-1

I have created the PHP code:

<?php

  include("../config.php");

  if(!isset($_COOKIE["sessionid"])) {
      header("location:../error_pages/403.php");
  } else {
      $value = $_COOKIE["sessionid"];
      $query = "SELECT * FROM users WHERE sessionid = ?";

      $stmt = $conn->prepare($query);
      $stmt->bind_param("s",$value);
      $stmt->execute();
      $result = $stmt->get_result();

      $rowcount = $result->num_rows;
      if ($rowcount != 1 ) {
          header("location:../error_pages/403.php");
      } else {
          $file = "/path/to/file/";
          header('Content-Description: File Transfer');
          header('Content-Disposition: attachment; filename='.basename("File_Name"));
          ob_clean();
          flush();
          readfile($file);
      }
  };
?>

I'm wondering if there is a way the sessionid cookie could be manipulated to allow for SQL injection. As well as whether this download is secure. The file is not stored in a publicly accessible folder.

To prevent session stealing I'm serving the login page only over TLS, is there another method sessions could be stolen?

Joss Bird
  • 295
  • 1
  • 4
  • 19
  • If someone can read your cookie (physically, or trough some form of xss, or any other methdo), you can rip their sessionid, making session-stealing easy. That's not very chill. – Nanne Jun 01 '17 at 11:24
  • @Nanne How could I go about preventing session stealing? – Joss Bird Jun 01 '17 at 11:32
  • Stack overflow is so prone to elitism. Why was this down-voted again? – Joss Bird Jun 19 '17 at 21:44

1 Answers1

1

By using a query parameter, you're safe from SQL injection.

Your code might be vulnerable to session hijacking. Here are some tips and resources:

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828