I've created a script for employees to go in and edit their contact information. The script is accessed after logging in with the proper authentication and establishing a session. However, there seems to be a security loophole. After logging in, if the employee knew enough they could easily just change the URL and edit other employees' contact information. How can I alter my code so that the authentication is good only for the URL authenticated for?
Here is what I'm using for the login:
<?php
session_start();

if ($action == "logout") {
    session_destroy();
    $message = "You have successfully logged off.";
}

if (isset($submit)) {
    // $username and $password arrive via register_globals and are
    // interpolated straight into the query text.
    $SQL = "SELECT username, password, id FROM employees WHERE username = '$username' AND password = '$password'";

    $server = "localhost";
    $user = "xxx"; $pass = "xxx"; $database = "xxx";
    $connection = mysql_connect($server, $user, $pass);
    mysql_select_db("cu_editx");

    $result = mysql_query($SQL);
    if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_array($result);
        $myname = $row["username"];
        session_register("myname");
        // The employee's row id is handed to the editor through the URL.
        header("location: edit.php?id=$row[id]");
        exit;
    } else {
        $action = "fail";
        $message = "Your USERNAME/PASSWORD is incorrect.";
    }
    mysql_close($connection);
}
?>
<div align="center">
<p> </p>
<form name="login" action="index.php" method="post">
<table width="100%" border="0" cellspacing="0" height="203">
  <tr align="center">
    <td height="240"> <br>
      <br>
      <?php echo $message; ?>
      <table width="40%" border="1" cellspacing="0" height="80" bordercolor="#0033CC">
        <tr>
          <td height="81">Username</td>
          <td height="81">
            <input type="text" name="username">
          </td>
        </tr>
        <tr>
          <td height="81">Password</td>
          <td height="81">
            <input type="password" name="password">
          </td>
        </tr>
      </table>
      <p>
        <input type="submit" name="submit" value="Submit">
        <br>
        <br>
      </p>
    </td>
  </tr>
</table>
</form>
<p> </p>
</div>
Here is what I'm using for the editor:
<?php
session_start();

// Login check: $myname is the session variable registered in index.php.
if (!isset($myname)) {
    header("location:index.php");
    exit;
}

// The record to edit is taken straight from the query string, so any
// logged-in employee can supply another employee's id here.
$id = $_GET["id"];

$server = "xxx";
$user = "xxx";
$pass = "xxx";
$database = "xxx";
$connection = mysql_connect($server, $user, $pass);
mysql_select_db($database, $connection);

if (isset($submit)) {
    // Form fields arrive via register_globals and are interpolated into the SQL.
    $sql = "update employees
            set
                first = '$first',
                last = '$last',
                department = '$department',
                title = '$title',
                bio = '$bio',
                extension = '$extension',
                email = '$email',
                bday = '$bday',
                anniversary = '$anniversary',
                homephone = '$homephone',
                cellphone = '$cellphone',
                pager = '$pager',
                password = '$password'
            WHERE id = $id";
    $result = mysql_query($sql, $connection);
}

$sql = "SELECT * FROM employees WHERE id = '$id'";
$result = mysql_query($sql, $connection);
while ($row = mysql_fetch_array($result)) {MY_HTML_EDITING_FORM_HERE}

mysql_close($connection);
?>
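The loophole is that edit.php trusts the `id` in the URL, which the user controls, rather than the identity the session already established at login. The fix is to record the employee's own row id in the session when the password checks out and to have edit.php read and update only that row, ignoring `?id=` entirely. The following is an added example, not the original poster's code: a single `auth.php` that both index.php and edit.php would `require_once`. It assumes PHP 8.1+ with mysqli (for `execute()` with a parameter array), the same `employees` table, and that the `password` column holds `password_hash()` output rather than the plaintext the posted code compares against. Prepared statements are used throughout so that form input never becomes part of the SQL text, which also closes the injection the interpolated queries above allow.

```php
<?php
// Added example, not code from the original post.
// Assumes PHP 8.1+, mysqli, an `employees` table with integer primary key
// `id`, and `password` stored as password_hash() output (an assumption;
// the posted code stores plaintext).
declare(strict_types=1);

session_start();

function db(): mysqli
{
    // Placeholder credentials, as in the original post.
    $conn = new mysqli('localhost', 'xxx', 'xxx', 'cu_editx');
    if ($conn->connect_error) {
        throw new RuntimeException('DB connection failed');
    }
    return $conn;
}

// index.php calls this on submit. On success the employee's own id is
// stored server-side in the session; nothing identifying the row goes
// into the redirect URL.
function login(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT id, password FROM employees WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);               // new session id after login
    $_SESSION['employee_id'] = (int) $row['id'];
    return true;
}

// edit.php calls this first. The only id the page will ever read or
// update is the one the login step put in the session.
function currentEmployeeId(): int
{
    if (!isset($_SESSION['employee_id'])) {
        header('Location: index.php');
        exit;                                  // header() alone does not stop the script
    }
    return (int) $_SESSION['employee_id'];
}

// Update the logged-in employee's own row. $fields comes from $_POST;
// unknown keys are ignored and missing ones become empty strings.
function updateOwnContact(mysqli $conn, int $employeeId, array $fields): bool
{
    $cols = ['first', 'last', 'department', 'title', 'bio', 'extension',
             'email', 'bday', 'anniversary', 'homephone', 'cellphone', 'pager'];
    $set = implode(', ', array_map(fn ($c) => "$c = ?", $cols));
    $params = array_map(fn ($c) => (string) ($fields[$c] ?? ''), $cols);
    $params[] = $employeeId;                   // WHERE id = ? is bound last

    $stmt = $conn->prepare("UPDATE employees SET $set WHERE id = ?");
    $ok = $stmt->execute($params);
    $stmt->close();
    return $ok;
}

// Load the row to pre-fill the form, again keyed only by the session id.
function loadOwnContact(mysqli $conn, int $employeeId): ?array
{
    $stmt = $conn->prepare('SELECT * FROM employees WHERE id = ?');
    $stmt->execute([$employeeId]);
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// ---- what edit.php itself reduces to -------------------------------------
// $id = currentEmployeeId();          // never $_GET['id']
// if (isset($_POST['submit'])) {
//     updateOwnContact(db(), $id, $_POST);
// }
// $row = loadOwnContact(db(), $id);   // then render the form from $row
```

With this in place a tampered `edit.php?id=42` changes nothing, because the page never looks at the query string; the redirect from index.php can simply be `header('Location: edit.php'); exit;`. If some employees legitimately need to edit other people's records, add an explicit role check in edit.php before accepting a target id from the request, rather than reintroducing the URL parameter for everyone.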