I was making a user system and then I realized while coding a page to view a users profile, you can set any variables thru the browser. So I went to the edit profile page and made my url:
editpro.php?username="rob"
Username is usually set by a session variable but it has to be passed into other variables so it works with SQL. This is pretty insecure, it edited my profile while I was logged into my test account.
So does this mean if I have a variable like $SQL = MYSQL_QUERY(query); somebody could edit that and do anything they want with mySQL? Please respond and tell me what I can do to provent these things from happening.
php variables set thru address bar
Moderator: General Moderators
Variables passed in the query string (ie $_GET vars) are vulnerable to query string tampering as you have described.
Some security info:
http://www.securereality.com.au/archive ... carlet.txt
http://www.sklar.com/page/article/owasp-top-ten
Some security info:
http://www.securereality.com.au/archive ... carlet.txt
http://www.sklar.com/page/article/owasp-top-ten
-
Paddy
- Forum Contributor
- Posts: 244
- Joined: Wed Jun 11, 2003 8:16 pm
- Location: Hobart, Tas, Aussie
- Contact:
If the username is set by a session variable then why not just use the session variable to pass on the values?
Code: Select all
$somevar = (isset($_SESSIONї'username'])?$_SESSIONї'username']:"");Rob: This is why you should turn register_globals to off in the php.ini file. And this is why it's off by default now.
Even if it was on, it wouldn't make a difference anyways.
Concerning paddy's example, he just gave $somevar a value. Even if you set ?somevar=something, it wouldn't matter, because he has assigned $somevar a new value.
Even if it was on, it wouldn't make a difference anyways.
Concerning paddy's example, he just gave $somevar a value. Even if you set ?somevar=something, it wouldn't matter, because he has assigned $somevar a new value.