So after my incident last night with the Upwork freelancer I hired sending me some suspicious code, I decided to look through some things.

I wasn't familiar with the login process, but learned that he used md5.

After doing some research, both on here and other sites, I decided to switch the process to bcrypt.

I found a step-by-step resource here. I verified that the password is posting to the database correctly.

My login form uses newlogin_check.php to verify the login, but upon submitting the login form, it directs to newlogin_check.php as a blank page.

Here's the code for newlogin_check.php -- just not sure where the error is.

```php
<?php

    include("ajax/db_connection.php");

    if(isset($_POST['submit'])){
        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = "SELECT * FROM logins where userid='$username'";
        $result = mysqli_query($con, $query);
        $numRows = mysqli_num_rows($rs);

        if($numRows == 1) {
            $row == mysqli_fetch_assoc($result);
            if (password_verify($password, $row['password'])) {
                session_start();
                $_SESSION["username"] = $row['firstName'].' '.$row['lastName'];
                $_SESSION["userid"]= $row['userid'];
                $_SESSION["role"] = $row['userType'];
                if($_SESSION["role"]=="RF")
                    header("Location: ref_status.php?uid=".$row['userid']);
                else
                    header("Location: referral.php");
            }
            else {
                header("Location: index.php?errLogin=1");
            }
        }
    }
?>
```

Edit: db_connection.php file per request

```php
<?php

// Connection variables
$host = "localhost"; // MySQL host name, e.g. localhost
$user = "USERNAME"; // MySQL user, e.g. root (if you're on a local server)
$password = "PASSWORD"; // MySQL user password
$database = "DATABASE"; // MySQL database name

// Connect to MySQL Database
$con = new mysqli($host, $user, $password, $database);

// Check connection
if ($con->connect_error) {
    die("Connection failed: " . $con->connect_error);
}

?>
```
Funk Forty Niner
mike437
  • A blank page may indicate an error, please check your error logs or enable errors display. – Spoody Apr 07 '18 at 21:24
  • You also need to look into [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Apr 07 '18 at 21:24
  • I do hope you didn't pay the author of this – RiggsFolly Apr 07 '18 at 21:25
  • It is also safest to do your `session_start();` right after the ` – RiggsFolly Apr 07 '18 at 21:26
  • Also, I just checked the article you mentioned, don't you ever read anything from that website as they obviously don't know a thing about security. – Spoody Apr 07 '18 at 21:27
  • I just (maybe 2-3 weeks ago) started messing with PHP/SQL. I can usually read code pretty well and understand it enough to duplicate it where I need, but I tend to miss some semi-colons or quotes when I have an error. I certainly don't know anything about SQL injection or prepared parameterized statements, and a lot of those articles are a little over my head. But I'll definitely stay away from that site -- just figured anything would be more secure than what I have now. – mike437 Apr 07 '18 at 21:32
  • Agree with @MehdiBounya. Avoid that website, it's dangerous – RiggsFolly Apr 07 '18 at 21:32
  • Can you show us the contents of `ajax/db_connection.php`? Change any passwords just to be safe. – RiggsFolly Apr 07 '18 at 21:33
  • @RiggsFolly I paid the author of the original page, but it was relatively inexpensive -- I guess you get what you pay for. I'll add the db_connection to the original post, but I have it on all my other pages without any issues. – mike437 Apr 07 '18 at 21:35
  • Ok so add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. – RiggsFolly Apr 07 '18 at 21:38
  • @mike437 I really appreciate your concern about security and it's the right thing to do! If you are unsure about what to do to make your code secure you can start by checking [PHP the right way](http://www.phptherightway.com/) and [The 2018 Guide to Building Secure PHP Software](https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software) – Spoody Apr 07 '18 at 21:38
  • @MehdiBounya Thanks for the resources. I'll definitely check them out. – mike437 Apr 07 '18 at 21:41
  • @RiggsFolly I added those to the db_connection but still getting a blank page – mike437 Apr 07 '18 at 21:41
  • Before `if(isset($_POST['submit'])){` add `var_dump($_POST);` and see if you still have a blank page. – Spoody Apr 07 '18 at 21:42
  • @MehdiBounya `array(3) { ["username"]=> string(10) "nnewtest56" ["password"]=> string(10) "nnewtest56" ["Submit"]=> string(5) "Login" } ` – mike437 Apr 07 '18 at 21:43

1 Answer

The problem is that you are checking for `submit` but you have `Submit` instead (uppercase S); array keys are case sensitive.

Which means

```php
if(isset($_POST['submit'])){
```

must be

```php
if(isset($_POST['Submit'])){
```
Spoody
  • Thank you :) I figured it would be something silly. Now I'm running into some variable issues, so I'm gonna go investigate those (already found one). Then I'll be looking into those resources you gave me. I appreciate it! – mike437 Apr 07 '18 at 21:49
  • @mike437 Glad I helped, check [PHP & Case Sensitivity](https://stackoverflow.com/a/33273959/2595450) for more details. – Spoody Apr 07 '18 at 21:50
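
A version of `newlogin_check.php` that combines the `Submit` fix from the answer with the points raised in the comments (prepared statement, `session_start()` at the top, mysqli error reporting), as an added example that is not code from the asker or the answerer. It assumes the `logins` columns and the `$con` connection shown in the question and that stored hashes were created with `password_hash()`; `redirect()` is a hypothetical helper introduced here.

```php
<?php
// Added example: a hardened newlogin_check.php (not the original author's code).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw
session_start();                      // before any output is sent
include "ajax/db_connection.php";     // provides $con (mysqli), as in the question

// Hypothetical helper: redirect and stop, so no code runs after the header.
function redirect(string $url): void
{
    header("Location: " . $url);
    exit;
}

// The form field is "Submit" (capital S); array keys are case sensitive.
$username = $_POST['username'] ?? null;
$password = $_POST['password'] ?? null;
if (!isset($_POST['Submit']) || !is_string($username) || !is_string($password)) {
    redirect("index.php?errLogin=1");
}

// Parameterized query: the user id is bound, never concatenated into the SQL.
$stmt = $con->prepare(
    "SELECT userid, password, firstName, lastName, userType
       FROM logins WHERE userid = ?"
);
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($userid, $hash, $firstName, $lastName, $userType);
$found = $stmt->fetch();              // true: row fetched, null: no such user
$stmt->close();

// Unknown user and wrong password share one path, so neither ends on a blank page.
// Assumes the stored value was produced by password_hash().
if ($found !== true || !password_verify($password, $hash)) {
    redirect("index.php?errLogin=1");
}

session_regenerate_id(true);          // fresh session id once authenticated
$_SESSION["username"] = $firstName . ' ' . $lastName;
$_SESSION["userid"]   = $userid;
$_SESSION["role"]     = $userType;

if ($userType === "RF") {
    redirect("ref_status.php?uid=" . urlencode($userid));
}
redirect("referral.php");
```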