Security Issues and the GET header


LonelyProgrammer
Forum Contributor
Posts: 108
Joined: Sun Oct 12, 2003 7:10 am


Post by LonelyProgrammer »

Hi all,

I am currently involved in developing an e-learning site, where the users have to pay a certain amount of credit for accessing each lesson. One of the problems I am facing now is the security issue pertaining to using the GET header to transmit information between pages.

For example, let's say the query string to access a certain lesson looks like this:

http://www.elessons.php/elesson.php?pag ... lessonid=1

How do I prevent a cheating user from memorising the URL and typing it into the address bar directly?

1) Is there a way to encode the GET header before transmitting, or do I have to encode each URL by myself? (This is a solution, but I didn't foresee this problem, so it means I have to change thousands of links. Bad planning on my part.)

2) Is there a callback event which is called when a link is clicked? At least if there is, I could add an authentication flag to the user's session before the GET header is actually sent.

3) Is it possible to add something to the GET header directly, before or after the click on the URL is processed?

4) Or, is it possible to send a link via the POST method?

Any other solutions would be very much appreciated! Thanks!
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

1.) Sorry, not that I know of.

2.) Not sure what you mean.

3) Possibly, but then they'd be able to see it in their URL address bar anyway.

4.) Yes, you could do this, but it is still easily hackable, because you will have to define the URL in the HTML form.

The easiest way would just be to have every user have an account and use SESSIONS in order to keep track of where they can and can't go.

Sessions Tutorial
php.net/session_start
LonelyProgrammer
Forum Contributor
Posts: 108
Joined: Sun Oct 12, 2003 7:10 am

Post by LonelyProgrammer »

DuFF wrote:
1.) Sorry, not that I know of.
The easiest way would just be to have every user have an account and use SESSIONS in order to keep track of where they can and can't go.

Sessions Tutorial
php.net/session_start
Already using sessions for user authentication.

Anyway, for sending links via POST method, how does one do that?
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

Well if you are already using sessions then all you have to do on each page is to check if the user has a certain $_SESSION variable (such as $_SESSION['logged_in']). If they have the session variable, let them see the page, if not then deny access.

On using POST as links, you will have to use JavaScript to submit the form, but you would have something like this:

Code:

<form method="post" action="http://www.elessons.php/elesson.php" name="lesson">
<input type="hidden" name="pageid" value="lesson">
<input type="hidden" name="lessonid" value="1">
<a href="javascript:document.lesson.submit();">Lesson 1</a>
</form>
Then on elesson.php:

Code:

<?php
echo $_POST['pageid'];    // prints out:  lesson
echo $_POST['lessonid'];  // prints out:  1
?>
You can use the $_POST variables in the MySQL query call or whatever you need to do.
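An added example (not code from either poster) showing the point of the thread: whether the lesson id arrives via GET or POST makes no difference, because the decision is made server-side from the session. It assumes the login code stores the user id in $_SESSION['user_id'] and the paid-for lesson ids in $_SESSION['purchased_lessons'], and that a PDO connection is already open in $pdo; all three names are assumptions.

```php
<?php
// Added example: server-side access control for elesson.php.
// Assumed session keys: 'user_id' (int) and 'purchased_lessons' (array of ints).
session_start();

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// 1. Authentication: without a logged-in session, a memorised URL grants nothing.
if (empty($_SESSION['user_id'])) {
    deny(401, 'Please log in first.');
}

// 2. Read the lesson id from POST or GET. Hiding it in a POST body does not make it
//    secret, so it is treated as untrusted input either way and validated as an int.
$raw = $_POST['lessonid'] ?? $_GET['lessonid'] ?? '';
$lessonId = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($lessonId === false) {
    deny(400, 'Invalid lesson id.');
}

// 3. Authorization: has this user paid credit for this lesson? (assumed session key)
$purchased = $_SESSION['purchased_lessons'] ?? [];
if (!in_array($lessonId, $purchased, true)) {
    deny(403, 'You have not purchased this lesson.');
}

// 4. Only now load the lesson, binding the id instead of pasting it into the SQL
//    (assumes $pdo is an existing PDO connection).
$stmt = $pdo->prepare('SELECT title, body FROM lessons WHERE id = :id');
$stmt->execute([':id' => $lessonId]);
$lesson = $stmt->fetch(PDO::FETCH_ASSOC);
if ($lesson === false) {
    deny(404, 'No such lesson.');
}

// Escape on output so lesson content cannot inject markup into the page.
echo '<h1>' . htmlspecialchars($lesson['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . htmlspecialchars($lesson['body'], ENT_QUOTES, 'UTF-8') . '</div>';
```

The same check has to run on every lesson page, since a user who skips the link and types the URL only ever reaches the server-side code, not the link that was supposed to lead there.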