URL string contains db id and secure ID
Posted: Mon Aug 13, 2007 8:44 pm
by krraleigh
When my user registers, an email is sent to admin;
admin decides whether to load user into DB.
If they load user into db they click a link in an email message
which launches the validation.php page. This link contains the user
db id and secure id.
http://www.mysite.org/validate.php?id=178&code='jtunki'
Can this become a security issue?
If so how should I handle it?
Kevin

Posted: Mon Aug 13, 2007 8:49 pm
by VladSun
On user's signup generate a random string, include it in the url and in the DB in some way (preferably in a separate table with user_id, random_str fields) and modify your code to use it.

Posted: Mon Aug 13, 2007 9:01 pm
by krraleigh
If I understand you correctly you're telling me to do what I am doing now?
I create a random 6 char string that is passed with the db user id in the email
string. These values are visible in the url in the validation page?
So is this a security issue?
Can a snooper pickup these values and do harm to my db?
Kevin

Posted: Mon Aug 13, 2007 9:23 pm
by VladSun
0. You didn't tell me what you are doing so I've decided that it is the issue.
1. I believe that your defense at conceptual layer is hard enough (a longer secure_id would be better) ...
2. Security issues could be found in validate.php (SQL injections etc.) - recheck your code.
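
Added example (not part of any post in this thread): one way to implement the longer random code in a separate table and the injection-safe validate.php check discussed above. The table, column and function names, the token lifetime and the in-memory SQLite database are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; schema and function names are assumptions, not the poster's code.

$db = new PDO('sqlite::memory:');   // stand-in for the site's real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, approved INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE approval_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');

// At signup: create a 128-bit token, store only its hash, return the raw value for the e-mail link.
function issueApprovalToken(PDO $db, int $userId, int $ttl = 604800): string
{
    $token = bin2hex(random_bytes(16));   // CSPRNG output, 32 hex characters
    $stmt = $db->prepare('INSERT OR REPLACE INTO approval_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// In validate.php: check id and code, set the flag once, then discard the token.
function approveUser(PDO $db, string $rawId, string $rawCode): bool
{
    // Reject anything that is not a plain integer id and a 32-character hex code.
    if (!ctype_digit($rawId) || preg_match('/\A[0-9a-f]{32}\z/', $rawCode) !== 1) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM approval_tokens WHERE user_id = ?');
    $stmt->execute([(int)$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return false;   // no pending token, or the link has expired
    }
    // Constant-time comparison of the stored hash with the hash of the supplied code.
    if (!hash_equals($row['token_hash'], hash('sha256', $rawCode))) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET approved = 1 WHERE id = ?')->execute([(int)$rawId]);
    $db->prepare('DELETE FROM approval_tokens WHERE user_id = ?')->execute([(int)$rawId]);
    $db->commit();
    return true;
}

// Constructed demo data: user 178, as in the URL quoted in the thread.
$db->exec('INSERT INTO users (id) VALUES (178)');
$code = issueApprovalToken($db, 178);
var_dump(approveUser($db, '178', 'jtunki'));   // short guessed code
var_dump(approveUser($db, '178', $code));      // code from the e-mail link
var_dump(approveUser($db, '178', $code));      // same link clicked again
```

Storing only the hash means a leaked copy of the token table does not yield usable links, and deleting the row makes each link single-use.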

Posted: Mon Aug 13, 2007 9:34 pm
by krraleigh
I appreciate your time...
I have worked my code to protect against sql injections
with my registration page. My validation page sets a single
value from zero to one, a flag of sorts to see if the user has
been cleared by admin for use of the website.
Thank You
Kevin

Posted: Tue Aug 14, 2007 6:23 am
by superdezign
If they have to be manually approved, why have a validation code at all...?

Posted: Tue Aug 14, 2007 11:42 am
by VladSun
@superdezign - it's a well-known approach - email validation by using "unique URLs" (I think that it is even patented - by some company with "bird" in its name). If krraleigh uses only id=bla-bla links it becomes very easy to guess it by a simple for loop. One could then approve himself without being approved by the admins.

Posted: Tue Aug 14, 2007 7:37 pm
by krraleigh
So what are the options available to approving
new users?
Kevin

Posted: Tue Aug 14, 2007 7:43 pm
by VladSun
You may use a backend administration written in PHP. It should be able to view the queue of users waiting for approval and have some actions implemented - approve, delete etc. The backend must be accessible only by your admins by using a login page.
In this case the only security risk is in the authorization stage.

Posted: Tue Aug 14, 2007 7:48 pm
by krraleigh
thank you
Kevin