Security failure (PHP, JS, API, MYSQL)


I made a site with login, registration, etc. I validated the login and registration with the POST method; the site is on the server and everything works, but when I enter the URL of an inner page directly, it loads. Is this some mistake I might have made, or is it "normal"?

LOGIN

<form name="formulario" id="formEnvia" action="valida.php" method="POST">
    <label for="cpf">CPF*</label>
    <input type="text" id="cpf" name="cpf" class="form-control input-lg" placeholder="000.000.000-00" maxlength="14" pattern="\d{3}\.\d{3}\.\d{3}-\d{2}"
           title="Digite o CPF no formato nnn.nnn.nnn-nn" required />
    <br>
    <label for="inputEmail">E-mail*:</label>
    <input type="email" id="inputEmail" name="inputEmail" class="form-control input-lg" placeholder="[email protected]" maxlength="50" required />
    <br>
    <button type="submit" onclick="valida_envio()" class="btn btn-primary btn-lg btn-block">
        <span class="glyphicon glyphicon-ok"></span>
        Acessar
    </button>
</form>

LOGIN VALIDATION:

<?php
require_once "conexao.php";

$email = $_POST['inputEmail'];
$cpf   = $_POST['cpf'];

// Note: the form values are interpolated straight into the SQL text (no escaping or
// prepared statement), which later comments on this thread point out.
$query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

$querySelect = mysqli_query($conn, $query);

if (mysqli_num_rows($querySelect) <= 0) {
    echo "<script type='text/javascript'>alert('Email ou cpf incorretos.');window.location.href='index.html';</script>";
    die();
} else {
    // The only record of the login is a client-side cookie that no page ever checks,
    // so Postagem.html stays reachable without logging in.
    setcookie("login", $cpf);
    header("Location: Postagem.html");
    exit;
}

  • What do you mean? You enter a URL without going through the login and it loads? Is that it?

  • Exactly!!! I enter the URL and, even without logging in, it gets into the site.

  • Hmmmm, so there really is a security flaw. Are you checking whether a Session exists before allowing entry to the site? How are you logging in? If possible, edit your post and add the code.

  • Yes. I did the validation with PHP against the MySQL database. I also did a registration page to insert the data into the database, all with the POST method.

  • Cool, but how are you validating whether a user has logged in? From what I understand, you have done the validation to see whether the user exists in the database, right? But that won't stop someone from calling the internal URL without logging in. What you need to do is validate whether the user has logged in using a Session. That's why I wanted to see your login code, to see what you did and whether you need to add something...

  • Done. I edited the question and added the code, if you could take a look...

  • Relax, I'll edit the answers...

  • But wait a sec... does the page Postagem.html have any access restriction?

  • No... how can I do that?

  • One thing: if you're working with PHP, don't use .html files, use .php files. They are much more malleable when implementing code, because you can use the language's features wherever you need them.

2 answers

1

According to the code, you are missing the use of a Session: check on the page whether the Session exists, and if it does, let the user through.

NT: You need to start a Session first of all, in order to be able to set values with this method: session_start(). That is, go to the first PHP file that is called and put that method there.

NT2: I recommend reading about Sessions and about access restriction in PHP.

Example:

Assuming this is the first page (login.php):

<?php
    session_start();
?>

<form name="formulario" id="formEnvia" action="valida.php" method="POST">
    <label for="cpf">CPF*</label>
    <input type="text" id="cpf" name="cpf" class="form-control input-lg" placeholder="000.000.000-00" maxlength="14" pattern="\d{3}\.\d{3}\.\d{3}-\d{2}"
           title="Digite o CPF no formato nnn.nnn.nnn-nn" required />
    <br>
    <label for="inputEmail">E-mail*:</label>
    <input type="email" id="inputEmail" name="inputEmail" class="form-control input-lg" placeholder="[email protected]" maxlength="50" required />
    <br>
    <button type="submit" onclick="valida_envio()" class="btn btn-primary btn-lg btn-block">
        <span class="glyphicon glyphicon-ok"></span>
        Acessar
    </button>
</form>

Assuming the POST has already been submitted and the data passed along (valida.php):

<?php
// NT: the session has to be started before anything else, in this file as well
// (it is a separate request from login.php), otherwise the values set below are lost.
session_start();

require_once "conexao.php";

$email = $_POST['inputEmail'];
$cpf   = $_POST['cpf'];

$query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

$querySelect = mysqli_query($conn, $query);

if (mysqli_num_rows($querySelect) <= 0) {
    echo "<script type='text/javascript'>alert('Email ou cpf incorretos.');window.location.href='index.html';</script>";
    die();
} else { // here you redirect to the postagem page, right?

    // edited
    // setting the values in the session
    // (the keys must match exactly the ones checked on Postagem.php)
    $_SESSION["email"] = $email;
    $_SESSION["cpf"]   = $cpf;

    //setcookie("login", $cpf);

    header("Location: Postagem.php"); // after changing the file to .php
    exit;
}

Assuming you are on the page Postagem.php:

<?php
    // the session must be started on this page too; without it $_SESSION is empty
    // and every visitor would be redirected
    session_start();
    // isset checks whether the variable exists
    if (isset($_SESSION['email']) && isset($_SESSION['cpf'])) {
?>
        <!-- page content here -->
        <h1>página postagem</h1>
<?php
    } else {
        // redirect to the login page if there is no session
        header('Location: index.php');
        exit;
    }

0

I managed to solve it like this:

Connecting to the database:

<?php

$conn = new mysqli("localhost", "root", "", "portal");

if ($conn->connect_error) {
    die("Falha ao conectar!, Motivo: " . $conn->connect_error);
}

Validating login:

<?php

if (isset($_REQUEST['valida'])) {
    $cpf   = $_REQUEST['cpf'];
    $email = $_REQUEST['email'];

    // As the comment below notes, these values go into the SQL string without escaping.
    $query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

    $querySelect = mysqli_query($conn, $query);

    if (mysqli_num_rows($querySelect) == 0) {
        echo "Erro ao logar";
    } else {
        $_SESSION['cpf']   = $cpf;
        $_SESSION['email'] = $email;
        header("Location: postagem.php");
        exit;
    }
}

My index page (login):

I start with: <?php session_start(); include 'config/conexao.php'; ?>

That is the directory where I saved my database connection.

And at the end of the code I put:

<?php include 'config/valida.php' ?> That's where I saved the login code.

On my website page I start with:

<?php session_start(); ?>

<?php
// redirect if either value is missing (|| rather than &&, otherwise a session with
// only one of the two set would get through)
if (!isset($_SESSION['cpf']) || !isset($_SESSION['email'])) {
    header("Location: ../index.php");
    exit;
}
?>

Right after the <body> tag I put:

<?php
    $secao_cpf   = $_SESSION['cpf'];
    $secao_email = $_SESSION['email'];
?>

And right after the "sair" (logout) button I put:

<?php
    if (isset($_REQUEST['sair'])) {
        session_destroy();
        header("Location: index.php");
        exit;
    }
?>

So no one can enter the site directly through the link, only those who log in correctly.

  • Sorry, but I have to warn you: your code is not safe. It does not seem to validate the 'session' properly, and besides that there is no escaping in the MySQL query.

  • Strange... whenever I enter the direct link to the home page it doesn't go through, it keeps going back to the login. Escaping? Could you explain it to me? I'm a beginner with databases.

  • So, Nazera, your solution has many problems; there is no way to explain them in a comment, but I intend to write an answer as soon as possible explaining the details and suggesting changes.

  • All right. I'll wait for your answer.
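The two points raised in this thread, checking a session before serving a restricted page (first answer) and keeping the CPF and e-mail out of the SQL text (the escaping comment above), put together in one file as an added example, not code from the question or either answer. It assumes the table and columns from the thread (usuarios, cpf, email), the $conn mysqli handle from the thread's conexao.php, and form fields named cpf and inputEmail; the guard function would normally live in a shared include.

```php
<?php
// Added example (not from the thread): login handler plus a reusable page guard.
// Assumes $conn from conexao.php and the form fields cpf / inputEmail.
session_start();
require_once "conexao.php";

// Bound parameters keep the CPF and e-mail out of the SQL text, which removes
// the injection possible with the string-built query used in the thread.
function find_user(mysqli $conn, string $cpf, string $email): ?array
{
    $stmt = $conn->prepare(
        "SELECT cpf, email FROM usuarios WHERE cpf = ? AND email = ? LIMIT 1"
    );
    $stmt->bind_param("ss", $cpf, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Call at the top of every restricted page (e.g. Postagem.php). The exit after
// header() matters: without it PHP still renders and sends the rest of the page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['cpf']) || empty($_SESSION['email'])) {
        header("Location: index.php");
        exit;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $cpf   = $_POST['cpf'] ?? '';
    $email = $_POST['inputEmail'] ?? '';
    $user  = find_user($conn, $cpf, $email);
    if ($user === null) {
        header("Location: index.php?erro=1");
        exit;
    }
    // Fresh session id on login, so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['cpf']   = $user['cpf'];
    $_SESSION['email'] = $user['email'];
    header("Location: Postagem.php");
    exit;
}
```

With this in place, Postagem.php only needs `require_once` of the file holding require_login() followed by `require_login();` before any output, instead of the duplicated isset checks on each page.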
