php variables set thru address bar

Posted: Sat Oct 04, 2003 5:01 pm
by Rob
I was making a user system and then I realized while coding a page to view a user's profile, you can set any variables thru the browser. So I went to the edit profile page and made my url:
editpro.php?username="rob"

Username is usually set by a session variable but it has to be passed into other variables so it works with SQL. This is pretty insecure, it edited my profile while I was logged into my test account.

So does this mean if I have a variable like $SQL = MYSQL_QUERY(query); somebody could edit that and do anything they want with MySQL? Please respond and tell me what I can do to prevent these things from happening.

Posted: Sat Oct 04, 2003 7:01 pm
by McGruff
Variables passed in the query string (i.e. $_GET vars) are vulnerable to query string tampering as you have described.

Some security info:

http://www.securereality.com.au/archive ... carlet.txt
http://www.sklar.com/page/article/owasp-top-ten

Posted: Sat Oct 04, 2003 7:44 pm
by Paddy
If the username is set by a session variable then why not just use the session variable to pass on the values?

$somevar = (isset($_SESSION['username']) ? $_SESSION['username'] : "");

Posted: Sat Oct 04, 2003 7:48 pm
by Rob
you could still do
?somevar=something

Posted: Sat Oct 04, 2003 7:57 pm
by Paddy
True, you could still do that. But it would mean nothing as you didn't GET somevar and even if you did it would be overwritten by the assigning of the session variable (as long as this was after the GET). Unless I haven't woken up properly yet on this Sunday morning. :)

Posted: Sat Oct 04, 2003 11:45 pm
by jason
Rob: This is why you should turn register_globals to off in the php.ini file. And this is why it's off by default now.

Even if it was on, it wouldn't make a difference anyways.

Concerning Paddy's example, he just gave $somevar a value. Even if you set ?somevar=something, it wouldn't matter, because he has assigned $somevar a new value.
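
An added example, not part of any post in this thread: a constructed "before and after" of the profile edit discussed above, showing why the target account should come only from the session. The function names, the `users` table and the `bio` field are assumptions, and `extract()` stands in for `register_globals=On`, which was removed in PHP 5.4.

```php
<?php
// Added example with constructed data; function, table and field names are hypothetical.

function make_db(): PDO {
    // In-memory table standing in for the user table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, bio TEXT)");
    $db->exec("INSERT INTO users VALUES ('rob', 'old'), ('test', 'old')");
    return $db;
}

// "Before": extract() imitates register_globals=On, so every query-string
// key becomes a variable before the handler's own logic runs.
function edit_profile_unsafe(PDO $db, array $session, array $get): string {
    extract($get);                          // ?username=rob defines $username
    if (!isset($username)) {                // only falls back to the session
        $username = $session['username'] ?? '';
    }
    $stmt = $db->prepare("UPDATE users SET bio = ? WHERE username = ?");
    $stmt->execute([$bio ?? '', $username]);
    return $username;                       // the row that was edited
}

// "After": identity comes only from the session; the request supplies content.
function edit_profile_safe(PDO $db, array $session, array $get): string {
    if (!isset($session['username'])) {
        throw new RuntimeException('not logged in');
    }
    $username = $session['username'];       // any ?username= value is ignored
    $bio = is_string($get['bio'] ?? null) ? $get['bio'] : '';
    $stmt = $db->prepare("UPDATE users SET bio = ? WHERE username = ?");
    $stmt->execute([$bio, $username]);
    return $username;
}

// Constructed request: logged in as "test", asking for ?username=rob&bio=changed
$session = ['username' => 'test'];
$get = ['username' => 'rob', 'bio' => 'changed'];

foreach (['edit_profile_unsafe', 'edit_profile_safe'] as $handler) {
    $db = make_db();
    $edited = $handler($db, $session, $get);
    $rows = $db->query("SELECT username, bio FROM users ORDER BY username")
               ->fetchAll(PDO::FETCH_KEY_PAIR);
    echo "$handler edited '$edited': ", json_encode($rows), "\n";
}
```

Both handlers use a prepared statement, so the only difference between them is where the account name comes from.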