Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I believe I'm having sessioncheck issues. I'm not really a PHP person, or a database person, so I can't be sure. We had a website built for us and got screwed, so I am left to figure things out on my own. I'm now down to 2 issues, one being this sessioncheck thing. When I go to log in to our admin area the login screen comes up and I enter the username and password. Then it says "You are not AUTHORIZED to view this page." I did a code search in all the PHP files and found that phrase in the sessioncheck.php file. This is what my code looks like.
<?php
session_start();
ob_start();
if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
{
echo "You are not AUTHORIZED to view this page.";
//Header("Location:index.php");
exit;
}
/*
include_once('../business/clsmaintenance.php');
$Maintenance = new Maintenance();
if($Maintenance->CheckSchedule())
{
$Maintenance->DoMaintenance();
}
*/
if(!(session_is_registered($_SESSION["sesadmin"])))
{
Header("Location:index.php");
exit;
}
?>
If anyone can help me that would help a lot because I'm pretty lost. I know what the session check is supposed to do, I just don't know how to fix the problem. Thanks in advance for any help or knowledge passed my way.
Jcart wrote:Did you switch domains or transfer this code from a development server to live server?
No but we did switch from one live server to another live server, which I'm pretty sure is the problem. I actually have the site running on one server perfectly fine, but on the server I switched it to it doesn't work. I thought maybe it had something to do with the string of numbers on line 4 'd8c068d81fd577ee1ed71222f87c4953' but I'm not sure.
As for the rest of the responses I thank you, but like I said I don't know php so I'm pretty lost to all of what was said.
For you I am explaining again: this expects that the address of the server, when hashed using the md5 algorithm, should yield 'd8c068d81fd577ee1ed71222f87c4953', which won't happen since you have changed server.
What you have to do now is run a separate file, find md5("your_new_server_address") and take that value as
$val_md5...
$val_md5 = md5($_SERVER['SERVER_ADDR']); // note down this value, then go to the original file and replace the if statement like...
if(strtolower(md5($_SERVER['SERVER_ADDR'])) != $val_md5) // $val_md5 is the value I asked you to note down
It's pretty obvious the author of that code didn't want it to work on a different domain.
Simply removing the if block would make the problem go away.
timvw wrote:It's pretty obvious the author of that code didn't want it to work on a different domain.
Simply removing the if block would make the problem go away.
Is that going to mess anything else up on the site? Like normal users (not admin users) and/or the shopping cart?
Actually, I just did a search in the source code for all my PHP files and md5 is attached to a ton of files, so I know I need to find the md5 for my server somehow. Any ideas?
Thanks for all the help.
md5, as said, is a hashing algorithm used to hash passwords and other data.
What you have to do is use the built-in PHP function md5(), run it with your server name as input and substitute that value in the if statement.
raghavan20 wrote:use the inbuilt function of PHP, md5() and run this function with your server name as input and substitute this value in the if statement.
I know you must think I'm a retard, but could you explain how to go about doing that? I've been trying to research it on the PHP website but I'm not really finding anything I understand.
That will give you the md5 value you need to replace.
raghavan20 - as the manual says, session_is_registered() is not to be used if you are using the $_SESSION superglobal; use isset($_SESSION['var']) instead.
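To tie the two pieces of advice in this thread together, here is a rewritten sessioncheck.php. It is an added example, not the original file or anything posted by the thread's participants. It replaces session_is_registered() (deprecated in PHP 5.3 and removed in 5.4, so the original file would fail outright on a current PHP) with the isset() test recommended above, and it moves the hard-coded hash into one constant so that a server move means editing one line rather than hunting through every file that contains md5. The constant names EXPECTED_HOST_HASH and ENFORCE_HOST_LOCK, the helper function names and the use of hash_equals() are my choices and assume PHP 7 or later; the hash value is the one from the thread.

```php
<?php
// sessioncheck.php (example rewrite; not the thread's original file)
session_start();
ob_start();

// The original file compared md5($_SERVER['SERVER_ADDR']) with a hard-coded hash.
// That ties the code to one server IP: it is a host lock, not an authorization
// check, since the server's address is not a secret. Keep it only if you want the
// lock, and keep the expected value in one place.
//
// To get the value for a new server, put this one line in a temporary .php file,
// open it in the browser, copy the output, then delete the file:
//   <?php echo md5($_SERVER['SERVER_ADDR']);
define('EXPECTED_HOST_HASH', 'd8c068d81fd577ee1ed71222f87c4953'); // replace after a server move
define('ENFORCE_HOST_LOCK', true); // set to false to switch the lock off instead of deleting code

// Returns true when the lock is disabled or the current server matches the stored hash.
function host_lock_ok(): bool
{
    if (!ENFORCE_HOST_LOCK) {
        return true;
    }
    // SERVER_ADDR is only set when PHP runs under a web server; default to '' elsewhere.
    $actual = strtolower(md5($_SERVER['SERVER_ADDR'] ?? ''));
    // hash_equals() is a constant-time string comparison; use it for any hash check.
    return hash_equals(EXPECTED_HOST_HASH, $actual);
}

// Returns true only when the login code has stored a non-empty admin marker in the session.
function admin_logged_in(): bool
{
    // session_is_registered() expected a variable *name*, not a session value,
    // so the original call was wrong even on PHP versions that still had it.
    return isset($_SESSION['sesadmin']) && $_SESSION['sesadmin'] !== '';
}

if (!host_lock_ok()) {
    echo "You are not AUTHORIZED to view this page.";
    exit;
}

if (!admin_logged_in()) {
    header('Location: index.php');
    exit;
}
```

Include this file at the top of every admin page exactly as the original was included. If you decide the host lock is not wanted, set ENFORCE_HOST_LOCK to false rather than deleting the block, so the decision is visible in one place; the session check underneath is the part that actually protects the admin area and must stay.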
You are my GODs, thank you all for your help! It worked! I'm SOOOOO grateful. Now if only I could fix the one last problem I am having with my damn directories. If anyone is willing to help me with that problem I can explain it.
/*
if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
{
echo "You are not AUTHORIZED to view this page.";
//Header("Location:index.php");
exit;
}
*/
You might even consider deleting those lines completely.