I am seeking the strongest security measure for people changing the IDs in the URL for comments, blogs, inbox etc...

Any suggestions?

+7  A: 

Check the session permissions to see if they are allowed to perform the action?

If they're allowed to do it, then carry out the action. If not, then give them a 403.

Anon.
+1 for the right answer. You can't put any information in your URL that isn't completely visible to the end user... The best you can do is try to obscure it. If your security depends on other people not seeing through the obscurity, you've already failed. Authenticate the user, store that information, and use it to verify permissions.
Satanicpuppy
+2  A: 

I'd imagine that digitally signing the GET requests and appending that to the URL would work.

Sign it with a private key known only to your application, and then hash the GET variables and provide a signature in a &sig=blahblahblah.

That would probably work, but I don't really understand the need for protecting the GET variables. If designed properly, it really shouldn't matter what the GET variables are. A properly designed app shouldn't allow user GET variables to do anything damaging.

Crowe T. Robot
+3  A: 

If it's just an ID (numeric, I guess), all you have to do is validate it as an integer:

$id = (int) $_GET['id'];

Then you can query your database. You will get empty return sets when the ID does not exist and when it is invalid (because $id will be 0 in that case).

Franz
(int) casts the value to an integer; it doesn't validate it. If someone enters "23a312" you get 23.
preinheimer
Sorry, that's what I meant. Bad wording, I guess.
Franz
Although that can still be taken as intended in my eyes.
Franz
+1  A: 

Maybe you'll find the phpsec.org guide to PHP security, chapter 2, form processing, interesting.

The MYYN
+2  A: 

First of all, do not rely on $_GET for critical information. Always double-check whether the user has permission to view that comment id, blog id, whatever. As for ID filtering, a simple intval() will help (but don't forget to handle 0's also).

Deniss Kozlovs
+4  A: 

Validating the data you get is a great idea; if you're expecting digits, make sure you get digits.

if(isset($_GET['id']) && ctype_digit($_GET['id']))
{
  $id = $_GET['id'];
}else
{
  $id = 0;
}

If your concern is people changing URLs to see things, like requesting image 44 when you only wanted to show them image 42, you've got a few options:

  • Include various checks on the page to ensure the user has the appropriate permission to use the item.
  • Hash the item in the url to make items immutable.
  • Don't use sequential numbers, use random numbers or hashes.
preinheimer
Ralph The Mouf
Adding the ctype_digit() check will ensure that the user has only entered digits. The user can still change what is in the URL (for example, changing a 44 to a 45). This check will not catch that kind of modification.
preinheimer
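
An added example, not code from any of the answers, that combines their suggestions: strict digit validation, a session-based ownership check that returns 403, and an HMAC `sig` parameter on the URL. The `COMMENTS` array, `URL_KEY` and the function names are hypothetical stand-ins for a real database table, a configured secret and the application's own code; it assumes PHP 8.

```php
<?php
// Constructed sample data: comment id => owner's user id (stands in for a DB table).
const COMMENTS = [42 => 7, 44 => 9];
// Hypothetical server-side secret; a real app loads this from configuration.
const URL_KEY = 'constructed-demo-key';

// Accept only a canonical positive decimal id: "23a312", "042", "0", "-1" and arrays fail.
function parseId(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return ($id > 0 && (string) $id === $raw) ? $id : null;
}

// HMAC over the id, bound to the user the link was issued to.
function signId(int $id, int $userId): string
{
    return hash_hmac('sha256', $userId . ':' . $id, URL_KEY);
}

// Decide the HTTP status for a request. $sessionUserId comes from the
// authenticated session, never from the URL; the ownership check is the real control.
function authorizeComment(array $query, int $sessionUserId): int
{
    $id = parseId($query['id'] ?? null);
    $sig = $query['sig'] ?? '';
    if ($id === null || !is_string($sig)) {
        return 400;                       // malformed input
    }
    if (!hash_equals(signId($id, $sessionUserId), $sig)) {
        return 403;                       // id or sig was edited in the URL
    }
    $owner = COMMENTS[$id] ?? null;       // null: no such comment
    if ($owner === null) {
        return 404;
    }
    return $owner === $sessionUserId ? 200 : 403;
}

// Constructed requests, all made from the session of user 7.
foreach ([
    ['id' => '42', 'sig' => signId(42, 7)],  // own comment, untouched link
    ['id' => '44', 'sig' => signId(42, 7)],  // id changed, old signature
    ['id' => '44', 'sig' => signId(44, 7)],  // signature valid, still not the owner
    ['id' => '23a312', 'sig' => ''],         // not an integer
] as $q) {
    echo $q['id'], ' => ', authorizeComment($q, 7), PHP_EOL;
}
```

The signature only detects an edited link; the comparison of the stored owner against the session user is what actually denies access, so it stays in place even when signing is used.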