
List:       php-general
Subject:    [PHP] Re: Basic Web Functionality - Security Question
From:       80.177.120.119
Date:       2014-08-13 7:58:11
Message-ID: 50.A1.00877.E6A1BE35 () pb1 ! pair ! com

"dealTek"  wrote in message
news:85277E2B-52F7-4ACA-903E-45D8CA44DC36@gmail.com...
>
>Hi all,
>
>Assuming the following:
>
>
>- in your database you are using serial numeric IDs
>- with php you do a search query to get a number of items - then you
>display the results in a loop on a web page list view.
>- then on each row you have an edit button for that item. Here, the link is
>something like: editpage.php?id=<?php echo $record->getField('item_id'); ?>
>- now when you click to the edit page - it will do another query to get all
>the item details and display an edit form - etc.
>
>
>Problem: In this case - anyone can simply change the url id=xxx to any
>other number and it will make the page search for another item record.
>
>
>Q: HOW can we lock this down so as to prevent the above scenario and it is
>a more secure system?
>
>BTW: One method that we can use is to have a second field such as a random
>number field in the table data - then search for both - which people will
>have a hard time guessing like this link: editpage.php?id=<?php echo
>$record->getField('item_id'); ?>&random=<?php echo
>$record->getField('randomnum'); ?>
>
>ANY BETTER SUGGESTIONS to lock things down?
>
>
>--
>Thanks,
>Dave - DealTek
>dealtek@gmail.com
>[db-14]

My solution is not simple, but it's bulletproof.

(1) In the list/browse screen I store an array of primary keys which is
indexed by the row number in the current screen.
(2) This array is stored in the session data.
(3) The hyperlink contains the index number to the array, not the primary
key.
(4) When the hyperlink is used, the script which is run accesses the array to
convert the index number to a primary key.

This means that I *NEVER* expose any primary key values in any URLs.

-- 
Tony Marston

www dot tonymarston.net 
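The four steps above as an added PHP example (not code from this thread or from Tony's framework); $rows, $pdo, list.php and editpage.php are assumed names. Because the edit script can only resolve row numbers that the list screen stored in this session, a tampered ?row= value cannot reach a record the list query never returned.

```php
<?php
// Added example, not code from the thread: a session-backed row-to-key map
// following the four steps above. $rows, $pdo, list.php and editpage.php
// are assumed names. Both halves run under the same session.

// ---- list.php: steps 1-3 ----------------------------------------------
function renderList(array $rows): string
{
    $rows = array_values($rows);               // row numbers 0..n-1
    // Steps 1 and 2: keep the primary keys of this screen in the session,
    // indexed by row number. Overwriting drops keys from an older screen.
    $_SESSION['browse_keys'] = array_column($rows, 'item_id');

    $html = '';
    foreach ($rows as $i => $r) {
        // Step 3: the hyperlink carries the row number, never the key.
        $label = htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8');
        $html .= sprintf("<a href=\"editpage.php?row=%d\">Edit %s</a>\n", $i, $label);
    }
    return $html;
}

// ---- editpage.php: step 4 ---------------------------------------------
function resolveRowToKey(array $session, $rowParam): ?int
{
    // Only a whole number that indexes the stored array is accepted, so a
    // tampered ?row= value cannot reach a record the list never showed.
    if (!is_string($rowParam) || !ctype_digit($rowParam)) {
        return null;                           // missing, array, or junk
    }
    $keys = $session['browse_keys'] ?? [];
    $i    = (int) $rowParam;
    return array_key_exists($i, $keys) ? (int) $keys[$i] : null;
}

function loadItem(PDO $pdo, array $session, $rowParam): ?array
{
    $pk = resolveRowToKey($session, $rowParam);
    if ($pk === null) {
        http_response_code(400);
        return null;
    }
    // The key is used server-side only; it never appears in a URL.
    $stmt = $pdo->prepare('SELECT * FROM items WHERE item_id = ?');
    $stmt->execute([$pk]);
    $item = $stmt->fetch(PDO::FETCH_ASSOC);
    return $item === false ? null : $item;
}

// Usage (list page):  session_start(); echo renderList($rows);
// Usage (edit page):  session_start();
//                     $item = loadItem($pdo, $_SESSION, $_GET['row'] ?? null);
```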


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
