how to secure my codes?

ouch_

Hi, I'm having some issues with security as i login i will be redirected to a main page based on querystring filtered to enable session to start. And with that i'm able to login again if i know the querystring. I'm thinking of using cookies now but again it doesnt seem secure if the person knows where to retrieve the file. I need advise.

I'm doing this as an e-commerce proj. Using dreamweaver+php/mysql to do it. Not very good with php codes but learning.

bodzan

...is to read this and then figure out what to do...

ouch_

ok i will read it. thanks. But if i was to deploy a page that has no restriction to access but upon login has certain features enable(E.g shopping cart) How would u suggest i code it? Using querystring or cookies? I was also wonder if there is a code something like:

if( undefined index is not true)
{
redirect to another page
}

And i do realise that i cant use two headers.

bodzan

...check whether certain session info is stored which can be stored only upon login (i.e. md5(username.secretword) as a sesion id) and if it exist I would show those features you need to show...
Something like:

if(isset($_SESSION['user']) && isset($_SESSION['sw'])){
     if($_SESION['sw']!=md5($_SESION['user'].$secretword)){
          header("Location:path/to/whatever.php");
     }
     else{
          //everything is cool
     }
}

But don't take my word for it read... Those guys have checked it all and may have the best advice for you on the matter...

And I don't know what you mean by that 'undefined index' but basically that is the way I figured in my idea...

ouch_

well actually i get this error if i force my querystring. So i was thinking of a way to grab undefined index and redirect it away.

Notice: Undefined index: MM_Username in c:\Inetpub\wwwroot\Ideaz\index.php on line 7

my index.php codes


if((isset($_GET['login'])) && ($_GET['login']=="true"))
{
//initialize the session
session_start();
$stat = $_SESSION['MM_Username'];
}
else
{
$stat = 'Guest';
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session varialbles
  session_unregister('MM_Username');
  session_unregister('MM_UserGroup');

  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }

}

// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['uid'])) {
  $loginUsername=$_POST['uid'];
  $password=$_POST['pwd'];
  $MM_fldUserAuthorization = "level";
  $MM_redirectLoginSuccess = "../index.php?login=true";
  $MM_redirectLoginFailed = "login.php?login=failed";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_a, $a);

  $LoginRS__query=sprintf("SELECT uid, pwd, level FROM usertbl WHERE uid='%s' AND pwd='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

  $LoginRS = mysql_query($LoginRS__query, $a) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {

$loginStrGroup  = mysql_result($LoginRS,0,'level');

//declare two session variables and assign them
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}

So basically a user must go through login.php in order to turn his querystring to login=true and redirect to index.php. If someone knows the querystring he could easily enable a session by keying in the querystring login = true but he doesnt have a session name which will result in this error:

Notice: Undefined index: MM_Username in c:\Inetpub\wwwroot\Ideaz\index.php on line 7