Script executing functions that shouldn't be

Post by Chalks »

ok. I'm stumped again. I'm trying to create a "change my password" script. I want to force the user to have a password 6 characters long or greater, and they must put in the new password twice... and it has to match. However, if I turn off javascript, the user can change their password to something less than 6 characters long, and their two inputs don't have to match. Here's my validation script:

Code: Select all

<?php
if(session_id() == "")
  session_start();

require_once 'Sha256.class.php';
require_once 'StringInput.class.php';
error_reporting(E_ALL);

if(!isset($_SESSION['user']))
  header('Location: admin.php?log=out&res=1');
if(!isset($_POST['oldpass']))
  header('Location: admin.php');



if($_POST['tester']=="gargoyled")  //js was on and passed
  process($_POST['oldpass'], $_POST['newpass']);
elseif($_POST['tester']=="failed")  //js was on and failed
  header('Location: 1_adminedit.php?res=11');
elseif($_POST['tester']=="notnull")  //js was off
{
  echo "<br />should get here first";  //these echos are telling me what happens.
  preprocess($_POST['oldpass'], $_POST['newpass'], $_POST['newpass2']);
  echo "<br />hmm, why did I get here?";  //these echos are telling me what happens.
}

function preprocess($p1, $p2, $p3)
{
  if(strlen($p1)<6 || strlen($p2)<6 || $p2!=$p3)
  {
    echo "<br />should get here second";  //these echos are telling me what happens.
    badpass();
  }
  echo "<br />Why did I get into preprocess?";  //these echos are telling me what happens.

  $p1 = $p1 . $_SESSION['user'] . "56v2jxa9er73qse";
  $p1 = sha256($p1);

  $p2 = $p2 . $_SESSION['user'] . "56v2jxa9er73qse";
  $p2 = sha256($p2);

  $p3 = $p2;

  process($p1, $p2);
}
function sha256($p)
{
  $feyd = new Sha256v2();
  $p = $feyd->hash(new StringInput($p));
  return $p;
}

function process($p1, $p2)
{
  echo "<br />WHY did I get into process?";  //these echos are telling me what happens.
  $db=mysql_connect ("localhost", "barb_admin", "whoopsForgotToEditThisOut") or die(mysql_error());
  mysql_select_db ("barb_administration");

  $user = strtolower($_SESSION['user']);
  $p1 = mysql_real_escape_string($p1);
  $p2 = mysql_real_escape_string($p2);

//make sure user exists
  $sql = "SELECT * FROM auther WHERE name = '" . $user . "'";
  $data = mysql_fetch_array(mysql_query($sql));

  if(isset($data['password']) && $data['password']==$p1)
  {
    $sql = "UPDATE auther SET password='" . $p2 . "' WHERE name='" . $user . "'";
    mysql_query($sql) or die(mysql_error());
    mysql_close($db);
    header('Location: 1_adminedit.php?res=12');
  }
  else
  {
    badpass();
  }
  mysql_close($db);  //important
}

function badpass()
{
  echo "<br />Should get here last, and shouldn't get anywhere else";  //these echos are telling me what happens.
  header('Location: 1_adminedit.php?res=11');
}

?>
Obviously, since I put echos in, the header commands won't work. Here's the result when I run the script with the following values:
oldpass: myoldpass
newpass: lkj
newpass2: abc

password is changed to the hash of lkj (plus my salt).

here's what the screen shows:

Code: Select all

should get here first
should get here second
Should get here last, and shouldn't get anywhere else
Warning: Cannot modify header information - headers already sent by (output started at /home/barb/public_html/newdesign/1_cyp.php:22) in /home/barb/public_html/newdesign/1_cyp.php on line 84

Why did I get into preprocess?
WHY did I get into process?
Warning: Cannot modify header information - headers already sent by (output started at /home/barb/public_html/newdesign/1_cyp.php:22) in /home/barb/public_html/newdesign/1_cyp.php on line 72

Warning: mysql_close(): 7 is not a valid MySQL-Link resource in /home/barb/public_html/newdesign/1_cyp.php on line 78

hmm, why did I get here?
I think I understand why I got to the echo that says "hmm, why did I get here?", but I DON'T understand why I got into my preprocess() function, and my process() function. Could someone shed some light on this? Keep in mind, this only happens when I turn OFF javascript.
Thanks
Last edited by Chalks on Tue Nov 20, 2007 7:09 pm, edited 1 time in total.

Post by Chalks »

unstumped. I guess. If I put "exit;" after every header statement, the script works perfectly. However, I feel like I shouldn't be using "exit;" that often, and/or at all.

Any advice?

Post by John Cartwright »

Chalks wrote: unstumped. I guess. If I put "exit;" after every header statement, the script works perfectly. However, I feel like I shouldn't be using "exit;" that often, and/or at all.

Any advice?
Typically, you should always exit() after a header('location: ..') .. unless you want to execute the rest of the script (probably not ;))
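
The control flow behind this advice, as an added example that is not part of the original thread: `header()` only queues a response header, so a failed check must also stop execution. The function names and the `$trace` array (standing in for `header()` and the `UPDATE` query) are hypothetical, and the input is constructed from the values in the question.

```php
<?php
// Added example. $trace records side effects instead of performing them.
const MIN_LEN = 6;

// Flawed flow, as in the question: the failure branch only queues a
// redirect, so control falls through to the update.
function changeFlawed(array $post, array &$trace): void
{
    if (strlen($post['newpass']) < MIN_LEN || $post['newpass'] !== $post['newpass2']) {
        $trace[] = 'redirect res=11';   // header('Location: ...') with no exit
    }
    $trace[] = 'UPDATE password';       // still reached
}

// Server-side rules, enforced whether or not the JavaScript check ran.
function passwordErrors(array $post): array
{
    $errors = [];
    $new = (string)($post['newpass'] ?? '');
    if (strlen($new) < MIN_LEN) {
        $errors[] = 'too short';
    }
    if ($new !== (string)($post['newpass2'] ?? '')) {
        $errors[] = 'mismatch';
    }
    return $errors;
}

// Corrected flow: leave the function on failure so nothing after it runs.
function changeFixed(array $post, array &$trace): void
{
    if (passwordErrors($post) !== []) {
        $trace[] = 'redirect res=11';
        return;                         // in a page script: redirect(...)
    }
    $trace[] = 'UPDATE password';
    $trace[] = 'redirect res=12';
}

// In a page script, a redirect helper that always terminates the request.
function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// Constructed input: short new password, confirmation does not match.
$post = ['oldpass' => 'myoldpass', 'newpass' => 'lkj', 'newpass2' => 'abc'];
$a = []; changeFlawed($post, $a);
$b = []; changeFixed($post, $b);
echo implode(' -> ', $a), PHP_EOL, implode(' -> ', $b), PHP_EOL;
```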

Post by Mordred »

It's buggy for old passes that have quotes in them, and there might be an SQL injection. Let's see your login script.

Post by Chalks »

Mordred wrote: It's buggy for old passes that have quotes in them, and there might be an SQL injection, let's see your login script.
Here ya go:

Code: Select all

<?php
/*
* validate.php
*  Called by admin.php, when login form is submitted (see below)
*/
if(session_id() == "")
  session_start();

require_once 'Sha256.class.php';
require_once 'StringInput.class.php';
error_reporting(E_ALL);

if(isset($_POST['pass']) && isset($_POST['user']) && $_POST['pass']!="" && $_POST['user']!="")  //if js on
  processing($_POST['user'], $_POST['pass']);
elseif(isset($_POST['password']) && isset($_POST['user']))  //if js off
  preProcessing($_POST['user'], $_POST['password']);
else
{
  header('Location: admin.php?res=12');
  exit;
}

function preProcessing($user, $pass)
{
  $matches[0] = null;
  preg_match_all("/[^a-z0-9]/i", $user, $matches, PREG_PATTERN_ORDER);
  if($matches[0]!=null || strlen($user)<6 || strlen($pass)<6 || strlen($user)>30)
    baduser();
  else
  {
    $user = strtolower($user);
    $pass = $pass . $user . "56v2jxa9er73qse";
    $pass = sha256($pass);
    processing($user, $pass);
  }
}
function sha256($p)
{
  $feyd = new Sha256v2();
  $p = $feyd->hash(new StringInput($p));
  return $p;
}

function processing($user, $pass)
{
  $db=mysql_connect ("localhost", "barb_admin", "whoopsForgotToEditThisOut") or die(mysql_error());
  mysql_select_db ("barb_administration");

  $user = strtolower($user);
  $user = mysql_real_escape_string($user);
  $pass = mysql_real_escape_string($pass);

//make sure user exists
  $sql = "SELECT * FROM auther WHERE name = '" . $user . "'";
  $data = mysql_fetch_array(mysql_query($sql));
  mysql_close($db);  //important

  if(isset($data['password']) && $data['password']==$pass)
  {
    $perms = $data['permissions'];
    gooduser($user, $perms);
  }
  else
    baduser();
}

function baduser()
{
  if(!isset($_SESSION['attempts']))
    $_SESSION['attempts'] = 1;
  else
    $_SESSION['attempts']++;

  header('Location: admin.php?res=11');
  exit;
}

function gooduser($user, $perms)
{
  $_SESSION['user'] = $user;
  $_SESSION['perms'] = $perms;
  header('Location: admin.php?res=13');
  exit;
}
?>
Admin.php:

Code: Select all

<?php
if(!isset($_SESSION['user']))  //if not logged in
{
?>
<noscript><p>WARNING:  You do not have javascript enabled.  This will create a security risk if you log in using the form below.</p></noscript>
<p>Welcome to the administration panel for Family Music Studio.<br /><br /><br />
<form action="validate.php" method="post" name="login">
Username:<br />
<input type="text" name="user" /><br />
<br />Password:<br />
<input type="password" name="password" /><br />
<input type="hidden" name="pass" value="" /><br />
<input value="Login" type="submit" onclick="loginj(this.form, this.form.password.value, this.form.user.value)" />
</form>
</p>
<?php
  if(isset($_SESSION['attempts']) && $_SESSION['attempts']>3)
    echo "I need to tell you that you've gotten the thing wrong 4 times now.<br />";  //will eventually ban ips for X minutes
}
?>

My test to see if javascript is enabled may not be the most efficient, but it works. I've tested it rigorously.