-1

Problem

I am building a panel for an admin for a web system. I have to make sure that hackers, if they have knowledge of the names of the files on this server, cannot access certain pages directly without at least logging in. Now, after looking at similar PHP code used to achieve this, I discovered that after you have verified the existence of the user from the database, you start a session and then you store a boolean variable indicating whether this user is logged in inside $_SESSION["loggedin"] as true. I did exactly that in my login.php file, and also included a conditional structure to check if the user is logged in at the top of my admin_upload.php file. It checks the value of $_SESSION["loggedin"].

What I Expected

I expected that whenever I enter the URL to directly access the admin_upload.php file on the server without logging in, it would take me to login.php to start a session before I can view that page. Instead it opens the page, with the values that I am supposed to grab from login with the session being null.

Code

The login.php file is posted below

<?php
$conn=mysqli_connect("localhost","root","","rating");
if(!$conn){
    echo "Connection to database was unsuccesful";
}
$username="";
$password="";
$username=trim($_GET["p"]);
$password=trim($_GET["q"]);
//echo $password;
$sql="SELECT username from Admin where username="."'".$username."'";
//echo $sql;
$result=mysqli_query($conn,$sql);
if(mysqli_num_rows($result)>0){
    $pass="SELECT Password FROM Admin WHERE username="."'".$username."'";
    $real_qry=mysqli_query($conn,$pass);
    if(mysqli_num_rows($real_qry)>0){
        $row=mysqli_fetch_row($real_qry);
        $pass=$row[0];
        //echo $password;
        if(password_verify($password, $pass)){
          //start session
            session_start();
            //store the admin name in a session
            $_SESSION["username"]=$username;
            $_SESSION["loggedin"]=true;
            echo "password verification passed";
        

        }else{
            echo "Incorrect password";
        }
    }
}else{
    echo "No account with that username was found";
}
?>

The admin_upload.php is posted below

<?php
session_start();
//initialize the session
//check if the user is logged in
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){
//redirect to login.php if not logged in
        header("location: login.php");
    exit;
}
//session_start();
$name=$_SESSION["username"];
//if he is logged in then display images to be added
include "layout/product_add.php";

?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="materialize/css/materialize.min.css"/>
</head>
<body>
</body>
</html>

Any help to make this check if the user is logged in and redirect accordingly is greatly appreciated. Thank you.

Son of Man
  • What is the problem with the current script? Any error? – navnath Oct 15 '21 at 16:20
  • @navnath, yeah, when I enter the URL of the second file in the address bar, instead of the server checking to see if the user is logged in and redirecting to login.php, it opens the page with null session variables, like username for example is empty. – Son of Man Oct 15 '21 at 16:23
  • I guess this condition makes your problem: if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true). Because what about when the variable is not set? – Marty1452 Oct 15 '21 at 16:25
  • @Marty1452, I did not think about that, correcting in a few. – Son of Man Oct 15 '21 at 16:30
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 15 '21 at 18:01
  • @Dharman, I am just querying data from the database, not inserting, so how am I vulnerable to SQL injection? – Son of Man Oct 16 '21 at 03:07
  • 1
    It doesn't matter what the operation is. SQL injection happens when you concatenate PHP variables with SQL. – Dharman Oct 16 '21 at 08:03

1 Answer

1

You're going to want to update

if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){

with

if(!isset($_SESSION["loggedin"]) || !$_SESSION["loggedin"]) {

That verifies that $_SESSION["loggedin"] is not set OR that it's set and NOT TRUE; then it will do your redirection.

slashroot
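
The difference between the two conditions in this thread, shown as an added example that is not part of the question or the answer. The function names, the stricter third variant and the sample session arrays are constructed for illustration; the conditions are wrapped in pure functions so they can be evaluated on a plain array instead of a live $_SESSION.

```php
<?php
// Added example, not the poster's code. Each function returns true when
// the guard at the top of admin_upload.php would redirect to login.php.

// Condition from the question: redirects only if the key exists AND is not true.
function original_redirects(array $session): bool
{
    return isset($session["loggedin"]) && $session["loggedin"] !== true;
}

// Condition from the answer: redirects if the key is missing OR falsy.
function fixed_redirects(array $session): bool
{
    return !isset($session["loggedin"]) || !$session["loggedin"];
}

// Stricter variant (an assumption, not from the thread): only boolean true passes.
function strict_redirects(array $session): bool
{
    return ($session["loggedin"] ?? null) !== true;
}

// Constructed session states a request to admin_upload.php can arrive with.
$states = [
    "fresh visitor, no login" => [],
    "flag stored as false"    => ["loggedin" => false],
    "flag stored as null"     => ["loggedin" => null],
    "flag stored as string"   => ["loggedin" => "yes"],
    "logged-in admin"         => ["loggedin" => true, "username" => "admin"],
];

foreach ($states as $label => $session) {
    printf(
        "%-26s original=%-8s fixed=%-8s strict=%s\n",
        $label,
        original_redirects($session) ? "redirect" : "SERVE",
        fixed_redirects($session) ? "redirect" : "SERVE",
        strict_redirects($session) ? "redirect" : "SERVE"
    );
}
```

The first row is the case from the question: with no session data, isset() is false, the original condition short-circuits and the protected page is served.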