Page 1 of 1

avoiding un-secure links

Posted: Sat Apr 10, 2004 4:23 pm
by mishal
Hi everybody

I'm doing articles system in PHP/MySQL that manage member's articles and viewing them in articles page. BUT i stopped around how to deal with action links (like editing/deleting member records).

Suppose in a member area for Dave's articles shows the following records :

____________________________________________
1)
Article # : art3422
Title : Top 10 leaders
Date : 11/11/2003
[Edit] [Delete]
____________________________________________
2)
Article # : art3425
Title : Best ways
Date : 12/11/2003
[Edit] [Delete]
--------------------------------------------------------------

When the member wants to edit or delete his article, the URL will looks like :

http://www.domain.com/script.php?delete=3425

I know this is very dangerous and anybody could delete others articles by simply passing random Id's !.
So is there any way to hide or encrypt the Id or some secured steps needed to be concidered in this case?

Thanks in advance :)

Mishal

Posted: Sat Apr 10, 2004 4:32 pm
by markl999
Well, presuming you know if someone is logged in or not, and you know the (what i'll call) userid of the logged in person, then in script.php you just need to do a few extra check, like first make sure the person is logged in (if(!empty($_SESSION['user'] .. type stuff) then check they own the article they are trying to delete. This just requires and extra query or an alteration of the delete query, DELETE FROM foo WHERE articleid={$_GET['delete']} AND userid={$_SESSION['userid']} sorta thing.

Sorry if it's abit vague, but without knowing how you code works exactly we can only provide suedo code ;)

Posted: Sat Apr 10, 2004 4:53 pm
by mishal
Thanks for the express reply ;)

I get your point :) and thats what i tried to solve, :) .

You concidered superglobal array $_GET["delete"] while i'm trying use links rather than forms (design restrictions).
ummm .. shall i understand that links may not to be the suitable way with these kind of actions ?.

Best Regards

Mishal

Posted: Sat Apr 10, 2004 4:58 pm
by markl999
Naw, links are fine, $_GET doesn't refer to a form, it refers to 3452 in ?delete=3452 .. $_GET['delete'] holds 3452. I prefer to use separete scripts, ie delete.php?id=3452 rather than have script.php handle lots of different functionality (add/delete etc) but the theory is the same:
1. Check a user is logged in
2. Check the user own the item to be deleted

There's a few ways to do that, but your exact code structure/implementation will depend on the exact code solution ;)

Posted: Sat Apr 10, 2004 5:56 pm
by mishal
markl999 wrote:$_GET doesn't refer to a form
sorry , i mean without using form components $_GET/$_POST will never exist. :roll:

markl999, thanks for the valuable replies. :)

Mishal

Posted: Sat Apr 10, 2004 6:02 pm
by markl999
Not sure what you mean, if you are doing something like http://www.domain.com/script.php?delete=3425 then $_GET['delete'] will exist, it will contain '3425'. If you are working with register_globals Off then you may be currently working with $delete, but you should be using $_GET['delete']

If i've got the wrong end of the stick then i apologize (i blame the Guinness in front of me) , i'm sure we'll get near an answer soon though ;)

Posted: Tue Apr 13, 2004 6:03 am
by mishal
Thanks 10x10^10, ....markl999 ;) ...