I have the following login script. I have tried my best to make it secure, but there is a guy who hacked my script and sent me an email that he was able to log in, and he also sent me my database information like the admin password etc.

login.php

<?php
@session_start();
include("../global.inc.php");

$errMsg = "";   // initialise so the template below never reads an undefined variable

if(isset($_POST['submit']))
{

    include("../classes/class.admin.php");
    $objAdmin = new admin();
    // escaping is applied here, but verifyAdmin() still concatenates the values into the SQL text
    $verifyAdmin = $objAdmin->verifyAdmin(mysql_real_escape_string($_POST['username']), mysql_real_escape_string($_POST['password']));

    if($verifyAdmin==1)
    {
        $_SESSION['my_admin']="admin";
        header("location:index.php");
        exit;   // header() does not stop the script; without this the rest of the page is still sent
    }
    else
    {
        $errMsg="Invalid Username or Password.";
    }
}
?>

<form name="frm" method="post" action="">
  <table width="300" border="0" cellspacing="0" cellpadding="0">

    <tr>
        <td class="blackheader" > Admin Panel</td>
      </tr>
    <tr>
        <td valign="top" class="adminborder"><table width="100%" border="0" cellspacing="0" cellpadding="0">
                                <tr>
        <td>&nbsp;</td>
        <td style="color:#FF0000; font-size:11px; font-family:Arial, Helvetica, sans-serif;"><?=$errMsg;?></td>
    </tr>
        <tr>
            <td width="31%" height="28" align="left" valign="middle" class="admintxt">Username:</td>
            <td><input type="text" name="username" class="txtfield1" size="28"></td>
        </tr>
        <tr>
            <td height="28" align="left" valign="middle" class="admintxt">Password:</td>
            <td><input type="password" name="password" class="txtfield1" size="28"></td>
        </tr>
        <tr>
            <td></td>
            <td height="22" align="left" valign="middle"><input type="submit" name="submit" value="Login" class="submit_button"></td>
        </tr>
    </table></td>
    </tr>
</table>
</form>

I have the following code in my header file to check if the user is logged in

<?php
session_start();
if(!isset($_SESSION['my_admin']))
{
    header("location: login.php");
    exit;   // without exit the protected page body is still rendered after the redirect header
}
?>

Below is the class to check admin login password

class admin extends dbClass
{
    function verifyAdmin($username, $password)
    {
        // $username and $password are concatenated straight into the SQL text;
        // this is the string concatenation the comments and answers flag as the injection risk
        $select="select username,password from ".TABLE_ADMIN." where username='".$username."' and password='".$password."'";
        $query=$this->query($select,1);
        $numRows=count($query);

        return $numRows;
    }

}
Kevin
air
  • use a parameterised query, not string concatenation. – Mitch Wheat Nov 11 '12 at 07:49
  • Step back. This code is not the only possible attack vector. Read over the webserver logs, see if there actually are requests for the login page. [Log POST data](http://stackoverflow.com/questions/989967/best-way-to-log-post-data-in-apache) to see what data he's submitting. Log the activity in the application, analyze those logs. And listen to what everyone else said regarding parametrized queries. – DCoder Nov 11 '12 at 07:55
  • Good point. Since someone already compromised your system, they may have installed backdoors. I'd format the hard drive personally. – Mitch Wheat Nov 11 '12 at 08:16
  • SQL injection! Read up on it. Check this link as well: http://php.net/manual/en/function.mysql-real-escape-string.php – Arjun Abhynav Nov 11 '12 at 09:07

2 Answers

  1. Use parameterised statements to perform queries, to avoid SQL injection.
  2. Make sure this guy isn't actually accessing your server directly through some other security hole.
Chris Hayes

First, switch your code to PDO, and then use prepare/execute for your query. This should prevent injection.

Also make sure that your .htaccess is set up correctly to prevent access to your files.

Greeso
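A parameterised version of the lookup that both answers recommend, written as an added example: it is not code from the question or from either answer. It assumes PHP 7.0 or later, a PDO connection in `$pdo` created by the application's own bootstrap (global.inc.php in the question), the `TABLE_ADMIN` constant from the question, and, going beyond what the answers say, a `password` column that stores `password_hash()` output rather than the plaintext the original query compares against. The `setPassword()` helper and the `$pdo` option block are also assumptions, shown only to make the example complete.

```php
<?php
// Added example, not code from the question or either answer.
// Assumes: PHP 7.0+, a PDO connection in $pdo from the app's own bootstrap,
// the TABLE_ADMIN constant from the question, and a `password` column
// holding password_hash() output.

// Connection options the example relies on (normally set once where $pdo is
// created).  Native prepares keep the data and the SQL text separate on the
// wire instead of re-escaping on the client.
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $dbUser, $dbPass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);

class admin
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Returns true only when the username exists and the submitted password
    // verifies against the stored password_hash() digest.  The user input is
    // bound as a parameter, so quotes or SQL keywords in it cannot change the
    // statement; TABLE_ADMIN is a constant from the code base, not user input.
    public function verifyAdmin(string $username, string $password): bool
    {
        $sql  = 'SELECT password FROM ' . TABLE_ADMIN . ' WHERE username = :username';
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute([':username' => $username]);
        $row  = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false) {
            return false;                       // unknown username
        }
        return password_verify($password, $row['password']);
    }

    // Hypothetical helper: stores a new admin password as a salted hash
    // instead of plaintext, so a dumped table does not reveal the password.
    public function setPassword(string $username, string $plaintext): void
    {
        $stmt = $this->pdo->prepare('UPDATE ' . TABLE_ADMIN . ' SET password = :hash WHERE username = :username');
        $stmt->execute([
            ':hash'     => password_hash($plaintext, PASSWORD_DEFAULT),
            ':username' => $username,
        ]);
    }
}

// Login handler, replacing the if(isset($_POST['submit'])) block from the question.
session_start();
$errMsg = '';
if (isset($_POST['submit'])) {
    $objAdmin = new admin($pdo);
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if ($objAdmin->verifyAdmin($username, $password)) {
        session_regenerate_id(true);            // fresh session id once privilege changes
        $_SESSION['my_admin'] = 'admin';
        header('Location: index.php');
        exit;                                   // header() alone does not stop output
    }
    $errMsg = 'Invalid Username or Password.';
}
```

Two practical notes. Rows that currently hold plaintext passwords have to be rewritten once through `setPassword()` (or every admin forced to reset) before `password_verify()` will accept them. And the `exit` after `header()` belongs in the header-file check from the question as well: a redirect header on its own does not stop PHP from sending the protected page body to a client that simply ignores the redirect. Since the `mysql_*` extension was removed in PHP 7.0, moving to PDO is also what keeps the script running on current PHP.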