Security Issues and the GET header

Posted: Sat Dec 20, 2003 8:46 pm
by LonelyProgrammer
Hi all,

I am currently involved in developing an e-learning site, where the users have to pay a certain amount of credit for accessing each lesson. One of the problems I am facing now is the security issues pertaining to using the GET header to transmit information between pages.

For example, let's say the query string to access a certain lesson looks like this:

http://www.elessons.php/elesson.php?pag ... lessonid=1

How do I prevent a cheating user from memorising the URL and typing it into the address bar directly?

1) Is there a way to encode the GET header before transmitting, or do I have to encode each URL by myself? (This is a solution, but I didn't foresee this problem, so it means I have to change thousands of links. Bad planning on my part.)

2) Is there a callback event which is called when a link is clicked? At least if there is, I could add an authentication flag to the user's session before the GET header is actually sent.

3) Is it possible to add something to the GET header directly, before or after the click on the URL is processed?

4) Or, is it possible to send a link via the POST method?

Any other solutions would be very much appreciated! Thanks!

Posted: Sat Dec 20, 2003 9:07 pm
by DuFF
1.) Sorry, not that I know of.

2.) Not sure what you mean.

3) Possibly, but then they'd be able to see it in their URL address bar anyway.

4.) Yes, you could do this but it is still easily hackable, because you will have to define the URL in the HTML form.

The easiest way would just be to have every user have an account and use SESSIONS in order to keep track of where they can and can't go.

Sessions Tutorial
php.net/session_start

Posted: Sat Dec 20, 2003 9:19 pm
by LonelyProgrammer
DuFF wrote:
1.) Sorry, not that I know of.
The easiest way would just be to have every user have an account and use SESSIONS in order to keep track of where they can and can't go.

Sessions Tutorial
php.net/session_start
Already using sessions for user authentication.

Anyway, for sending links via POST method, how does one do that?

Posted: Sat Dec 20, 2003 10:38 pm
by DuFF
Well, if you are already using sessions then all you have to do on each page is to check if the user has a certain $_SESSION variable (such as $_SESSION['logged_in']). If they have the session variable, let them see the page; if not, then deny access.

On using POST as links, you will have to use JavaScript to submit the form, but you would have something like this:

<form method="post" action="http://www.elessons.php/elesson.php" name="lesson">
<input type="hidden" name="pageid" value="lesson">
<input type="hidden" name="lessonid" value="1">
<a href="javascript:document.lesson.submit();">Lesson 1</a>
</form>
Then on elesson.php:

<?php
echo $_POST['pageid'];    // prints out:  lesson
echo $_POST['lessonid'];  // prints out:  1
?>
You can use the $_POST variables in the MySQL query call or whatever you need to do.
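A per-request check of the kind DuFF describes, written as an added example rather than code from the thread: whether the lesson id arrives by GET or by POST makes no difference, because it is the session plus a server-side entitlement lookup that protects the lesson, not the secrecy of the URL. It assumes the login code sets $_SESSION['logged_in'] and $_SESSION['user_id'], uses a hypothetical /login.php, and stands in a constructed purchases array for the real database query.

```php
<?php
// Added example (not from the thread): server-side access check for elesson.php.
session_start();

// Assumption: the login page sets $_SESSION['logged_in'] and $_SESSION['user_id'].
if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
    header('Location: /login.php');   // hypothetical login page
    exit;
}

// Accept the lesson id from either method and force it to a positive integer,
// so a tampered value can never reach the query as a string.
$raw      = $_POST['lessonid'] ?? $_GET['lessonid'] ?? '';
$lessonId = filter_var($raw, FILTER_VALIDATE_INT);
if ($lessonId === false || $lessonId < 1) {
    http_response_code(400);
    exit('Invalid lesson id.');
}

// True when the user has already paid credit for this lesson.
// In real code this is a prepared-statement query against the purchases
// table; the array below is constructed sample data standing in for it.
function userOwnsLesson(int $userId, int $lessonId): bool
{
    $purchases = [          // user_id => lesson ids paid for (constructed)
        7  => [1, 2],
        12 => [3],
    ];
    return in_array($lessonId, $purchases[$userId] ?? [], true);
}

$userId = (int) $_SESSION['user_id'];
if (!userOwnsLesson($userId, $lessonId)) {
    http_response_code(403);
    // Log the refusal so repeated guessing of lesson ids shows up in the logs.
    error_log(sprintf('lesson %d denied for user %d', $lessonId, $userId));
    exit('You have not purchased this lesson.');
}

// Entitlement confirmed for this request: serve the lesson.
echo 'Lesson ' . $lessonId . ' content goes here.';
```

Because the check runs on every request, a memorised or shared URL only works for a logged-in user who has actually paid for that lesson id.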