1

Is there any way a user can change the vaules of your code in php? Let's assume they have a full source code of my webpage.

// make the connection
$dbhost = 'localhost';
$dbuser = 'user';
$dbpass = 'password';
$db = "db";
$conn = new PDO("mysql:host=$dbhost;dbname=$db", $dbuser, $dbpass);
// set errors
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// get the data
$stmt = $conn->prepare("select username from usernames where " . $number . " = '$session'");
$stmt->execute();
$row = $stmt->fetch();
$username =  $row[0];

if ($username == "superuser") {
// code to view secure information and make changes to people accounts
}

Is there any way they can change their username to the "superuser"?

I am planning on being able to quickly view and edit people's account details for customer service options in the secure code part, so I don't want some random user being able to view and edit other users data.

Thanks

Improve this question
13
  • 5
    Where are $number and $session set? Commented Jul 22, 2015 at 0:53
  • Try viewing source in your browser with e.g. Ctrl-U. Do you see PHP code there? Commented Jul 22, 2015 at 0:53
  • See stackoverflow.com/questions/60174/…. You are open to SQL injections. Commented Jul 22, 2015 at 0:55
  • No their is no PHP code in the browser. The $session is in a cookie, but it is 50 char long so it is not guessable. It is basically like using sessions in php. I am just wondering if their is anyway someone can hack the $username variable Commented Jul 22, 2015 at 0:57
  • 1
    @Sherif - this is a good example ` usernames where " . $number . " = '$session'" ; ` that's insecure, as is ` usernames where " . $number . " = :sesson" ` any use of php $var inside sql should be avoided. Id put this in 1 -- and run it ;-) , then the query is this ` "select username from usernames where 1 --comments" ` Commented Jul 22, 2015 at 1:08

2 Answers 2

Reset to default
9

Id really suggest fixing your sql, just using PDO does not guarantee security, any use of php variables in the body of the sql should be avoided

"select username from usernames where " . $number . " = '$session'"

This is not secure either

 "select username from usernames where " . $number . " = :session"

What happens if $number becomes username = 'superuser' -- 

 "select username from usernames where username='superuser' -- = :session"

Anything after the -- is a comment in sql much like // in php. And suddenly I am a supperuser. Yea me, it can and does happen that easily.

This is the correct way,

 "select username from usernames where session_id = :session"

Not sure what $number is, the point is no php variable interpolation in the sql body. I hate to rail on ( no secretly I love it ) but it's essential to use PDO properly. I see code with the order by 'ASC' 'DESC' posted from a webpage and injected with no thought into PDO, and it's no more secure then MySQL old style, less even because they thought it was secure.

for example 

"select username from usernames where username=1 order by $order"

Think what happens if order is this

"Desc; Drop table usernames;"

You could filter the data with like an if then for example

if( strtoupper($_POST['order']) ==  'DESC' ){
      $order = 'DESC';
}else{
      $order = 'ASC';
}

But you have to be Extremely careful whenever you use a php variable in any form of sql. And it's generally best avoided. You'll notice in the above the user data never gets put in the sql, it is used only when evaluating the if condition.

Ok as for the actual problem at hand, I would separate the admin section completely, separate user table, separate session data, separate everything. There are a few reasons here, Most importantly is that you don't have to worry about admin functionality leaking over to a normal user account. It would be easier to be logged in as both an admin and a user if the login sessions are stored separately. You could make an admin link login as ( user ) for example without knowing their password. You can log admin actions without getting it polluted with user's data. You could have various levels of admin users, again with no worry that a normal user will gain access to this ability because they are separate. It's a big job to do it right.

or can I legitly build the superuser account so I can access the data from a account inside of my website

This doesn't mean to store their credit card numbers and then peek at them, but it's your site ( you can make it however you want ), so that is implied, there are limits of course, like someone comes over to your house you cant rob them or sell their personal information without them knowing etc.... They have a certain expectation of security, a certain expectation on how you handle purchase and billing information for example. But if it's for support or legitimate business reasons, that's just good customer support to see what they do ( with log in as type ability ). Now logging in as them and running their bill up is generally going to be frowned on, but you get the idea.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

One liner in php is actually // not.. `\\` .
@Spooky - so it is. I blame dyslexia on that one,
thanks @ArtisiticPhoenix so if I fix the mysql code their should be no way for someone to modify the $username. also what is your take on the whole customer support thing anyways, for now it is just going to be me, so is it more secure for me to just go through the .sql in the server, or can I legitly build the superuser account so I can access the data from a account inside of my website?
I would make a entirely separate admin system. Then you keep the seperation of the user and admin system. You may want levels of administration, and logging of what admin does what. Depending on your coding ability and/or how much money you have there are professional products that do that exact thing.
yes of course everything would be hashed for the sensitive stuff. Thanks for your help.Yes I think the separate functions would be better as well.
|
1

you could use filter_values() before passing the data to SQL statement.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.