This is a discussion on "newbie: How to avoid URL hacks??" within the alt.comp.lang.php forums, part of the PHP Programming Forums category.

Hey

I'm developing a web site using PHP 5.2.0. Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.

To avoid this I always make these checks on every web page:

if (!empty($_GET["id"])) {
    if (is_numeric($_GET["id"])) {
        // Here again I make another check based on the id and the user's id...,
        // if the resultset has a row, then this diary is registered on this user...

That's a lot of code, I feel the code gets clumsy by all these if tests etc, but they are needed...

But isn't there a better way of doing this?

I've read about storing the id in the session, because the user cannot modify what's in the session object... I've spent days (my free time) thinking of how to implement that. On the left side of the web page, there is a list of diaries the user has created; clicking on one of them opens that specific diary. But I don't know how to accomplish this by using session. Because when the user clicks on the link, then the id must be stored on the session object... and then again open the correct diary... (maybe this could be done if the url was just a link to a function which put the id into the session object and then opens the correct diary, I don't know how to call a function from a link).... I cannot have the id in the link (GET) and in the first few lines of php code in the web page put the id into the session object... that is as bad as my original suggestion -> the user can modify the url...

Any suggestions?

Jeff

In article <LcWdnYHH0PY3hSDYRVnzvA@telenor.com>, Jeff <it_consultant1@hotmail.com.NOSPAM> wrote:

> Hey
>
> I'm developing a web site using PHP 5.2.0
>
> Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
>
> To avoid this I always make these checks on every web page
> if (!empty($_GET["id"])) {
>     if (is_numeric($_GET["id"])) {
>         // Here again I make another check based on the id and the user's id...,
>         // if the resultset has a row, then this diary is registered on this user...
>
> That's a lot of code, I feel the code gets clumsy by all these if tests etc, but they are needed...
>
> But isn't there a better way of doing this?
>
> I've read about storing the id in the session, because the user cannot modify what's in the session object... I've spent days (my free time) thinking of how to implement that. On the left side of the web page, there is a list of diaries the user has created; clicking on one of them opens that specific diary. But I don't know how to accomplish this by using session. Because when the user clicks on the link, then the id must be stored on the session object... and then again open the correct diary... (maybe this could be done if the url was just a link to a function which put the id into the session object and then opens the correct diary, I don't know how to call a function from a link).... I cannot have the id in the link (GET) and in the first few lines of php code in the web page put the id into the session object... that is as bad as my original suggestion -> the user can modify the url...
>
> Any suggestions?
>
> Jeff

If you are storing the user id in a session, then you don't have to pass it ($id) in the URL at all because the user id value will persist in the session superglobal.

<?php
// page one

session_start();

// Assume user logs in. You got through whatever routines necessary
// to get the ID and assign this value to a session variable ..

$_SESSION['uid'] = $theUsersID;
?>

<?php
// page two

session_start();

echo $_SESSION['uid'];
?>

--
Koncept <<
"The snake that cannot shed its skin perishes. So do the spirits who are prevented from changing their opinions; they cease to be a spirit." -Nietzsche

"Koncept" <user@unknown.invalid> wrote in message news:280120071825523884%user@unknown.invalid...

> In article <LcWdnYHH0PY3hSDYRVnzvA@telenor.com>, Jeff <it_consultant1@hotmail.com.NOSPAM> wrote:
>
>> Hey
>>
>> I'm developing a web site using PHP 5.2.0
>>
>> Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
>>
>> To avoid this I always make these checks on every web page
>> if (!empty($_GET["id"])) {
>>     if (is_numeric($_GET["id"])) {
>>         // Here again I make another check based on the id and the user's id...,
>>         // if the resultset has a row, then this diary is registered on this user...
>>
>> That's a lot of code, I feel the code gets clumsy by all these if tests etc, but they are needed...
>>
>> But isn't there a better way of doing this?
>>
>> I've read about storing the id in the session, because the user cannot modify what's in the session object... I've spent days (my free time) thinking of how to implement that. On the left side of the web page, there is a list of diaries the user has created; clicking on one of them opens that specific diary. But I don't know how to accomplish this by using session. Because when the user clicks on the link, then the id must be stored on the session object... and then again open the correct diary... (maybe this could be done if the url was just a link to a function which put the id into the session object and then opens the correct diary, I don't know how to call a function from a link).... I cannot have the id in the link (GET) and in the first few lines of php code in the web page put the id into the session object... that is as bad as my original suggestion -> the user can modify the url...
>>
>> Any suggestions?
>>
>> Jeff
>
> If you are storing the user id in a session, then you don't have to pass it ($id) in the URL at all because the user id value will persist in the session superglobal.
>
> <?php
> // page one
>
> session_start();
>
> // Assume user logs in. You got through whatever routines necessary
> // to get the ID and assign this value to a session variable ..
>
> $_SESSION['uid'] = $theUsersID;
> ?>
>
> <?php
> // page two
>
> session_start();
>
> echo $_SESSION['uid'];
> ?>
>
> --
> Koncept <<
> "The snake that cannot shed its skin perishes. So do the spirits who are prevented from changing their opinions; they cease to be a spirit." -Nietzsche

Thanks, but I'm already storing the user id in the session object. It's the diary id which is causing the problem. I have the diary id in the URL. Any suggestions?

Jeff

Jeff <it_consultant1@hotmail.com.NOSPAM> wrote:

>>> Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
>>>
>>> To avoid this I always make these checks on every web page
>>> if (!empty($_GET["id"])) {
>>>     if (is_numeric($_GET["id"])) {
>>>         // Here again I make another check based on the id and the user's id...,
>>>         // if the resultset has a row, then this diary is registered on this user...
>>>
>>> That's a lot of code, I feel the code gets clumsy by all these if tests etc, but they are needed...
>>>
>>> But isn't there a better way of doing this?
>>
>> If you are storing the user id in a session, then you don't have to pass it ($id) in the URL at all because the user id value will persist in the session superglobal.
>
> Thanks, but I'm already storing the user id in the session object. It's the diary id which is causing the problem. I have the diary id in the URL.

Well, like you said, you'll have to check whether that user(-id) is allowed to see/alter that diary(-id). That shouldn't be a lot of code though.
--
Rik Wasmus

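Rik's point, that the ownership check is small when it is written once, as an added example that is not from the thread or any of its posters. It assumes a diaries table with id, user_id and title columns, PHP 7.1 or later (not the thread's PHP 5.2.0), and that login already stored the user id in $_SESSION['uid'] as Koncept described.

```php
<?php
// Added example, not from the thread. Assumes a table diaries(id, user_id, title)
// and PHP 7.1+; $currentUser below stands in for $_SESSION['uid'] set at login.

// Turn ?id=... into a positive integer, or null when it is missing or malformed.
function diaryIdFromRequest(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The ownership test is part of the query: a diary id that exists but belongs
// to someone else yields no row, exactly like an id that does not exist, so the
// response does not reveal which of the two it was. Bound parameters keep the
// id out of the SQL text.
function loadOwnDiary(PDO $db, int $userId, int $diaryId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_id, title FROM diaries WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $diaryId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE diaries (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)');
$db->exec("INSERT INTO diaries VALUES (1, 7, 'my first diary'), (2, 9, 'another user''s diary')");

$currentUser = 7; // would be $_SESSION['uid'] on a real page

// Simulated query strings: own diary, someone else's, garbage, and no id at all.
foreach ([['id' => '1'], ['id' => '2'], ['id' => 'abc'], []] as $get) {
    $diaryId = diaryIdFromRequest($get);
    $diary = $diaryId === null ? null : loadOwnDiary($db, $currentUser, $diaryId);
    printf("id=%-6s -> %s\n", var_export($get['id'] ?? null, true),
           $diary === null ? 'not found (send 404)' : $diary['title']);
}
```

Run the same loadOwnDiary check on the edit and delete paths, not only on display, since the URL can be changed just as easily for those requests.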
"Jeff" <it_consultant1@hotmail.com.NOSPAM> wrote in message news:LcWdnYHH0PY3hSDYRVnzvA@telenor.com...

> Hey
>
> I'm developing a web site using PHP 5.2.0
>
> Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
>
> To avoid this I always make these checks on every web page
> if (!empty($_GET["id"])) {
>     if (is_numeric($_GET["id"])) {
>         // Here again I make another check based on the id and the user's id...,
>         // if the resultset has a row, then this diary is registered on this user...
>

Have you tried using POST instead of GET? That way you don't put the passed variables in the URL.
--
-Don
Ever had one of those days where you just felt like: http://cosmoslair.com/BadDay.html ?
(Eating the elephant outside the box, one paradigm at a time)

Don Freeman <freemand@sonic.net> wrote:

>> Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
>
> Have you tried using POST instead of GET? That way you don't put the passed variables in the URL.

That would only give a false sense of security, it's just as unsafe.
--
Rik Wasmus

On Jan 29, 10:39 am, Rik <luiheidsgoe...@hotmail.com> wrote:

> Don Freeman <freem...@sonic.net> wrote:
>
> >> Users of this web site can register and create their own profile. Each user can also register their diary entries. Here is the problem: index.php?mode=diary&id=1, a user can hack this URL to get access to another user's diary -> then the user could modify the diary of another user, which is something I want to avoid.
> >
> > Have you tried using POST instead of GET? That way you don't put the passed variables in the URL.
>
> That would only give a false sense of security, it's just as unsafe.
> --
> Rik Wasmus

The truth is - there is no way to 100% defeat this. Being a web application, there are tons of tools that allow people to modify the POST parameters, especially if they have a couple ounces of grey matter and hit Google. The tools exist for IE and FFOX, and most versions of Linux have browsers that let you monitor and edit parameters in their respective browsers as well.

The solution to the above issue is a) use a session if you are going to be passing around important information that you don't want changed directly by the user (still able to be modified, but it is kept on the server so there is less chance), and b) POST if you are submitting a form that has sensitive information. Sessions will also make the choice to use POST or GET to pass the session ID, so you don't have to worry about that either.

Bob