URL string contains db id and secure ID

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

URL string contains db id and secure ID

Post by krraleigh »

when my user registers an email is sent to admin;
admin decides whether to load user into DB.

If they load user into db they click a link in an email message
which launches the validation.php page. this link contains the user
db id and secure id.

http://www.mysite.org/validate.php?id=178&code='jtunki'

Can this become a security issue?
If so how should I handle it?

Kevin :D
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

On user's signup generate a random string, include it in the url and in the DB in someway (preferably in a separate table with user_id, random_str fields) and modify your code to use it :)
There are 10 types of people in this world, those who understand binary and those who don't
krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

Post by krraleigh »

If I understand you correctly your telling me to do what I am doing now?

I create a random 6 char string that is passed with the db user id in the email
string. These values are visible in the url in the validation page?

So is this a security issue?
Can a snooper pickup these values and do harm to my db?

Kevin
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

0. :) You didn't tell me what you are doing so I've decided that it is the issue.
1. I believe that your defense at conceptual layer is hard enough (a longer secure_id would be better) ...
2. Security issues could be found in validate.php (SQL injections etc.) - recheck your code.
There are 10 types of people in this world, those who understand binary and those who don't
krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

Post by krraleigh »

I appreciate your time...

I have worked my code to protect against sql injections
with my registration page. My validation page sets a single
value from zero to one, a flag of sorts to see if the user has
been cleared by admin for use of the website.

Thank You
Kevin
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

If they have to be manually approved, why have a validation code at all...?
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

@superdezign - it's well known aproach - email validation by using "unique URLs" (I think that it is even patanted - by some company with "bird" in its name). If krraleigh uses only id=bla-bla links it becomes very easy to guess it by simple for loop. One could then approve his self without beeing approved by the admins.
There are 10 types of people in this world, those who understand binary and those who don't
krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

Post by krraleigh »

So what are the options available to approving
new users?

Kevin
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

You may use a backend administration written in PHP. It should be able to view the queue of aprovement waiting users and some actions impemented - aprove, delete etc. The backend must be accessable only by your admins by using a login page.

In this case the only security risk is in the authorization stage.
There are 10 types of people in this world, those who understand binary and those who don't
krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

Post by krraleigh »

thank you
Kevin
Post Reply