security fixes

Author: kabushi

connect.php

@@ -18,7 +18,8 @@
     }
 
     // Connect to session
-    session_start(); 
+    session_start();
+    session_regenerate_id(true);
 
     // Check Login
     function logged_in() {

guestbook.php

@@ -1,5 +1,7 @@
 <?php
-
+echo '<pre>';
+var_dump($_SESSION);
+echo '</pre>';
 print('<div class="container">');
 print('<div class="row">
             <div class="col-lg-12 text-center">
@@ -13,13 +15,15 @@
 
 if(isset($_POST['entry']) && $_POST['entry'] != "") {
     $id = $_SESSION['userid'];
-    $entry = $_POST['entry'];
+    $entry =  filter_input(INPUT_POST, 'entry', FILTER_SANITIZE_SPECIAL_CHARS); //$_POST['entry'];
     $query = "select * from `users` where `id` = '$id' LIMIT 1";
     $result = $db->query($query);
     if ($row = $result->fetch_assoc()) {
         $username = $row['username'];
     }
-    $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES ('$username', '$entry');";
+
+
+    $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES ('" . $db->real_escape_string($username) . "', '" . $db->real_escape_string($entry) . "');";
     $result = $db->query($query);
     $db->commit();
     print('<div class="row">

index.php

@@ -1,8 +1,10 @@
 <?php
 
-echo("<html><head>");
 
 include "connect.php";
+
+
+echo("<html><head>");
 include "head.php";
 
 echo("</head><body>");
@@ -25,10 +27,10 @@
             <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
                 <ul class="nav navbar-nav">
                     <li>
-                        <a href="?site=guestbook.php">Guestbook</a>
+                        <a href="?site=guestbook">Guestbook</a>
                     </li>
                     <li>
-                        <a href="?site=login.php">Private</a>
+                        <a href="?site=login">Private</a>
                     </li>
                 </ul>
             </div>
@@ -37,8 +39,14 @@
         <!-- /.container -->
     </nav>');
 
-if (isset($_GET['site']) && $_GET['site'] != "") {
-    include $_GET['site'];
+$allowed_pages = [
+    'guestbook',
+    'login',
+    'logout'
+];
+
+if (isset($_GET['site']) && $_GET['site'] != "" && in_array( $_GET['site'], $allowed_pages) ) {
+        require $_GET['site'] . '.php';
 } else {
     $description = nl2br(file_get_contents("README.md"));
     echo('    <!-- Page Content -->

login.php

@@ -2,7 +2,8 @@
 
 function login($username, $password) {
     global $db;
-    $query = "select `id` from `users` where `username` = '$username' AND `password` = '$password'";
+    $query = "select `id` from `users` where `username` = '" . $db->real_escape_string($username) . "' AND `password` = '" . $db->real_escape_string($password) . "';";
+
     $result = $db->query($query);
     if ($result->num_rows > 0 && $row = $result->fetch_assoc()) {
         $_SESSION['logged_in'] = true;
@@ -32,7 +33,7 @@ function login($username, $password) {
                 <h1>Private Area</h1>
                 Hey ' . $username . '. Nice to have you here!
             <p>
-                <a class="btn btn-danger" href="?site=logout.php">Logout</a>
+                <a class="btn btn-danger" href="?site=logout">Logout</a>
             </p>
             </div>
         </div>

setup/setup.sh

@@ -2,5 +2,5 @@
 
 echo "Setting up database"
 mysql --user=che --password=che < create_db.sql
-
+rm create_db.sql
 echo "Finished..."