sessions gone wild

  • DavidPr
    New Member
    • Mar 2007
    • 155

    sessions gone wild

    I start sessions on all pages with:
    Code:
    ob_start();
    session_start();
    at the top of the page before anything else.

    When I login these sessions are set:
    Code:
    $query = "SELECT *
              FROM users
              WHERE (email='$e' AND pass=SHA('$p'))
              AND active IS NULL";
    $result = mysql_query ($query);
    if (@mysql_num_rows($result) == 1) {
        $row = mysql_fetch_array ($result, MYSQL_NUM);
        $_SESSION['user_id'] = $row[0];
        $_SESSION['display_name'] = $row[3];

        // Start defining the URL.
        $url = './../members/main.php';

        ob_end_clean(); // Delete the buffer.
        header("Location: $url");
        exit();
    }
    OK, I'm logged in. It's a recipe website and I go to a page that has a list of Beef recipes. I click on one, and the page displaying the recipe shows the display name of the person who submitted the recipe, e.g. Martha.

    Next to Martha's name is a link that says Click Here to see all my recipes. Here's the link:
    Code:
    <a href='all_user_recipes.php?file=$user_id'>Click Here</a>
    To display the recipe, a query is run that pulls the recipe from the recipes table: recipe_id, c_id, user_id, recipe_title, ingredients, directions, notes, viewed, r_allow, submitted

    The user_id is set in the users table when the person registered. The user_id is entered into most of the tables on this website.

    Here's where things get screwy.

    When I click on the link to see all of Martha's recipes, a query is run that pulls all the recipes from the database that correlate with Martha's user_id. At the same time, my session is now populated with Martha's information. At the top of the screen, where it used to say "Hello, David P" (my display_name, which was set in a session when I logged in), it now says "Hello, Martha". When I go to the user Control Panel it is Martha's account that I'm in. I could change her password and delete all her recipes if I had a mind to.

    I can change from Martha to someone else just by clicking on the link to see all of their recipes. It's as if the page variable ($user_id) is changing the session variable ($_SESSION['user_id']).

    My server uses PHP Version 4.4.9

    On the same page that displays the recipe, along with the link to see all that person's recipes, is a link that allows me to add that recipe to my "favorite recipes box". This is just a table (favorite_recipes) that has 2 rows - recipe_id and user_id.

    How it is supposed to work is that when I click on "Add to Favorite Recipe Box", a page opens that takes my user_id ($_SESSION['user_id']) and that recipe's recipe_id ($recipe_id), inserts them into the favorite_recipes table, and gives me a happy message saying it's been added:
    Code:
    $recipe_id = $_GET['recipe_id'];
    $query = "INSERT INTO favorite_recipes (user_id, recipe_id)
              VALUES ('".$_SESSION['user_id']."', '$recipe_id')";
    $result = mysql_query($query);
    if ($result) {
        echo "Hurray! The recipe is added!";
    } else {
        echo "Too Bad. Recipe not added.";
    }
    What actually happens is that the recipe owner's user_id is entered instead of my session user_id, and it changes my current session ($_SESSION['user_id'] and $_SESSION['display_name']) - be it me or the person whose recipes I had viewed - to the person whose recipe I just saved in my favorite recipe box. I am now them, and when I go to the control panel I am in their account and once again could do mischief if I had a mind to.

    So, it seems that whenever I click on a link my session changes. I don't get this. Any ideas?
  • Atli
    Recognized Expert Expert
    • Nov 2006
    • 5062

    #2
    Hey.

    None of the code you posted looks like it is causing this, and I can't spot anything that could be.

    Are there any global includes in your PHP files? Something that could be interfering with the sessions?

    Try searching all the files involved for "$_SESSION['user_id'] =". Just in case there was a copy/paste malfunction, or something like that.

    Also, a couple of things you should consider.
    • Using the SHA function inside a MySQL query is inadvisable. Under certain circumstances the MySQL server may log the raw query, which would then contain the plain-text password. Kind of defeats the purpose of the whole thing.
      It's better to use PHP to hash things and pass the hashes into the queries.
    • Your "Add recipe" code is wide open to SQL Injection.
      Always use the mysql_real_escape_string function on data before inserting it into a MySQL query. In the case of numbers, the intval and floatval functions can also be used.
    • "My server uses PHP Version 4.4.9"
      A fan of antiques, are you? :P

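    As an added example (not code from Atli or DavidPr), here are the two changes Atli recommends written out: hash the password in PHP before it reaches the query, and run numeric ids through intval() before the favorites insert, with the user id taken from the session only. It assumes an open mysql link $dbc and the users / favorite_recipes tables as described in the thread; the column names are those used in DavidPr's INSERT. One fact about PHP 4 worth knowing when reading it: with register_globals enabled, a global variable named $user_id is the same variable as $_SESSION['user_id'], which is why the example never assigns to globals that share a session key's name.

```php
<?php
// Added example; not from the original thread. Assumes $dbc is an open
// mysql link and that session_start() has already run on this page.

// 1. Hash in PHP. MySQL's SHA() and PHP's sha1() produce the same 40-char
//    lowercase hex digest, so rows stored with SHA('$p') still match, and the
//    plain-text password never appears in SQL text that MySQL might log.
function login_user($dbc, $email, $password)
{
    $e = mysql_real_escape_string($email, $dbc);
    $p = sha1($password);
    $query = "SELECT user_id, display_name FROM users
              WHERE email = '$e' AND pass = '$p' AND active IS NULL";
    $result = mysql_query($query, $dbc);
    if ($result && mysql_num_rows($result) == 1) {
        $row = mysql_fetch_assoc($result);
        // Write only into $_SESSION. Do not create globals called $user_id
        // or $display_name: with register_globals=On they alias the
        // session entries, and any later page that sets $user_id from a
        // query row or the URL would silently change the logged-in user.
        $_SESSION['user_id']      = (int) $row['user_id'];
        $_SESSION['display_name'] = $row['display_name'];
        return true;
    }
    return false;
}

// 2. Ids are integers, so intval() is enough to neutralise injection here.
//    The user id comes from the session, never from the request.
function add_favorite($dbc, $recipe_id_from_request)
{
    if (!isset($_SESSION['user_id'])) {
        return false;                       // not logged in
    }
    $rid = intval($recipe_id_from_request);
    $uid = intval($_SESSION['user_id']);
    if ($rid <= 0 || $uid <= 0) {
        return false;                       // missing or tampered id
    }
    $query = "INSERT INTO favorite_recipes (user_id, recipe_id)
              VALUES ($uid, $rid)";
    return (bool) mysql_query($query, $dbc);
}

// Usage on add_favorite.php (recipe_id arrives via the link in the thread):
// if (add_favorite($dbc, $_GET['recipe_id'])) { echo "Hurray! The recipe is added!"; }
```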

    • DavidPr
      New Member
      • Mar 2007
      • 155

      #3
      When you say SQL Injection I guess you're referring to this:
      Code:
      $recipe_id = $_GET['recipe_id'];
      I changed to this:
      Code:
      $recipe_id = escape_data($_GET['recipe_id']);
      $user_id = escape_data($_SESSION['user_id']);
      
      $query = "INSERT INTO favorite_recipes (user_id, recipe_id) VALUES ('$user_id', '$recipe_id')";
      I have an escape_data function in my database connection include that handles mysql_real_escape_string.

      I thought I read someplace that a page variable $user_id could change the session user_id when passed through the address bar such as with this:
      Code:
      <a href='see_all_user_recipes.php?file=$user_id'>SEE ALL</a>
      Is this possible or no?

      I don't see any buggered up session user_id's on any of the pages. The session system I'm using is the one found in Larry Ullman's book, Chapter 13.

      I'm not sure how I would implement the PHP hash that you spoke of. I'll have to read up on that.

      No matter what link I click on, my session information changes to someone else. Even this:
      Code:
      <a href='see_list.php?file=$c_id'>$c_name</a>
      c_id and c_name are the recipe category id and name. I click on this and I'm suddenly someone else.


      • DavidPr
        New Member
        • Mar 2007
        • 155

        #4
        See any reason why this would not display even though the session user_id is set and the recipe_id hasn't been added already? I have the user_id echoed above this script (as a test) to make sure that it is set, and it is. I can't figure out why it isn't working.

        Code:
        if (isset($_SESSION['user_id']))
        {

            include('dbconnect.php');

            $query = "SELECT recipe_id
                      FROM favorite_recipes
                      WHERE favorite_user_id='" . $_SESSION['user_id'] . "'";
            $result = mysql_query ($query);

            // Make sure this user hasn't already added this recipe to their favorites
            if (mysql_num_rows($result) == 0)
            {

                while($row = mysql_fetch_array($result))
                {
                    $recipe_id = $row['recipe_id'];

                    echo "
                    <tr><td>
                    <a href='add_favorite.php?recipe_id=$recipe_id'>Add to Favorites</a>
                    </td></tr>
                    ";
                }
            }
        }


        • DavidPr
          New Member
          • Mar 2007
          • 155

          #5
          OK, I found the problem with what I posted above. The query should have been this:
          Code:
          $query = "SELECT recipe_id
                    FROM favorite_recipes
                    WHERE favorite_user_id='" . $_SESSION['user_id'] . "'
                    AND recipe_id='$recipe_id'";
          $result = mysql_query ($query);
          What this query was doing was checking to see if the user had already added this recipe to their favorites. If so, this section was to be skipped. If they had not, then show this section and give the user the option of adding it to their favorites folder. I failed to check it against the recipe_id of the current recipe.

