Since I'm not a PHP programmer I have to ask you: I have the challenge of investigating some source code which is currently under attack. It's a local news site with a custom CMS inside. It's PHP/MySQL under a shared Linux hosting environment.
The admin is registered on entering credentials in the login form, and those credentials are checked in the DB like this:
<?php
session_start();
include 'db.php';
$connection = mysql_connect($dbHost, $dbUser, $dbPass) or die(mysql_error());
mysql_select_db($dbName, $connection) or die(mysql_error());

// $user_name and $password are not assigned anywhere in this file
$queryString = "SELECT * FROM `Admins` WHERE `username` = '$user_name' AND password='$password'";
// escapes the already-built query text; $safeSelect is never used below
$safeSelect = mysql_real_escape_string($queryString);
// the query that actually runs is rebuilt from the raw values
$query = "SELECT * FROM `Admins`
          WHERE `username` = '$user_name' AND password='$password'";
$result = mysql_query($query, $connection) or die('error making query');
$affected_rows = mysql_num_rows($result);
if ($affected_rows == 1) {
    // add the user to our session variables
    $_SESSION['username'] = $user_name;
    header("Location: http://www.mysite.com/admin/index.php");
    exit;
    //print 'allowed';
} else {
    print 'access is not allowed !!!';
}
?>
Auth.php
<?php
session_start();
include 'db.php';
// the only check: a non-empty username in the session
if (empty($_SESSION['username'])) {
    die('to access these page you have to be registered user.
        <a href="/admin/login.php">log in</a>');
}
?>
This session variable is used across the whole administration area to recognize the registered user. The admin user edits and creates new content like this (edit.php):
<?php
session_start();
include '/admin/db.php';
include '/admin/auth.php';
ini_set("display_errors", 1);
error_reporting(E_ALL);
$dbcnx = mysql_connect('localhost', $dbUser, $dbPass);
mysql_select_db($dbName);

if (isset($_POST['submit'])):
    // content will be updated with these
    $id = $_POST['id'];           // not checked with is_numeric() here, unlike the GET branch
    $cats = $_POST['cats'];       // read but never used
    $newstext = $_POST['newstext'];
    // $aid and $imgID are never assigned in this branch
    $sql = "UPDATE `News` SET
                `NewsText`='$newstext',
                `AID`='$aid',
                `imgID`='$imgID'
            WHERE `ID`='$id'";
    if (mysql_query($sql)) {
        echo('<p><b>content is succ. updated</b></p>');
    } else {
        die('<p>Error occured when updating content: ' .
            mysql_error() . '</p>');
    }
else: // Allow user to edit content using ID=$id
    /* $aid = $_GET['aid']; */
    if (isset($_GET['id'])) {
        if (is_numeric($_GET['id']) == FALSE) {
            echo "<h1>Page is not found</h1>";
            session_destroy();
            return;
        }
        $id = $_GET['id'];
    }
    // if no id was given, $id is undefined and the WHERE clause becomes ID=''
    $row = @mysql_query("SELECT `NewsText`, `Title`, `AID`, `imgID` FROM `News` WHERE `ID`='$id'");
    if (!$row) {
        die('<p>Db error: ' .
            mysql_error() . '</p>');
    }
    $row = mysql_fetch_array($row);
    $newstext = $row['NewsText'];
    $text = $row['Title'];
    $authid = $row['AID'];
    $imgID = $row['imgID'];
    $newstext = htmlspecialchars($newstext);
    // omitting html form
endif;
?>
Basically I want to ask: is there some security issue here?
Found a solution here: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
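As an added example (not the site's code and not taken from the linked tutorial), here is what the two string-built queries above look like when rewritten with PDO prepared statements, plus a one-line illustration of what the original login query turns into when the password field contains a single quote. It assumes that db.php still defines $dbHost, $dbName, $dbUser and $dbPass, that `Admins` has `username` and `password` columns, that `password` stores a password_hash() value rather than plaintext, and that the edit form posts `id`, `aid`, `imgID` and `newstext` (the field names `aid` and `imgID` are assumptions; the original only shows `id`, `cats` and `newstext`). The function names (`connect`, `createAdmin`, `login`, `updateNews`, `intField`) are mine.

```php
<?php
// Added example, not the site's code. Assumed: db.php defines $dbHost/$dbName/
// $dbUser/$dbPass, `Admins` has `username` and `password` columns, and
// `password` holds a password_hash() value rather than plaintext.

// What the original string-built login query becomes when the password field
// contains a single quote. With the payload below the WHERE clause is true for
// every row of `Admins`, so a table with a single admin passes the "== 1" check.
function vulnerableLoginSql(string $user, string $pass): string
{
    return "SELECT * FROM `Admins` WHERE `username` = '$user' AND password='$pass'";
}
// vulnerableLoginSql('admin', "' OR '1'='1") gives
// SELECT * FROM `Admins` WHERE `username` = 'admin' AND password='' OR '1'='1'

function connect(string $host, string $name, string $user, string $pass): PDO
{
    return new PDO("mysql:host=$host;dbname=$name;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]);
}

// Run once per admin so the database never stores the plain password.
function createAdmin(PDO $pdo, string $username, string $plain): void
{
    $stmt = $pdo->prepare('INSERT INTO `Admins` (`username`, `password`) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($plain, PASSWORD_DEFAULT)]);
}

// login.php replacement (caller has done session_start()): the form values are
// bound parameters, so they never become part of the SQL text, and the password
// is checked in PHP against the stored hash instead of being compared by MySQL.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `password` FROM `Admins` WHERE `username` = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id once the user is privileged
    $_SESSION['username'] = $username;
    return true;
}

// edit.php replacement: every value is bound, and the id is an int on the save
// (POST) path too; the original only checked it with is_numeric() on GET.
function updateNews(PDO $pdo, int $id, string $newstext, int $aid, int $imgID): int
{
    $stmt = $pdo->prepare(
        'UPDATE `News` SET `NewsText` = :text, `AID` = :aid, `imgID` = :img WHERE `ID` = :id'
    );
    $stmt->bindValue(':text', $newstext, PDO::PARAM_STR);
    $stmt->bindValue(':aid',  $aid,      PDO::PARAM_INT);
    $stmt->bindValue(':img',  $imgID,    PDO::PARAM_INT);
    $stmt->bindValue(':id',   $id,       PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();           // 0 means no row matched or nothing changed
}

// Reads an integer request field; null if it is missing or not an integer
// (FILTER_VALIDATE_INT rejects "1e3", " 12" and "1.0", which is_numeric() accepts).
function intField(array $src, string $key): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Save path of edit.php (form field names are assumed, see above).
include 'db.php';
include 'auth.php';                     // the question's session check; it calls session_start()
$pdo = connect($dbHost, $dbName, $dbUser, $dbPass);

if (isset($_POST['submit'])) {
    $id    = intField($_POST, 'id');
    $aid   = intField($_POST, 'aid');
    $imgID = intField($_POST, 'imgID');
    if ($id === null || $aid === null || $imgID === null) {
        http_response_code(400);
        exit('invalid id, aid or imgID');
    }
    $n = updateNews($pdo, $id, (string) ($_POST['newstext'] ?? ''), $aid, $imgID);
    echo $n === 1 ? '<p><b>content updated</b></p>' : '<p>nothing updated</p>';
}
```

Two points worth noting when applying this: existing admins whose `password` column still holds plaintext will fail password_verify(), so each account has to be recreated (or rehashed) with createAdmin() first; and the GET branch of edit.php should run its `id` through intField() in the same way, so a missing id is rejected instead of turning into `WHERE ID=''`.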