[RESOLVED] members area

rutin

I am building members area for my site.
i have a problem which i cant solve, so here i am.

when user is logged in, in user panel i have an option to change password other personal info.

the problem is: once user is registered, hre can chnage his data as well as data of other users !!!

Is there any way that i could prevent this ?
how to protect data of other users ?

code for login script:


<?php include("theader.php"); ?>
<?php
$timeoutseconds = 1000; // length of gaps in the count

//get the time
$timestamp = time(); 
$timeout = $timestamp-$timeoutseconds; 



  $sql = "select * from users where login = '$login' and password = '$password'"; 
  $result = mysql_query($sql ,$db); 

  if ($myrow = mysql_fetch_array($result)) { 


     do { 

        $uid = $myrow["userid"]; 
        $uname = $myrow["login"]; 

     } while ($myrow = mysql_fetch_array($result)); 

     $loggedin = true; 
     $upwd = $password; 
     $msg = "Welcome $uname, logged in.  <a href=index.php>Click here</a> for return to main page."; 

//$query2 = "update users set  logged_in='Y'  where userid = $uid and password = '$upwd'"; 


$query2 = "update users set timestamp='$timestamp',logged_in='Y' where userid = $uid and password = '$upwd'"; 
$mysqlresult2 = mysql_query($query2); 



  } else { 
     $loggedin = false; 
     $upwd = ""; 
     $uid = ""; 
     $uname = ""; 
     $msg = "Error, user name and password arent correct. "; 


  } 

session_register("loggedin"); 
session_register("upwd"); 
session_register("uid"); 
session_register("uname");


?>

now my code to update users data is like this.

<?php include("theader.php"); ?>


<?php

if (isset($_POST['submit'])){

   $error = false;
   $errormessage = "";

   if (strlen($email) < 1) {
      $error = true;
      $errormessage .= "<li><b>Error.  No email.</b><br>\n";
   }

   if (strlen($login) < 1) {
      $error = true;
      $errormessage .= "<li><b>Error.  No login.</b><br>\n";
   }



   if (strlen($password) < 1) {
      $error = true;
      $errormessage .= "<li><b>Error.  No password.</b><br>\n";
   }

if ($error) {
      $errormessage .= "<br>Please fix this<br>\n";
      $msg = $errormessage;
   } else {


$query2 = "update users set email='$_POST[email]',login='$_POST[login]', password='$_POST[password]' where userid='$_GET[id]'";
$mysqlresult2 = mysql_query($query2);
   $loggedin = false;
   $upwd = "";
   $uid = "";
   $uname = "";
   $msg = "Data saved. To be logged in, enter new data\n";
  }
 }       

?>

<TD align="left" valign="top" >
  <table border="0" cellpadding="0" cellspacing="0" width="447">

    <tr>

      <td background="text/text_r2_c1.gif">&nbsp;</td>
      <td><span class="style1">
        <?
if (logincheck($uid, $upwd)) {    



// i think this is the line that is wrong, need to check user agains this 

$query = "Select * from  users where userid='$_GET[id]'";



$mysqlresult = mysql_query($query);
echo mysql_error();
echo "<span class=\"style1\">User settings</span>\n";
 while($row = mysql_fetch_array($mysqlresult)){

echo "<form action=update.php?id=$uid method=post > \n";
echo "<table border=0>\n";
echo "<tr><td><span class=\"style5\">Your email</span></td>\n";
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='email' type='text'  size='80'  value='$row[email]' /></td></tr>\n";
echo "<tr><td><span class=\"style5\">login</span></td>\n";
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='login' type='text'  size='80'  value='$row[login]' /></td></tr>\n";
echo "<tr><td><span class=\"style5\">password</span></td>\n";
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='password' type='text'  size='80'  value='$row[password]' /></td></tr>\n";
echo "<tr><td colspan=2><input style=\"font-size: 9px; height: 19px\" type='submit' name='submit' value='Submit changes'></td></tr>\n";
echo "</table>\n";

}



} else {

  printf("<font size=2 face='Arial, Helvetica, sans-serif'><br>You will need to login</font>");

   }

?>

Can any1 help ?
Thanks

mrhappiness

don't pass the user's id via GET but store it inside $_SESSION

you use sessions, don't you?

BIOSTALL

Hi, i have just made a forum that enables the user to edit there own details. What i did was store their username in a session variable and when the user clicks the link, pass the username of whose details they are in the URL and then do something like:

$current_user = $SESSION['username'];
$viewing_user = $GET['userdetails'];

if ($current_user == $viewing_user) {
// Allow user to edit details
}else{
header("location: NotAllowed.php");
exit();
}

Something like that if that makes sense, lol

BIOSTALL

LoganK

What I usually do is store some unique info in the session, like a full name or e-mail. Then in the useredit.php I pass the ID through $_GET, and then run a SQL query to determine whether or not the ID and unique info match up. If so, then it's valid, otherwise, I put a message. That way, it ensures that users only edit themselves, plus those who try to be sneaky and change the ID get a warning message from me, and their account gets flagged!!! lol!!1!!one

laserlight

That way, it ensures that users only edit themselves, plus those who try to be sneaky and change the ID get a warning message from me, and their account gets flagged

There may be a security weakness in your choice of identification tokens - a user id is likely to be readily available to other users, and users may know say, the email address of a user with administrative privileges.

EDIT:
Just so the OP doesnt get confused: this doesnt apply to you if you're using sessions properly - the session id acts as an identification token in its own right, and unlike a user id + email address, this is less likely to be known to others (unless your users pass around links that contain their own session id, but this can be avoided by using session cookies).

LoganK

Sorry, the "lol!!1!!one" was supposed to signify that the entire paragraph was a joke. It was a bad attempt.

I use a more secure method, which I won't say because people will then hack it! What's "the OP"?

laserlight

I use a more secure method, which I won't say because people will then hack it!

Which probably means that it isnt much more secure since it depends on the secrecy of the method.

What's "the OP"?

Original Poster.

LoganK

laserlight wrote:
Which probably means that it isnt much more secure since it depends on the secrecy of the method.

I don't use security through obscurity - i.e., an unknown security type. I use one of the more common authentication methods, but since I don't divulge which one, people have a harder time figuring out what exploit to use against it. So it's a common method, but not advertised. Kind of a cross - so it is secure. I haven't had any break-ins to date! 😃

laserlight wrote:
Original Poster.

Allright, thanks for clearing that up!

rutin

Thank you guy for your help.
I have learned a lot from this post.

this how is have it know:

<?php 

if (isset($_POST['submit'])){ 

   $error = false; 
   $errormessage = ""; 

   if (strlen($email) < 1) { 
      $error = true; 
      $errormessage .= "<li><b>Error.  No email.</b><br>\n"; 
   } 

   if (strlen($login) < 1) { 
      $error = true; 
      $errormessage .= "<li><b>Error.  No login.</b><br>\n"; 
   } 



   if (strlen($password) < 1) { 
      $error = true; 
      $errormessage .= "<li><b>Error.  No password.</b><br>\n"; 
   } 

if ($error) { 
      $errormessage .= "<br>Please fix this<br>\n"; 
      $msg = $errormessage; 
   } else { 


$query2 = "update users set email='$_POST[email]',login='$_POST[login]', password='$_POST[password]' where userid='$_GET[id]'"; 
$mysqlresult2 = mysql_query($query2); 
   $loggedin = false; 
   $upwd = ""; 
   $uid = ""; 
   $uname = ""; 
   $msg = "Data saved. To be logged in, enter new data\n"; 
  } 
 }        

?> 

<TD align="left" valign="top" > 
  <table border="0" cellpadding="0" cellspacing="0" width="447"> 

    <tr> 

      <td background="text/text_r2_c1.gif">&nbsp;</td> 
      <td><span class="style1"> 
        <? 
if (logincheck($uid, $upwd)) {     

$current_user = $_SESSION['uid']; 
$viewing_user = $_GET['id']; 

if ($current_user == $viewing_user) { 
// Allow user to edit details 


// i think this is the line that is wrong, need to check user agains this 

$query = "Select * from  users where userid='$_GET[id]'"; 



$mysqlresult = mysql_query($query); 
echo mysql_error(); 
echo "<span class=\"style1\">User settings</span>\n"; 
 while($row = mysql_fetch_array($mysqlresult)){ 

echo "<form action=update.php?id=$uid method=post > \n"; 
echo "<table border=0>\n"; 
echo "<tr><td><span class=\"style5\">Your email</span></td>\n"; 
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='email' type='text'  size='80'  value='$row[email]' /></td></tr>\n"; 
echo "<tr><td><span class=\"style5\">login</span></td>\n"; 
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='login' type='text'  size='80'  value='$row[login]' /></td></tr>\n"; 
echo "<tr><td><span class=\"style5\">password</span></td>\n"; 
echo "<td><input style=\"font-size: 10px; height: 16px\" size=\"60\" name='password' type='text'  size='80'  value='$row[password]' /></td></tr>\n"; 
echo "<tr><td colspan=2><input style=\"font-size: 9px; height: 19px\" type='submit' name='submit' value='Submit changes'></td></tr>\n"; 
echo "</table>\n"; 

} 



} else { 

  printf("<font size=2 face='Arial, Helvetica, sans-serif'><br>You will need to login</font>"); 

   } 



}else{ 
header("location: index.php"); 
exit(); 
} 


?>

If i click in user panel to edit my data, its all there.
If i try to access data of other user, i get the message, You will need to login.
Close down browser and try to access id, i am redirected to index.php.

I am using session. Its registered in this way:

session_register("loggedin");  

    session_register("upwd");  

    session_register("uid");  

    session_register("uname");

Can this be considered solved ?
Thanks

LoganK

To the best of my knowledge, session_register is depracated.

Just assign the variables directly - $_SESSION['username'] = $user; etc.

rutin

thanks

LoganK

You're welcome. Glad it could be resolved!