PHP
UniCoom, 2020-01-20 18:47:34

Hacked, how to protect the site?

Hello! The site has a function with which the admin panel is protected. (Redirecting the user if the rights are less than required)

function rights($rights){
    global $http;
    global $user;
    if($user['rights'] < $rights) {
        header('Location: '.$http.$_SERVER['SERVER_NAME']);
        exit;
    }
}

$user_id = isset($_COOKIE['uid']) ? fl($_COOKIE['uid']) : '';
$password = isset($_COOKIE['password']) ? fl($_COOKIE['password']) : '';

if($user_id && $password) {
    $user = $base -> query('SELECT * FROM `users` WHERE `id` = "'.$user_id.'" AND `password` = "'.$password.'"') -> fetch_assoc();
} else {
    $user = false;
}

This feature is somehow bypassed. Suggest solutions

4 answer(s)
Marat Nagayev, 2020-01-20
@UniCoom

You have an SQL injection in your code. Instructions on how to avoid them: habr, php.net

FanatPHP, 2020-01-20
@FanatPHP

The option with SQL injection looks romantic, of course, but I would assume that in this shit code it is still simpler - $rights is not defined, and therefore the check does not work if $user is set to a value.

SagePtr, 2020-01-20
@SagePtr

if ($user['rights'] < $rights)
How should this work if $user = false ?
Most likely, due to an error, this condition is simply accepted as false, and your check passes.
UPD: Still returns true, but I would not recommend relying on implicit type conversions, especially since PHP 7.4 this generates a Notice, and in future versions it may one day be removed.

flekst, 2020-01-30
@flekst

SQL-inj in plain sight
The simplest cookie with uid = "uid[of admin]'; --" will break the check by commenting out the rest of the query. The solutions have already been noted - don't use unfiltered data, validate it.
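
The fixes the answers point to (bound query parameters, validated cookie values, and a rights check that does not depend on how PHP compares `false`), shown as an added example that is not part of the thread or the asker's code. It assumes PDO with an in-memory SQLite table in place of the site's mysqli `$base`; `load_user`, `has_rights` and the sample rows and cookies are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table standing in for the site's `users` table.
$base = new PDO('sqlite::memory:');
$base->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$base->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, rights INTEGER)');
$base->exec("INSERT INTO users VALUES (1, 'admin-token', 9), (2, 'user-token', 1)");

// Look up the user from cookie values; returns the row or null, never false.
function load_user(PDO $base, array $cookies): ?array
{
    $uid = $cookies['uid'] ?? '';
    $password = $cookies['password'] ?? '';
    // Validate shape first: the id must be all digits, the password a non-empty string.
    if (!is_string($uid) || !ctype_digit($uid) || !is_string($password) || $password === '') {
        return null;
    }
    // Bound parameters travel as data, so quotes and "--" cannot change the query text.
    $stmt = $base->prepare('SELECT id, rights FROM users WHERE id = :id AND password = :password');
    $stmt->execute([':id' => (int)$uid, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fail closed: no user, a missing rights column, or too few rights all deny access.
function has_rights(?array $user, int $required): bool
{
    return $user !== null && isset($user['rights']) && (int)$user['rights'] >= $required;
}

// Constructed cookie sets: a valid admin, a normal user, the comment-style value
// quoted in the thread, and a request with no cookies at all.
$cases = [
    'admin'     => ['uid' => '1', 'password' => 'admin-token'],
    'user'      => ['uid' => '2', 'password' => 'user-token'],
    'injection' => ['uid' => "1'; --", 'password' => 'x'],
    'no cookie' => [],
];
foreach ($cases as $name => $cookies) {
    $allowed = has_rights(load_user($base, $cookies), 5);
    echo str_pad($name, 10), $allowed ? 'allowed' : 'denied (redirect and exit)', PHP_EOL;
}
```

In the asker's `rights()` function, the redirect and `exit` would run whenever `has_rights()` returns false, with the required level passed explicitly on every protected page.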
