paulonline2501 Posted July 17, 2013 (edited)

Hi, so my problem is: I have a web page that produces a list [ul]. The list is the list of FTP sites that belong to a specific user in the database. Example:

    select * from user_ftps where user_id = 'x'

Great! That works fine. In this case I get three sites back belonging to the user. Perfect. I also put a hyperlink with a 'get' in the output so the user can click edit and edit the site they want, like so:

    if (mysql_num_rows($result) > 0) {
        while (list($db_id, $db_user_id, $db_name) = mysql_fetch_row($result)) {
            // the attribute quotes must be escaped inside the double-quoted string
            echo "<li>$db_name [<a href=\"ftps/edit?id=$db_id\">edit</a>]</li>";
        }
    }

The problem is, using this method the user can alter the id in the URL to the number of another user and see all their FTP sites. "Use POST with a hidden value," I hear you say. But if I do that I'll need to create a button for each 'edit' link, I think. Not really a problem, I suppose. But I want to know if there is a better way I can do this, or if I'm just approaching this in the wrong way and should be using a different method.

Regards, Paul

Edited July 17, 2013 by as_bold_as_love
justsomeguy Posted July 17, 2013

The three ways to pass data are through post, get, and cookies. If you don't want to show the ID then you can encrypt it and then decrypt it to figure out what they clicked on.
paulonline2501 Posted July 18, 2013 Author

OK, thanks. I guess then what I will do is, for each result that is returned from the database, put a form in the <li> with a hidden field and just a submit button. ...Actually that won't be good either because the id will be visible in the HTML... ...I know what I'll do. I'll use 'get' [this will mean I don't have to use a lot of buttons/forms] and I'll pass a token comprising user_id, ftp_id, and a randomly generated string [possibly encrypted]. Then other users won't be able to tamper with the URL. Does that sound OK? Can you think of any improvements?
thescientist Posted July 18, 2013

Why not SESSION? This way you can use POST, and check to make sure the user is also logged in.
paulonline2501 Posted July 18, 2013 Author

Hi thescientist, I'm not sure what you mean? I do have various SESSION variables that I set when the user logs in etc., one of which is the SESSION[id] which I use in the SQL to work out which of the user_ftps are associated with the user:

    select * from user_ftps where id = session[id]

But how does this help me in terms of creating a link to the edit page with the id of the FTP I want to edit?
justsomeguy Posted July 18, 2013

Just out of curiosity, why is it bad if they change the ID in the URL?
paulonline2501 Posted July 18, 2013 Author

The problem is that it is the id of an FTP. There are numerous users, all with their own FTPs. Therefore it would be easy for a user to change the URL to the id of an FTP that doesn't belong to them and see the details. This must be a very common issue. You have items in your database. You have a page that shows the details of this item using a parameter such as id to indicate the specific item. And there is the need to restrict viewing access based on the user having ownership of the item.
paulonline2501 Posted July 18, 2013 Author (edited)

Actually, thescientist, I see what you mean now. I can simply say something like

    Select * from user_ftps where id = $_get[id] and user_id = SESSION[user_id]

So simple when you think about it. Thanks a lot, both of you.

Edited July 18, 2013 by as_bold_as_love
justsomeguy Posted July 18, 2013

> Therefore it would be easy for a user to change the URL to the id of an FTP that doesn't belong to them and see the details.

You're trying to solve that problem the wrong way. Security has 2 major issues: authentication and authorization, and you need both. Right now you have authentication, but you don't have authorization. Authentication means logging in; that's when a user enters their username and password and they authenticate themselves with your site, so now your site knows who they are. Authorization is making sure that a given authenticated user is only allowed to do the things that the user has permission for. Your page that displays the FTP site or whatever needs to get the FTP ID, get the user ID, and authorize that user to access that FTP. Then it doesn't matter what ID they put in; if they don't have permission then they get an error message. This happens more often than you would think, where people implement authentication only and think that's enough. There was a story a year or so ago where that issue was found on a major bank site. Someone logged in and noticed that the URL had their credit card number in it, so they changed the number and, sure enough, it pulled up the details for that account without bothering to check if the user had permission. The fix is not to hide or encrypt the ID; the fix is to add authorization checking.
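An added illustration of the authorization check justsomeguy describes, using the query paul posted above (example code, not from the thread; written in Python with sqlite3 rather than the thread's PHP/mysql, over constructed sample rows): the vulnerable lookup keys on the URL id alone, while the fixed one also requires the row's user_id to match the logged-in session.

```python
import sqlite3

# Constructed sample data (not from the thread): two users, each owning FTP sites.
# Columns mirror the thread's table: id, user_id, name.
USER_FTPS = [
    (1, 100, "alice-site-a"),
    (2, 100, "alice-site-b"),
    (3, 200, "bob-site"),
]


def make_db():
    """Build an in-memory user_ftps table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_ftps (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO user_ftps VALUES (?, ?, ?)", USER_FTPS)
    return conn


def edit_page_vulnerable(conn, requested_id, session_user_id):
    """ftps/edit?id=... as first written: authentication only.

    The session proves who the caller is, but the query never uses it,
    so any logged-in user can read any row by changing the id in the URL.
    """
    return conn.execute(
        "SELECT id, user_id, name FROM user_ftps WHERE id = ?",
        (requested_id,),
    ).fetchone()


def edit_page_authorized(conn, requested_id, session_user_id):
    """Same lookup with the authorization check from the thread's fix.

    The row must belong to the session's user; a foreign or missing id gets
    the same None answer, so the caller cannot tell which ids exist.
    Parameters are bound rather than interpolated into the SQL string.
    """
    return conn.execute(
        "SELECT id, user_id, name FROM user_ftps WHERE id = ? AND user_id = ?",
        (requested_id, session_user_id),
    ).fetchone()
```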
paulonline2501 Posted July 18, 2013 Author

Yeah, thanks justsomeguy. As you said, I already have a login. This sets SESSION variables to logged in and sets the user id. I didn't really mention it before because it's so obvious to me. I think with this and the SQL check that I posted previously I'll be able to check as you have just suggested. I think I'll go a step further and instead of using the id I'll set up a token comprising id, ftp_id and a random string and use that in the 'get'. That would add a level of complexity that would mean guessing the URL would be time consuming and a SESSION hack would have to be done.
justsomeguy Posted July 18, 2013

I don't even worry about trying to hide the ID; I just always check if the given user has permission to access the given item. A permission system for most applications is as necessary as a login system. Security requires both authentication and authorization; those aren't optional.