avoiding un-secure links

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
mishal
Forum Newbie
Posts: 12
Joined: Sat Apr 10, 2004 4:23 pm

avoiding un-secure links

Post by mishal »

Hi everybody

I'm doing articles system in PHP/MySQL that manage member's articles and viewing them in articles page. BUT i stopped around how to deal with action links (like editing/deleting member records).

Suppose in a member area for Dave's articles shows the following records :

____________________________________________
1)
Article # : art3422
Title : Top 10 leaders
Date : 11/11/2003
[Edit] [Delete]
____________________________________________
2)
Article # : art3425
Title : Best ways
Date : 12/11/2003
[Edit] [Delete]
--------------------------------------------------------------

When the member wants to edit or delete his article, the URL will looks like :

http://www.domain.com/script.php?delete=3425

I know this is very dangerous and anybody could delete others articles by simply passing random Id's !.
So is there any way to hide or encrypt the Id or some secured steps needed to be concidered in this case?

Thanks in advance :)

Mishal
User avatar
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Well, presuming you know if someone is logged in or not, and you know the (what i'll call) userid of the logged in person, then in script.php you just need to do a few extra check, like first make sure the person is logged in (if(!empty($_SESSION['user'] .. type stuff) then check they own the article they are trying to delete. This just requires and extra query or an alteration of the delete query, DELETE FROM foo WHERE articleid={$_GET['delete']} AND userid={$_SESSION['userid']} sorta thing.

Sorry if it's abit vague, but without knowing how you code works exactly we can only provide suedo code ;)
mishal
Forum Newbie
Posts: 12
Joined: Sat Apr 10, 2004 4:23 pm

Post by mishal »

Thanks for the express reply ;)

I get your point :) and thats what i tried to solve, :) .

You concidered superglobal array $_GET["delete"] while i'm trying use links rather than forms (design restrictions).
ummm .. shall i understand that links may not to be the suitable way with these kind of actions ?.

Best Regards

Mishal
User avatar
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Naw, links are fine, $_GET doesn't refer to a form, it refers to 3452 in ?delete=3452 .. $_GET['delete'] holds 3452. I prefer to use separete scripts, ie delete.php?id=3452 rather than have script.php handle lots of different functionality (add/delete etc) but the theory is the same:
1. Check a user is logged in
2. Check the user own the item to be deleted

There's a few ways to do that, but your exact code structure/implementation will depend on the exact code solution ;)
mishal
Forum Newbie
Posts: 12
Joined: Sat Apr 10, 2004 4:23 pm

Post by mishal »

markl999 wrote:$_GET doesn't refer to a form
sorry , i mean without using form components $_GET/$_POST will never exist. :roll:

markl999, thanks for the valuable replies. :)

Mishal
User avatar
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Not sure what you mean, if you are doing something like http://www.domain.com/script.php?delete=3425 then $_GET['delete'] will exist, it will contain '3425'. If you are working with register_globals Off then you may be currently working with $delete, but you should be using $_GET['delete']

If i've got the wrong end of the stick then i apologize (i blame the Guinness in front of me) , i'm sure we'll get near an answer soon though ;)
mishal
Forum Newbie
Posts: 12
Joined: Sat Apr 10, 2004 4:23 pm

Post by mishal »

Thanks 10x10^10, ....markl999 ;) ...
Post Reply