The essence of the problem: if you enter the left username and password, it simply enters the site under that username and gives out a cookie, if you enter the correct username and the wrong password, everything works OK. Why is the cookie issued when entering the wrong login ???

if (isset($_POST['enter'])) { $connect = mysqli_connect ("localhost","root","","my_bd"); mysqli_query($connect ," SET NAMES 'utf8' "); if (!$connect) { mysqli_error(); } $enter_login = $_POST['enter_login']; $enter_pswd = (int) $_POST['enter_pswd']; $sql = mysqli_query($connect, " SELECT * FROM users WHERE login = '$enter_login' "); $user_data = mysqli_fetch_array($sql); if ((int) $user_data['password'] == $enter_pswd) { setcookie('user',$enter_login,time()+36000); header("Location: /myblog/"); exit; } else { echo "<script>alert(\"Неверный логин или пароль.\");</script>"; } mysqli_close($connect); } 
  • with such protection, I know the name of an arbitrary user, I can enter a cookie in the request and log in, perhaps? You did not mislead cookies with sessions? - teran
  • You would try to figure out what your code does. Why do you convert passwords to integer ( (int) )? - neluzhin
  • everything works crookedly for you just because of the above cast to int . When you cast a text string to an integer, you get a value of 0. And you get this value both times, and then compare two zeros, eventually getting identical equality. - teran
  • and the old cookie was deleted? - Yura Petrov
  • When I entered the login correct and the password was not correct, it gave me an error that the password entered was not correct, I didn’t have any problems with it)) I don’t understand why it turns out so that when I enter the left login I have a cookie on it? Can you explain it to me? Cook was old I deleted a button that sends the same cookie to the browser only with a time value of -3600. - user225682

2 answers 2

By the way, I recently wrote a similar authorization check:

 session_start(); if (!isset($_SESSION['isUserCorrect'])) { $_SESSION['isUserCorrect'] = FALSE; } if ($_SESSION['isUserCorrect']) { echo json_encode('redirect'); } else { $login = mysql_real_escape_string(strtolower($_POST['login'])); $password = mysql_real_escape_string(md5($_POST['password'])); $tmp_conn = new mysqli(Model::$host, Model::$username, Model::$password, Model::$dbname); if ($result = $tmp_conn->query("SELECT Login, Password FROM User WHERE Login = '$login' AND Password = '$password'")) { if ($result->num_rows > 0) { $_SESSION['userLogin'] = $_POST['login']; $_SESSION['isUserCorrect'] = TRUE; echo json_encode('true'); } else { $_SESSION['isUserCorrect'] = FALSE; echo json_encode('false'); } } else { $_SESSION['isUserCorrect'] = FALSE; echo json_encode('false'); } $tmp_conn->close(); } 

$ result gets a mysqli_result object in which you can check for rows returned by the database.
If more than 0, then there is a user with such a login and password, otherwise it is incorrect, in js I process all this, but I think it is not difficult to make my own manipulations in a php script.

  • what will happen if you specify the string qwe' or id = 1 # or '; delete from user; # '; delete from user; # '; delete from user; # ? - teran
  • @teran thanks, for some reason I thought that htmlspecialchars will do all the work;) - Ep1demic
  • and I actually looked at something that you had some kind of processing going on before substitution into the request. - teran
  • @teran, yes, there were htmlspecialchars there, but he didn’t seem to do much (although I thought differently 17 minutes ago) - Ep1demic
  • it replaces the single quote when the ENT_QUOTES flag is ENT_QUOTES - teran

Essentially the question asked. Cook is set for the following reason.

When executing the following code,

 $enter_pswd = (int) $_POST['enter_pswd']; 

after casting the transferred password to the int type, the value of the $enter_pswd variable becomes zero, since your password apparently contains not only numeric characters.

Further in the same way you select a password from the database, and again convert it to the int type. Receiving again the value of 0 . The next stage you compare two zero values, and of course you get the result true .

This explains why the cookie will appear when entering an incorrect password. I note that in the case when your password contains only the digits of the cookie will not be issued. In general, it is not required to bring the password to the int type, and it is not clear why you are doing this.

Further a few notes regarding your code:

  1. Substituting the login directly into the body of the SQL query opens a direct path to code injection. Imagine that someone will write the string xxxx' union select 1 as id, 'admin' as login, 123 as password; # xxxx' union select 1 as id, 'admin' as login, 123 as password; #

As a result, your request to verify the user will look like this:

 SELECT * FROM users WHERE login = 'xxxx' union select 1 as id, 'admin' as login, 123 as password; #' 

that paired with the password 123 will lead to successful authorization. In other cases, if it is possible to specify, as a login, for example, qwe'; delete from users; # qwe'; delete from users; # qwe'; delete from users; # in the result of which the contents of the user table will be deleted. In the same way it turns out and add a new entry to the table with a small selection of field names.

  1. Do not store passwords in the database in the clear. The password hashes should be stored, for example, the simplest md5() .
  2. The sign of user authorization should obviously be indicated not in the cookie, but in the session. Because the first are openly transmitted between the client and the server, and no one bothers the user to enter there with their hands, correcting the request headers in the browser.
  • I was told the password in sha1 () to throw, does it make any difference? - Yura Petrov
  • Well, I will give the password with md5 and check if I’ll use a session instead of cookies. But when I entered the login correct and the password was not correct, it gave me an error that the password entered was not correct, I didn’t have any problems with this)) Can you explain it to me? You are welcome. - user225682
  • @ user225682 that is, you are given an alert that the password is incorrect, and at the same time the cookie is issued? - teran
  • No, if the login is correct and the password is not correct, the cookie is not issued, it simply shows an error, and if the login is not correct, then the cookie is issued to this login. I have now organized everything through the sessions and it works perfectly, it’s just interesting how it happened. - user225682
  • Just use the session so everyone does it - Yura Petrov