"]; ?>" name="iam" />
    </tr>
    <tr>
        <td>Header 2</td>
        <td><input type="text" value="<?php echo $row["iam2"]; ?>" name="iam2" />
    </tr>
</table>
<h1>About</h1>
<table>
    <tr>
        <td>About heading</td>
        <td><input type="text" value="<?php echo $row["about"]; ?>" name="about" />
    </tr>
    <tr>
        <td>About text</td>
        <td><input type="text" value="<?php echo $row["about2"]; ?>" name="about2" />
    </tr>
    <tr>
        <td>About button</td>
        <td><input type="text" value="<?php echo $row["about3"]; ?>" name="about3" />
    </tr>
</table>
<h1>Recent Work</h1>
<table>
    <tr>
        <td>Recent Work heading</td>
        <td><input type="text" value="<?php echo $row["recentwork"]; ?>" name="recentwork" />
    </tr>
    <tr>
        <td>Recent Work button</td>
        <td><input type="text" value="<?php echo $row["recentwork2"]; ?>" name="recentwork2" />
    </tr>
</table>
<h1>Contact</h1>
<table>
    <tr>
        <td>Heading</td>
        <td><input type="text" value="<?php echo $row["getintouch"]; ?>" name="getintouch" />
    </tr>
    <tr>
        <td>Text</td>
        <td><input type="text" value="<?php echo $row["getintouch2"]; ?>" name="getintouch2" />
    </tr>
    <tr>
        <td>Address</td>
        <td><input type="text" value="<?php echo $row["address"]; ?>" name="address" />
    </tr>
    <tr>
        <td>Phone</td>
        <td><input type="text" value="<?php echo $row["phone"]; ?>" name="phone" />
    </tr>
    <tr>
        <td>Email</td>
        <td><input type="text" value="<?php echo $row["email"]; ?>" name="email" />
    </tr>
    <tr>
        <td>Button text</td>
        <td><input type="text" value="<?php echo $row["sendbutton"]; ?>" name="sendbutton" />
    </tr>
</table>
<h1>Copyright</h1>
<table>
    <tr>
        <td>Copyright</td>
        <td><input type="text" value="<?php echo $row["copyright"]; ?>" name="copyright" />
    </tr>
</table>
<input type="submit" value="Save changes" name="editcustom" />
</form>
                    <?php
                }
            } else {
                echo "No customization yet.";
            }

            include("assets/bot.php");
        } else {
            ?>
<iframe src="admin.php?page=dashboard" style="width:700px;height:500px;">
    Your browser doesn't support iframes. Please upgrade.
</iframe>
            <?php
        }
    } else {
        echo "Error: No permissions";
    }
} else {
    echo "Error: Not signed in";
}
?>
J. Doe
  • So if you change the file to just `hello` or something you still get `You have been banned.`? You should also use prepared statements. – chris85 Apr 13 '16 at 15:08
  • @chris85 Yes, still getting the error after changing the file name – J. Doe Apr 13 '16 at 15:16
  • Not the name, the content...unless you loaded the newly named file and got the same output? – chris85 Apr 13 '16 at 15:20
  • @chris85 And what also weird is, when you go to `/admin` it will redirect to `/admin/pages/index.html`, even though there's no `/admin` folder and there's no redirect in any .htaccess file. I think my localhost may be haunted – J. Doe Apr 13 '16 at 15:20
  • @chris85 Yes I've changed the content also to "hello", the banned error goes away. So it must be somewhere in the file. I will post my admin.php file. – J. Doe Apr 13 '16 at 15:22
  • Is it a remote host or is this a local server on your own machine? – Martin Apr 13 '16 at 15:28
  • And with all due respect, the phrase "your browser does not support iframes. Please upgrade" is akin to "your car doesn't support using leaded fuel, please upgrade.". Various browsers have strict restrictions or even refusal to use iframes due to various security concerns. – Martin Apr 13 '16 at 15:31
  • You grep'd the whole code base for `You have been banned`? This is open to SQL injections, customization update also lacks a `where` clause so all records will be updated.. Also put in debugging statements to know that the control block you think you are in you actually are in. – chris85 Apr 13 '16 at 15:31
  • Also check the database for the text. It may be being appended somewhere.... – Martin Apr 13 '16 at 15:31
  • You need to clear and scrape clean your SESSION data too, I think the text is stuck in a session variable, somehow.... – Martin Apr 13 '16 at 15:34
  • also look inside `loginsys.php` – Martin Apr 13 '16 at 15:38
  • @Martin I think that would be the case, but I'm still learning PHP, how can I clean my session data? – J. Doe Apr 13 '16 at 15:38
  • `$_SESSION = array("","");` somewhere in a page on your site, after `session_start();` obviously. But just run this once as it will clear session data every time the code is executed. BEFORE running this might be better to do `print_r($_SESSION);` to see if the string is in the session, first. – Martin Apr 13 '16 at 15:38
  • @Martin I think I'm out of luck. The text is still there, when it's not in the code or in any database. This is spooky and I have never seen this before – J. Doe Apr 13 '16 at 15:43
  • is your code all local or on a server somewhere? – Martin Apr 13 '16 at 15:44
  • @Martin It's all local. – J. Doe Apr 13 '16 at 15:50
  • Edit your question and show what is inside `loginsys.php` (remove passwords, obviously) . Show every line of code that appears on admin.php *before* the strange message appears. – Martin Apr 13 '16 at 15:55
  • have you made any changes to any `.htaccess` files? (I'm not sure if these do much on local servers but worth a pop) – Martin Apr 13 '16 at 15:59

1 Answer

This is a small guide for improving your code, through which you will probably find the error evaporates or is more easily identified:

In no particular order:

  • run Error Logging on your PHP!!! Seriously. One of the very first fundamentals to learn.

  • You should be writing in HTML5 which means your code needs the correct syntax so <br/> becomes <br> and /> closing of tags does not need the slash.

  • Use correct attributes in your HTML, your <form> should have enctype and action and accept attributes as a minimum. Likewise other HTML tags can do with having more correct attributes associated with them.

  • Stop using iframes, they are not as widely supported now and have serious issues with XSS. Instead use CSS and/or PHP includes.

  • Try and avoid using select * and instead specify the name of each MySQL column you need to select. It is a bit more long winded but saves lots of 'umms' and 'aahs' on larger projects.

  • Good points: You are escaping PHP variable placements correctly and you are using Object Orientated DB connections, BUT the way you are setting up your database queries is very unsafe and should be improved as a priority:

    • Instead of putting the variable into the Query string directly you want to bind it to the query. Please research this with prejudice (different methods depending on your connection type).

    • Leading on from the point above you really, really should be cleaning your input / POST data as much as reasonably possible, never ever trust any user input, ever. The $_POST values can be anything, so use a REGEX cleaner or a PHP cleaning function to remove unwanted / damaging characters from form and text inputs.

  • Add lines to query your MySQL commands and feedback errors to your eyes.

Martin
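As an added example (not code from the question or from Martin's answer) of the binding and WHERE-clause points above: the ban check and the customization update from admin.php rewritten with mysqli prepared statements. It assumes $conn is the mysqli connection that loginsys.php sets up, PHP 7.4+ with the mysqlnd driver (for get_result), and an id column on the customization table, which the question does not show.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes $conn is the
// mysqli connection created by loginsys.php (see lead-in for other assumptions).

// Make mysqli throw on failure so query errors are never silently swallowed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Ban check: the session value is bound as a parameter, never concatenated,
// and only the two columns the message needs are selected instead of *.
function fetchBan(mysqli $conn, string $userName): ?array
{
    $stmt = $conn->prepare('SELECT user_dateofban, reason FROM bans WHERE user_name = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $ban = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $ban ?: null;
}

// Customization update: every value is bound and an explicit WHERE clause
// limits the UPDATE to one row. The id column is an assumption; the question
// shows no primary key on the customization table.
function saveCustomization(mysqli $conn, int $id, array $fields): int
{
    $columns = ['iam', 'iam2', 'about', 'about2', 'about3', 'recentwork',
        'recentwork2', 'getintouch', 'getintouch2', 'address', 'phone',
        'email', 'sendbutton', 'copyright'];
    // Only this fixed list of column names reaches the SQL text; POST data
    // never does, so a stray quote in a field cannot alter the statement.
    $set  = implode(', ', array_map(fn($c) => "$c = ?", $columns));
    $stmt = $conn->prepare("UPDATE customization SET $set WHERE id = ?");
    $values = array_map(fn($c) => (string)($fields[$c] ?? ''), $columns);
    $values[] = $id;
    $stmt->bind_param(str_repeat('s', count($columns)) . 'i', ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if ($ban = fetchBan($conn, $_SESSION['user_name'])) {
    // Escape database values before they are placed into HTML.
    $when   = htmlspecialchars($ban['user_dateofban'], ENT_QUOTES, 'UTF-8');
    $reason = htmlspecialchars($ban['reason'], ENT_QUOTES, 'UTF-8');
    exit("<div class='modal-inner'><h2>Account disabled</h2>"
        . "Processed: $when<br>Reason: $reason</div>");
}
if (isset($_POST['editcustom'])) {
    saveCustomization($conn, 1, $_POST);   // row id 1 is a constructed value
}
```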