php variables set thru address bar

Rob
Forum Commoner
Posts: 33
Joined: Fri Oct 03, 2003 3:18 pm

Post by Rob »

I was making a user system and then I realized, while coding a page to view a user's profile, that you can set any variables thru the browser. So I went to the edit profile page and made my url:
editpro.php?username="rob"

Username is usually set by a session variable but it has to be passed into other variables so it works with SQL. This is pretty insecure, it edited my profile while I was logged into my test account.

So does this mean if I have a variable like $SQL = MYSQL_QUERY(query); somebody could edit that and do anything they want with MySQL? Please respond and tell me what I can do to prevent these things from happening.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Variables passed in the query string (i.e. $_GET vars) are vulnerable to query string tampering as you have described.

Some security info:

http://www.securereality.com.au/archive ... carlet.txt
http://www.sklar.com/page/article/owasp-top-ten
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

If the username is set by a session variable then why not just use the session variable to pass on the values?

Code:

$somevar = (isset($_SESSION['username']) ? $_SESSION['username'] : "");
Rob
Forum Commoner
Posts: 33
Joined: Fri Oct 03, 2003 3:18 pm

Post by Rob »

you could still do
?somevar=something
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

True, you could still do that. But it would mean nothing as you didn't GET somevar and even if you did it would be overwritten by the assigning of the session variable (as long as this was after the GET). Unless I haven't woken up properly yet on this Sunday morning. :)
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Rob: This is why you should turn register_globals to off in the php.ini file. And this is why it's off by default now.

Even if it was on, it wouldn't make a difference anyways.

Concerning Paddy's example, he just gave $somevar a value. Even if you set ?somevar=something, it wouldn't matter, because he has assigned $somevar a new value.
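
The pattern discussed in this thread, as an added example that is not code from any of the posters: a simulated register_globals page that lets the query string choose the account, beside a version that takes the identity only from the session and binds it into the SQL as a parameter. The `profiles` table, the function names and the in-memory SQLite database (standing in for MySQL) are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Simulation of register_globals=On (an assumption of this example): request
// parameters become variables before the page's own code runs.
function acting_user_legacy(array $get, array $session): string
{
    extract($get);                       // ?username=rob defines $username
    if (!isset($username)) {             // session is only a fallback here,
        $username = $session['username'] ?? '';
    }
    return $username;                    // so the query string wins
}

// Hardened: identity comes from the server-side session and nowhere else.
function acting_user(array $session): ?string
{
    $u = $session['username'] ?? null;
    return (is_string($u) && $u !== '') ? $u : null;
}

// Hypothetical profile update; the value and the identity are bound as
// parameters, never concatenated into the SQL string.
function update_bio(PDO $db, array $session, string $bio): bool
{
    $user = acting_user($session);
    if ($user === null) {
        return false;                    // not logged in: change nothing
    }
    $stmt = $db->prepare('UPDATE profiles SET bio = :bio WHERE username = :u');
    $stmt->execute([':bio' => $bio, ':u' => $user]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (username TEXT PRIMARY KEY, bio TEXT)');
$db->exec("INSERT INTO profiles VALUES ('rob', 'original'), ('test', 'original')");

$session = ['username' => 'test'];       // logged in as the test account
$get     = ['username' => 'rob'];        // editpro.php?username=rob

echo 'legacy page acts as: ', acting_user_legacy($get, $session), PHP_EOL;
update_bio($db, $session, 'edited');     // $get is never consulted
foreach ($db->query('SELECT username, bio FROM profiles ORDER BY username') as $row) {
    echo $row['username'], ': ', $row['bio'], PHP_EOL;
}
```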