
Using a get variable from URL to do a MYSQL Query


I am using a POST variable and I am attempting to use a GET variable from the URL to log in a user.

Here is the process:

Users get their own URL, i.e. kayden.domain.com

and when they create their own account they have their username and pass

When they come to kayden.domain.com they use those credentials.

To verify, I am checking the POST variables (username and password) and trying to use $_GET['user_group'] to verify.

The script works when I just use the POST variables, but when it comes to GET it doesn't work. Below is the code:

PHP:

```php
<?php
// Assumes session_start() and a mysql_connect() have already run (not shown in the question).
$SUBDOMAIN = mysql_real_escape_string($_GET['user_group']);

// Process the POST variables
$username = $_SESSION["user_name"];
//$password = $_POST["password"];

// Set up the session variables
$_SESSION["user_name"] = $username;

$secret = $info['password'];

// Checks if there is a login cookie;
// if there is, it logs you in and directs you to the members page
if (isset($_COOKIE['ID_my_site'])) {
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];

    // Note: $user_group is never assigned above (only $SUBDOMAIN is),
    // so this query compares user_group against an empty string
    $check = mysql_query("SELECT user_name, password FROM accounts WHERE user_name = '$username' and user_group='$user_group'") or die(mysql_error());

    while ($info = mysql_fetch_array($check)) {
        if (@ $info['password'] != $pass) {
            // password mismatch: fall through and show the form
        } else {
            header("Location: members.php");
        }
    }
}

// if the login form is submitted
if (isset($_POST['submit'])) {
    // makes sure they filled it in
    if (!$_POST['user_name'] || !$_POST['password']) {
        die('You did not fill in a required field.');
    }

    // checks it against the database
    if (!get_magic_quotes_gpc()) {
        $_POST['user_name'] = addslashes($_POST['user_name']);
        $_GET['user_group'] = addslashes($_GET['user_group']);
    }

    $check = mysql_query("SELECT user_name,password FROM accounts WHERE user_name = '".$_POST['user_name']."' and user_group='".$_GET['user_group']."'") or die(mysql_error());

    // Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
    }

    while ($info = mysql_fetch_array($check)) {
        $_POST['password'] = md5($_POST['password']);
        $_POST['password'] = $_POST['password'];

        // gives error if the password is wrong
        if (@ $_POST['password'] != $info['password']) {
            die('Incorrect password, please try again');
        } else {
            // if login is ok then we add a cookie
            $_POST['user_name'] = stripslashes($_POST['user_name']);
            $hour = time() + 3600;
            setcookie('ID_my_site', $_POST['user_name'], $hour);
            setcookie('Key_my_site', $_POST['password'], $hour);

            // then redirect them to the members area
            header("Location: members.php");
        }
    }
} else {
    // if they are not logged in
?>
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
    <table border="0">
        <tr><td colspan=2><h1>Login</h1></td></tr>
        <tr><td>username:</td><td>
            <input type="text" name="user_name" maxlength="40">
        </td></tr>
        <tr><td>Password:</td><td>
            <input type="password" name="password" maxlength="50">
        </td></tr>
        <tr><td colspan="2" align="right">
            <input type="submit" name="submit" value="Login">
        </td></tr>
    </table>
    </form>
<?php
}
?>
```

Solution

Two-tier answer:

Part 1

You can use the PHP $_REQUEST variable to obtain the details from GET (query string), POST and COOKIE.

For example:

```php
$ugData = $_REQUEST['user_group'];
$unData = $_REQUEST['user_name'];
```

More information on this can be found here:

http://php.net/manual/en/reserved.variables.request.php

Part 2

This line in your code:

```php
$check = mysql_query("SELECT user_name,password FROM accounts WHERE user_name = '".$_POST['user_name']."' and user_group='".$_GET['user_group']."'") or die(mysql_error());
```

is vulnerable to SQL injection: a malicious user could craft a request in which the user_group or user_name value contains additional SQL, and your script will execute it without question.

You should always validate any external inputs, as you cannot trust that they will always contain what you expect.

More information regarding this can be found at:

http://php.net/manual/en/security.database.sql-injection.php
http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

A quick example of how to combat this is:

```php
$ugData = mysql_real_escape_string($_REQUEST['user_group']);
$unData = mysql_real_escape_string($_REQUEST['user_name']);
```

This would escape the $_REQUEST inputs and therefore stop anybody who has crafted a malicious request. It does not, however, validate that the given user_group / user_name are valid values.
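The question's account lookup and the answer's escaping advice, reworked as an added example (not code from either post): a PDO prepared statement carries the values separately from the SQL text instead of escaping them into it, the user_group is derived from the request's Host header and checked against a subdomain-label pattern (assuming, as the question states, that each user's group is their own subdomain), and password_verify() replaces the md5 comparison. DB_NAME, DB_USER, DB_PASS and domain.com are placeholders.

```php
<?php
// Added example, not from the question or answer. Table and column names
// follow the question; DB credentials and the base domain are placeholders.

// Only accept user_group values shaped like a single DNS label.
function validUserGroup(string $group): bool
{
    return (bool) preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $group);
}

// Take the group from the Host header (kayden.domain.com -> "kayden") rather
// than a query-string parameter, so a caller cannot name another tenant's group.
function userGroupFromHost(string $host, string $baseDomain): ?string
{
    $host = strtolower(explode(':', $host, 2)[0]);   // drop any :port
    $suffix = '.' . $baseDomain;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;
    }
    $group = substr($host, 0, -strlen($suffix));
    return validUserGroup($group) ? $group : null;
}

function findAccount(PDO $db, string $userName, string $userGroup): ?array
{
    // Named placeholders: the values never become part of the SQL text.
    $stmt = $db->prepare(
        'SELECT user_name, password FROM accounts WHERE user_name = :u AND user_group = :g'
    );
    $stmt->execute([':u' => $userName, ':g' => $userGroup]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage; assumes the password column holds password_hash() output.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$group = userGroupFromHost($_SERVER['HTTP_HOST'] ?? '', 'domain.com');
$user  = $_POST['user_name'] ?? '';
$pass  = $_POST['password'] ?? '';
if ($group === null || $user === '' || $pass === '') {
    die('Invalid login request.');
}
$account = findAccount($db, $user, $group);
// One generic message for both failures, so the response does not reveal which field was wrong.
if ($account === null || !password_verify($pass, $account['password'])) {
    die('Incorrect username or password.');
}
session_start();
session_regenerate_id(true);           // fresh session id after login
$_SESSION['user_name'] = $account['user_name'];
header('Location: members.php');
exit;
```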