How could I improve the security of this php code?

Question

I have created the PHP code:

<?php

  include("../config.php");

  if(!isset($_COOKIE["sessionid"])) {
      header("location:../error_pages/403.php");
  } else {
      $value = $_COOKIE["sessionid"];
      $query = "SELECT * FROM users WHERE sessionid = ?";

      $stmt = $conn->prepare($query);
      $stmt->bind_param("s",$value);
      $stmt->execute();
      $result = $stmt->get_result();

      $rowcount = $result->num_rows;
      if ($rowcount != 1 ) {
          header("location:../error_pages/403.php");
      } else {
          $file = "/path/to/file/";
          header('Content-Description: File Transfer');
          header('Content-Disposition: attachment; filename='.basename("File_Name"));
          ob_clean();
          flush();
          readfile($file);
      }
  };
?>

I'm wondering if there is a way the sessionid cookie could be manipulated to allow for SQL injection. As well as whether this download is secure. The file is not stored in a publicly accessible folder.

To prevent session stealing I'm serving the login page only over TLS, is there another method sessions could be stolen?

Answer 1

By using a query parameter, you're safe from SQL injection.

Your code might be vulnerable to session hijacking. Here are some tips and resources:

• Use TLS (https) for all requests, this defeats packet sniffers.
• http://phpsecurity.org/ has a free sample chapter about session management. Or get the whole book, it's good.
• What is the best way to prevent session hijacking?
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet