problem with security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


beginner123
Forum Commoner
Posts: 70
Joined: Fri Feb 24, 2012 9:56 am

problem with security

Post by beginner123 »

I am creating a website that sells products and I have just finished adding a log-in function.
So certain pages are only available if you log in, but if you enter the URL of the page you can see it without logging in.
I know I can solve this problem by adding this code:

Code:

<?php
session_start(); // the session must be started before $_SESSION is read, and before any output

if (!isset($_SESSION['signed_in']))
{
	//the user is not signed in
	echo 'Sorry, you have to be <a href="/musicwebsite/signin.php">signed in</a> to view this page.';
}
else
{

//rest of code
}
?>
But my problem is I have mixed PHP with HTML, so adding the above code is a bit difficult because the page still displays any HTML code.
Is there any way to solve this, or will I have to convert all HTML code to PHP?

Here is an example of a page with PHP and HTML:

Code:

<?php session_start(); // must run before any output is sent, since it sets the session cookie ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
<title>Products</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>

<div id="main_container">

	<div id="header">
    <div class="logo">
    <a href="index.php"><img src="images/logo.gif" alt="" title="" border="0" /></a>
    </div>
    
    </div>
    
<?php 

// Hard-coded root credentials with an empty password are shown as posted;
// a real deployment should use a dedicated, least-privileged database user.
@$db = new mysqli( 'localhost', 'root', "", 'k00127082'); 

if (mysqli_connect_errno()) { 
echo 'error connecting to db'; 
exit; 
} 

$query = "SELECT * from products"; 

$result = $db->query($query);

if ($result === false) { 
echo 'error running query'; 
exit; 
} 

$num_results = $result->num_rows; 

//echo 'Number of products found : <strong>' . $num_results . '</strong><br><br>'; 

?>      
<div id="userbar">
                <?php
                include 'userbar.php';
                ?>
           </div>
 	      
            
    <div id="main_content">
    
    	<div class="center_content">
        
            <div id="menu_tab">                                     
                   <ul class="menu">                                                                            
                         <li><a href="index.php" class="nav"> home </a></li>
                         
                         <?php 
						
							if(isset($_SESSION['signed_in']) == true && $_SESSION['userLevel'] == 0)
							{ 
								echo "<a class=\"nav\" href=\"/musicwebsite/about.php\">about us</a> 
								<a class=\"nav_selected\" href=\"/musicwebsite/products.php\">products</a> 
								<a class=\"nav\" href=\"/musicwebsite/contact.php\">contact us</a>"; 
							}
							
							if(isset($_SESSION['signed_in']) == true && $_SESSION['userLevel'] == 1)
							{ 
								echo "<a class=\"nav\" href=\"/musicwebsite/about.php\">about us</a> 
								<a class=\"nav_selected\" href=\"/musicwebsite/products.php\">products</a> 
								<a class=\"nav\" href=\"/musicwebsite/contact.php\">contact us</a>
								<a class=\"nav\" href=\"/musicwebsite/managesite.php\">manage site</a> "; 
							}
						?> 
               
                    </ul>
            </div> 
            
       
            <div class="categories_products">
            		<div class="title">
            		  <p><img src="images/title_products.gif" alt="" title="" />		
            		  
            		  <form action ='search.php' method='post'>
            		    Search for product:<input type ="text" name="term" />
                       price:<select name="secondterm" id="secondterm">
                        <option value="100">1-200</option>
                        <option value="300">200-400</option>
                        <option value="700">500-800</option>
                        <option value="900">800-1000</option>
                        <option value="1000">1000-2000</option>
                        </select>
                        
            		    <input type="submit" name="submit" value="Search" />
          		    </form>
<div class="prod_box">

                        <div class="prod_details">
           
                            <table width="650" border="2">

                                <tr> 
                              <!--  <th>Product Number</th> -->
                                <th>Product Description</th> 
                              <!-- <th>Quantity On Hand</th> -->
                                <th>Price</th> 
                                <th>Image</th>
                                <?php 
                                if(isset($_SESSION['signed_in']) == true && $_SESSION['userLevel'] == 1)
								{ 
										echo "
                                			 <th>UPDATE</th>
                                 			 <th>DELETE</th> ";
								}
								?>							
                                </tr>
                            
                           <?php 
								for ($i=0; $i < $num_results; $i++)
								{ 
									$row = $result->fetch_object(); 

									$propID = (int) $row->id; 
									$product_name = $row->product_name; 
									$product_description = $row->product_description; 
									$quantity_on_hand = $row->quantity_on_hand; 
									$price = $row->price; 
									$image = $row->image; 
									$formattedPrice = number_format($price, 2, '.', ','); 

									// escape database values before placing them in HTML (charset matches the page's <meta>)
									$safeDescription = htmlspecialchars($product_description, ENT_QUOTES, 'Windows-1252'); 
									$safeImage = htmlspecialchars($image, ENT_QUOTES, 'Windows-1252'); 

									echo '<tr>'; 
									echo "<td>$safeDescription</td>"; 
									echo "<td>€$formattedPrice</td>"; 
									echo "<td><a href='datadrilldown.php?propID=$propID'><img src='images/$safeImage'/></a></td>"; 

									if(isset($_SESSION['signed_in']) == true && $_SESSION['userLevel'] == 1)
									{ 
										echo "<td><a href='updateform.php?propID=$propID'>Update Product</a></td>"; 
										echo "<td><a href='deleteform.php?propID=$propID'>Delete Product</a></td>"; 
									}

									echo '</tr>'; // close the row for both admin and non-admin visitors
								} 

								echo '</table>'; 

								//$result->free(); 
								$db->close(); 
							?> 
                            
                                               
                        </div>                    
                    </div> 
        
             <div class="clear"></div>       
            </div>
   
        </div>
           
    </div>
    
    <div id="footer">
        <div class="left_footer"><img src="images/footer_logo.gif" alt="" title="" /></div>
        <div class="right_footer"><a href="http://csscreme.com/freecsstemplates/" title="free css templates"><img src="images/csscreme.gif" alt="free css templates" border="0" /></a></div>
    </div>

</div>
</body>
</html>
Thanks
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: problem with security

Post by Christopher »

There are a couple of ways to handle this. You could wrap the whole page in a big if. Or you could include a header file that does the access check and if not allowed displays the alternate content and exits. You may want to look into the Front Controller pattern as well.
beginner123
Forum Commoner
Posts: 70
Joined: Fri Feb 24, 2012 9:56 am

Re: problem with security

Post by beginner123 »

Already tried the big if, but having the HTML and PHP in the one page is causing the problem. The if statement won't work with HTML code in the middle.
The same thing happens with a header file.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: problem with security

Post by califdon »

beginner123 wrote: Already tried the big if, but having the HTML and PHP in the one page is causing the problem. The if statement won't work with HTML code in the middle.
The same thing happens with a header file.
Yes it will. The php logic works just fine with html, like this:

Code:

<body>
This will always be included in the output.
<?php
if(date("N")==1) {
?>
   Today is Monday!
<?php
}
?>
   Some more html . . .
Try it!
beginner123
Forum Commoner
Posts: 70
Joined: Fri Feb 24, 2012 9:56 am

Re: problem with security

Post by beginner123 »

Yes, I understand that, but it will still display the HTML stuff because I can't include it in the PHP tags.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: problem with security

Post by califdon »

beginner123 wrote: Yes, I understand that, but it will still display the HTML stuff because I can't include it in the PHP tags.
What do you mean, you can't include it within the php tags? Why not? That's a very common way to accomplish such a task.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: problem with security

Post by Christopher »

califdon is correct. You can control what HTML will display with PHP control structures:

Code:

<?php
if ($var) {
?>
<p>This will display if var is true.</p>
<?php
} else {
?>
<p>This will display if var is false.</p>
<?php
}
?>
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: problem with security

Post by Mordred »

An even easier method is to include a file before everything else:

Code:

<?php
// this must be the very first thing in the protected file, before any HTML is output,
// otherwise header() can no longer send the redirect
session_start();
$logged_in = !empty($_SESSION['signed_in']); //do the check
if (!$logged_in) {
  header('Location: http://yoursite.com');
  die(); //this bit is important, otherwise the rest of the code will get executed as well.
}
?>
But as Christopher said, a Front Controller will simplify your life a great deal: among other benefits it will give you a single entry point before which you can make your login checks.
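As an added example (not code from the thread), the following front controller puts together the two suggestions above: the access check happens once, in a single entry point, before any template is included, and the `exit` after `header()` is what stops the protected page from rendering anyway. The file names under `templates/`, the `?page=` parameter and the level numbers are assumptions modelled on the links in the original post (`userLevel` 1 being the "manage site" user); the session keys `signed_in` and `userLevel` and the `/musicwebsite/` path come from the thread.

```php
<?php
// index.php -- minimal front controller (added example; file names and routes are assumptions).
// Every request goes through this file, e.g. /musicwebsite/index.php?page=products.
// The login check runs here, before any template is included and before any output,
// so header() can still redirect and a forgotten check in a template cannot leak a page.
declare(strict_types=1);

session_start();

// Route table: page name => [template file, minimum user level, or null for a public page].
$routes = [
    'home'       => ['templates/home.php',       null],
    'signin'     => ['templates/signin.php',     null],
    'about'      => ['templates/about.php',      0],
    'products'   => ['templates/products.php',   0],
    'contact'    => ['templates/contact.php',    0],
    'managesite' => ['templates/managesite.php', 1],
];

/** Pages the current visitor may open; use this to build the nav menu instead of repeating the ifs. */
function allowed_pages(array $routes, bool $signedIn, int $level): array
{
    $out = [];
    foreach ($routes as $name => [$file, $minLevel]) {
        if ($minLevel === null || ($signedIn && $level >= $minLevel)) {
            $out[] = $name;
        }
    }
    return $out;
}

$page = $_GET['page'] ?? 'home';
if (!isset($routes[$page])) {           // whitelist lookup: never build a file path from user input
    http_response_code(404);
    exit('Not found');
}
[$template, $minLevel] = $routes[$page];

$signedIn = !empty($_SESSION['signed_in']);
$level    = (int) ($_SESSION['userLevel'] ?? -1);   // -1: signed in but no level recorded => denied

if ($minLevel !== null) {
    if (!$signedIn) {
        // $page is a key from $routes, so this value is safe to use for a post-login redirect.
        $_SESSION['return_to'] = 'index.php?page=' . rawurlencode($page);
        header('Location: /musicwebsite/index.php?page=signin', true, 303);
        exit;                           // without this the template below is still included
    }
    if ($level < $minLevel) {
        http_response_code(403);        // signed in but not authorised: deny rather than redirect to signin (avoids a loop)
        exit('Forbidden');
    }
}

$menu = allowed_pages($routes, $signedIn, $level);   // available to the template for its nav links
require __DIR__ . '/' . $template;      // only reached when the check passed
```

The templates themselves then contain only markup and the `<?php if (...) { ?> ... <?php } ?>` blocks shown earlier in the thread; none of them needs its own login check. Two things the sign-in template (not shown, an assumption) has to do for this to hold up: call `session_regenerate_id(true)` before setting `$_SESSION['signed_in']`, so a session id handed to the victim before login cannot be reused, and only ever redirect to the `return_to` value built here from a whitelisted page name rather than to a URL taken from the request.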