Fix database and PHP security problem

0

I am new here and I have a problem with my page. It has user registration, sessions and an administrator; if I log in with my admin account, I can delete or edit users. The problem is that, when I log in as admin, a section called "Users" appears, where I go in and see the list of registered users, but if I copy the URL (link) of that section and open it without my admin account, I can get in without being blocked and delete everything I want. I really do not know what to add or modify to solve the security error.

<?php
@$_COOKIE['aux_d'];

// Access gate: the only check is a cookie value that the browser itself supplies
if(@$_COOKIE['aux_d'] == 2)
{
include_once("libreria/persona.php");

$datos = new Persona();
$persona = new Persona();

include_once("menu_bs.php");

$operacion = '';

$nombre = '';
$apellido = '';
$sexo = '';
$dni = '';
$carrera = '';
$telefono='';
$email='';
$user='';
$rol='';

if (!empty($_POST)) {
    $operacion = isset($_GET['operacion']) ? $_GET['operacion'] : 'alta' ;
    if ($operacion == 'alta' && !isset($_GET['id_pers'])){
        $persona->nombre=$_POST['txtNombre'];
        $persona->apellido=$_POST['txtApellido'];
        $persona->sexo=$_POST['txtSexo'];
        $persona->dni=$_POST['txtDni'];
        $persona->carrera=$_POST['txtCarrera'];
        $persona->telefono=$_POST['txtTelefono'];
        $persona->email=$_POST['txtEmail'];
        $persona->user=$_POST['txtUser'];
        $persona->rol=$_POST['txtRol'];
        if($_POST['txtPass'] != "" && $_POST['txtPass1'] != "" && ($_POST['txtPass'] == $_POST['txtPass1'])){
          $persona->passwd=$_POST['txtPass'];
        }
        else{
        $persona->passwd="";
        }           
        $persona->guardar();
    }
    if ($operacion == 'actualizar' && isset($_GET['id_pers'])){
        echo '2-actualizar';
        $persona->nombre=$_POST['txtNombre'];
        $persona->apellido=$_POST['txtApellido'];
        $persona->sexo=$_POST['txtSexo'];
        $persona->dni=$_POST['txtDni'];
        $persona->carrera=$_POST['txtCarrera'];
        $persona->telefono=$_POST['txtTelefono'];
        $persona->email=$_POST['txtEmail'];
        $persona->user=$_POST['txtUser'];
        $persona->rol=$_POST['txtRol'];
        if($_POST['txtPass'] != "" && $_POST['txtPass1'] != "" && ($_POST['txtPass'] == $_POST['txtPass1'])){
          $persona->passwd=$_POST['txtPass'];
        }
        else{
          $persona->passwd="";
        }       
        $persona->actualizar($_GET['id_pers']);
        header("Location: ".$_SERVER['PHP_SELF']);
    }
    if ($operacion == 'borrar' && isset($_GET['id_pers'])){
        $persona->borrar($_GET['id_pers']);
    }
    if ($operacion == 'edicion' && isset($_GET['id_usuario'])) {
        $id_usuario = $_GET['id_usuario'];
        $datos=Persona::traer_datos($id_usuario);
        $nombre = $datos['nombre'];
        $apellido = $datos['apellido'];
        $sexo = $datos['sexo'];
        $dni = $datos['dni'];
        $carrera = $datos['carrera'];
    } 
}
?>
<script src="bootstrap/js/funciones_p.js"></script> 
<div class="container-fluid">
   <nav class="navbar navbar-default " role="navigation" >  
      <ul class="nav navbar-nav" style="padding-top: 10px;padding-bottom: 0px;">
      <span style="padding-right: 20px;font-weight: bold;">Usuarios</span>
      <button type="button" class="btn btn-primary  btn-sm"   onclick="cargar('#capa_d','alta_p.php')">Alta</button>
      </ul>        
      <ul class="nav navbar-nav" style="padding-top: 10px;padding-bottom: 0px;">
        <input type="text"  id="txt_b" placeholder="Buscar" style="position: absolute;right: 100px;" >
        <button type="button" id="btn_b" class="btn btn-primary btn-sm" style="position: absolute;right: 20px;">Buscar</button>
      </ul>     
   </nav>
 </div>

<div class="row">
  <div class="col-sm-6">
  <div id="capa_d">
  </div>
  </div>
  <div class="col-sm-6">
  <div id="capa_L"> 
        </div>
</div>
</div>
</body>
</html>
<?php
}else{echo 'Usted no tiene permitido el acceso a esta seccion';}
?>

Thank you very much. And excuse me, it's the first time I've put together a page like this.

asked by Booker 20.05.2018 at 20:02

2 answers

1

If you store the type of user in the session, you can put the following code in your abm_p.php page:

session_start(); // needed before $_SESSION can be read

// Stop the page for anyone whose server-side session role is not 'admin'
if($_SESSION['tipo_usuario']!='admin'){
    echo 'Usted no tiene permitido el acceso a esta seccion';
    die;
}
answered by 20.05.2018 / 20:10
0

Use the header Location option

The following script must be placed on all the pages that you need to protect from logins that are not allowed.

ABOUT HEADER LOCATION

  Header Location sends the HTTP headers; I should clarify that the URL to which you are going to redirect the user should preferably be absolute, so that all browsers interpret it correctly.

As follows

session_start(); // needed before $_SESSION can be read

if($_SESSION['tipo_usuario']!='admin'){
    // Absolute URL so every browser follows the redirect correctly
    header('Location: http://web.com/login.php');
    die; // stop the script; a redirect header alone does not stop the rest of the page from running
}

die is used so that, as soon as the session is validated as not matching, the execution of the script is killed.

  With header Location, what we do is pass the URL of the page that we will show the user once it has been validated that the session is not the one required for a specific user.

answered by 20.05.2018 at 20:13
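Both answers rely on a role stored server-side in the session rather than in a cookie the browser controls. The following is an added example (not code from the question or from either answer) that puts that advice together into a small guard for abm_p.php; the function names, the `tipo_usuario` key and the login URL are assumptions, and it assumes login.php verifies the password before calling `registrar_login()`.

```php
<?php
// Added example: server-side role gate replacing the $_COOKIE['aux_d'] == 2 check.
// Assumed names: iniciar_sesion_segura, registrar_login, requerir_rol, 'tipo_usuario'.
declare(strict_types=1);

// auth.php: include this at the very top of every page that must be protected.
function iniciar_sesion_segura(): void
{
    // Session cookie flags: not readable by page scripts, only sent over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called from login.php only after the password has been verified server-side.
function registrar_login(int $idUsuario, string $rol): void
{
    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['id_usuario']   = $idUsuario;
    $_SESSION['tipo_usuario'] = $rol;       // e.g. 'admin'; never taken from a client cookie
}

// Stops the request unless the logged-in user holds the required role.
function requerir_rol(string $rolRequerido, string $urlLogin): void
{
    $rol = $_SESSION['tipo_usuario'] ?? null;
    if ($rol !== $rolRequerido) {
        header('Location: ' . $urlLogin, true, 303); // absolute URL, as the second answer notes
        exit;                                         // otherwise the rest of the page still executes
    }
}

// abm_p.php (usage, before any output or include):
// require_once 'auth.php';
// iniciar_sesion_segura();
// requerir_rol('admin', 'https://web.com/login.php'); // placeholder login URL
// include_once("libreria/persona.php");
// ... rest of the page ...
```

Because the role check happens before `menu_bs.php` or any output is included, a visitor who pastes the admin URL without a logged-in admin session is redirected and the delete/update code never runs.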