
URL security: How to stop simple email change

Posted: Fri Sep 17, 2010 1:17 pm
by diseman
Hi all,

Learning PHP and realized that my learning site has a problem.

Up at the top, I have a URL that reads:

http://localhost/mysite/templates/contr ... im@aol.com

At that URL, I have data that shows for Jim.

However, if I were to go into the URL at the top and simply change the e-mail address to:

http://localhost/mysite/templates/contr ... om@aol.com

I get all the data for Tom without having to login as Tom!

That ain't right...

So, how do I prevent that from happening?

Thanks....

Re: URL security: How to stop simple email change

Posted: Fri Sep 17, 2010 1:37 pm
by yacahuma
Are you logged in to the site? If you aren't, there is no way.

Re: URL security: How to stop simple email change

Posted: Fri Sep 17, 2010 3:16 pm
by diseman
Yes, logged in to site.

Re: URL security: How to stop simple email change

Posted: Fri Sep 17, 2010 3:31 pm
by yacahuma
If you log into the site with the email, you can save the email in your session. When you list your items, you most likely select by email. Well, don't use the email from the $_GET parameters; use the one from the session you saved during login.

Re: URL security: How to stop simple email change

Posted: Fri Sep 17, 2010 9:09 pm
by diseman
Yes, that makes sense, but the problem is... in this particular scenario, I'm logged in as an affiliate user and using $_GET to pull the correct record. When I login as USER (not affiliate) I am using $_SESSION that I signed in with, so that part is good as you suggested. It's only when I'm logged in as Affiliate that I pass the e-mail address on, so I get the right record.

Does that make sense?

Re: URL security: How to stop simple email change

Posted: Sat Sep 18, 2010 1:50 pm
by diseman
Anyone ?

Bump...

Re: URL security: How to stop simple email change

Posted: Sun Sep 19, 2010 1:40 am
by internet-solution
you can use $_POST

Re: URL security: How to stop simple email change

Posted: Sun Sep 19, 2010 7:40 pm
by diseman
Thanks Internet-Solution..

It wasn't the answer, but yours and Yacahuma's post got me thinking in a whole new direction. What came to mind after getting away for a little bit was to include a hidden input where I passed the e-mail address. I then, based on a button click, assigned a new/different session. Then, on the user's page, I simply checked for the $_SESSION in which I assigned an e-mail address. All of this and now there's no e-mail address in the URL window; just a path to the file. Had to switch everything for admin and affiliate users, but I just figured it out and made the changes.

Thanks Guys!

Re: URL security: How to stop simple email change

Posted: Sun Sep 19, 2010 11:35 pm
by almedajohnson
diseman wrote:Thanks Internet-Solution..

It wasn't the answer, but yours and Yacahuma's post got me thinking in a whole new direction. What came to mind after getting away for a little bit was to include a hidden input where I passed the e-mail address. I then, based on a button click, assigned a new/different session. Then, on the user's page, I simply checked for the $_SESSION in which I assigned an e-mail address. All of this and now there's no e-mail address in the URL window; just a path to the file. Had to switch everything for admin and affiliate users, but I just figured it out and made the changes.

Thanks Guys!
Hey, that sounds really interesting. I would like to implement it in my site. Can you share the code you worked on for this? It would be really helpful.

Re: URL security: How to stop simple email change

Posted: Mon Sep 20, 2010 8:14 am
by diseman
Sure, but let me set the stage for you and others, so you get what was going on.

In my site, there are three users: user, affiliate, site owner. When logging in as an affiliate, I was having the page query all the records that belonged to that affiliate, row-by-row. I then coded a graphic button on each record with the record's (user's) email address, which I would click to go to that record. The problem was that it was showing something like:

templates/control_panel.php?email=something@somewhere.com

Then, if I went to the top of the browser into the URL box and changed the email to a different address, it would show me the data for that record. In fact, I was basically in that record and all the pages for that record were now being presented to me.

The Fix -> Create another, new $_SESSION for both the Affiliate and Admin. That means in addition to any other SESSION you may have for that user type when they logged in.

Ok, so here's the code where I added a button to my row-by-row query:


echo "<center><form method=\"post\" action=\"control_panel.php\"><input type=\"image\" src=\"../images/packet.jpg\" width=\"75\" height=\"18\" border=\"0\"/><input type=\"hidden\" name=\"aff_to_user\" value=\"".$row['username']."\"/></form></center>";

This allowed me to take the user's email address out of the URL. The key here is the name=\"aff_to_user\" and the value=\"".$row['username']."\". The VALUE, in this case, was the user's e-mail address, which I'm pulling in the next page. The NAME can be anything you want as long as it matches on the next page.

This is the code I put in with the html (be sure to expand, so you can see it all):


<?php session_start();

if (!empty($_POST['aff_to_user'])) // Affiliate-to-User (Affiliate's Control Panel to User's Control Panel without e-mail address)
	{
	$get_user_email = $_POST['aff_to_user'];
	$_SESSION['aff_to_user'] = $get_user_email ;  // Create new session for affiliate
	}

$requestor = '' ;

if (!empty($_SESSION['admin_to_user']))
	{
	$requestor = $_SESSION['admin_to_user'];
	}
elseif (!empty($_SESSION['myusername']))
	{
	$requestor = $_SESSION['myusername'];
	}
elseif (!empty($_SESSION['aff_to_user']))
	{
	$requestor = $_SESSION['aff_to_user'];
	}
if ($requestor) {

// ...then something here if needed. I had some include files here...

?>

Then my HTML was here

</body>
</html>

<?php } else { echo "You must login to view this page." ; } // Close the IF statement above ?>

Not sure why the first bit of code above had to be in the page with the HTML. I have a .php page I use with this page, but putting the first snippet of code there didn't work even though I used the include function on the HTML side. If you figure that one out, please let me know. That's what I'm going to look at this morning. I'm trying to keep php/html separated as much as possible, but I just couldn't get it to work when the code was in the other page even though being called by INCLUDE.

Also, that $requestor stuff came about because in my php learning I got stuck with my site not knowing who was who (user, affiliate, or admin). So if you look in my list of posts, you'll see someone giving me a fix that used something similar. Meaning, you might do it differently with regard to that section of code.

Ok, hope this helps. Just remember, I'm an 8 week php programmer, so this hack could be on-track or completely wrong. :) It does work though and it did remove the e-mail from the equation and still allow me to retrieve the user's data, which means now someone can't just change users from the URL window.

Let me know if it works for you.

Thanks..
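The hidden form field in the post above is still part of the request the browser sends, so a visitor can change it just as easily as the query string; moving the address out of the URL hides it but does not enforce anything. What actually stops one user from opening another user's record is a server-side check that the logged-in identity (taken from the session written at login, as yacahuma suggested) is allowed to see the requested record. The following is an added example, not diseman's code or anything from the thread; the $_SESSION['role'] key, the $users array and the canViewRecord() function are assumptions standing in for a real login flow and database, and the sample records are constructed.

```php
<?php
// Added example (not from the thread): authorize the "open this user's
// control panel" step on the server instead of trusting the request.
// $_SESSION['role'] and $_SESSION['myusername'] are assumed to be written
// by the login page; $users is constructed stand-in data for the database.
session_start();

// Constructed sample records: which affiliate owns which user.
$users = [
    'jim@aol.com' => ['owner_affiliate' => 'aff1@example.com', 'plan' => 'gold'],
    'tom@aol.com' => ['owner_affiliate' => 'aff2@example.com', 'plan' => 'silver'],
];

/**
 * Decide whether the logged-in principal may view $targetEmail.
 * Identity and role come from the session only, never from $_GET or $_POST.
 */
function canViewRecord(array $session, string $targetEmail, array $users): bool
{
    if (empty($session['myusername']) || empty($session['role'])) {
        return false;                       // not logged in
    }
    if (!isset($users[$targetEmail])) {
        return false;                       // no such record
    }
    switch ($session['role']) {
        case 'admin':                       // site owner sees every record
            return true;
        case 'user':                        // a user sees only their own record
            return $session['myusername'] === $targetEmail;
        case 'affiliate':                   // an affiliate sees only records it owns
            return $users[$targetEmail]['owner_affiliate'] === $session['myusername'];
        default:
            return false;
    }
}

// The target may still arrive in a hidden field or in the URL; that is fine,
// because nothing is shown until the check above has passed.
$target = $_POST['aff_to_user'] ?? $_GET['email'] ?? '';

if (!canViewRecord($_SESSION, $target, $users)) {
    http_response_code(403);
    exit('You are not allowed to view this record.');
}

// Remember the authorized choice so the following pages can reuse it
// without repeating the lookup.
$_SESSION['aff_to_user'] = $target;
echo 'Plan for ' . htmlspecialchars($target) . ': '
   . htmlspecialchars($users[$target]['plan']);

// With the constructed data, an affiliate session for aff1@example.com that
// submits tom@aol.com (owned by aff2) is refused:
//   canViewRecord(['myusername' => 'aff1@example.com', 'role' => 'affiliate'],
//                 'tom@aol.com', $users) === false
// while the same session asking for jim@aol.com is allowed.
```

The point of the design is that the request only names which record the caller wants; whether they may have it is decided from data the caller cannot edit (the session and the ownership table). That holds whether the address travels in the query string or in a hidden field, so either can be kept for convenience once the check is in place.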