
hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 8:26 pm
by ganza
I'm doing the deleting using hyperlinks like this

Code:

echo '<a href="deleteRow.php?id=' . $record['contact_ID'] . '">Delete</a>';
 

deleteRow.php

Code:

if(isset($_REQUEST['id']) && !empty($_REQUEST['id'])){
   // Cast to int: escaping alone does not protect an unquoted numeric value.
   // Note there is still no check of who is asking for the delete.
   mysql_query("DELETE FROM contact WHERE contact_ID=" . (int) $_REQUEST['id']);
   header('Location: delContact.php?row_deleted=yes');
   exit();
}
 
but I just realized that people can easily manipulate and update my database using deleteRow.php?id=VALUE
Is it possible for me to hide the value or the deleteRow.php?id= so people cannot see the value or the link?

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 8:46 pm
by requinix
ganza wrote: but I just realized that people can easily manipulate and update my database using deleteRow.php?id=VALUE
Which is why you don't just allow anyone to delete stuff.

Put something in the deleteRow.php file to make sure that whoever accesses it is allowed to delete it.

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 8:53 pm
by Stryks
Well ... it's a good thing to think about, and if you found it yourself then all the better. You'll be looking for that kind of vulnerability when you are writing similar code.

The solution is going to depend largely on what data you are allowing the user to delete.

I mean, if you have a table where rows of data are linked to specific users, and you want each user to only be able to delete their own rows, and assuming that you're using sessions or something similar to carry the user's ID from page to page, you could just change your query to something like ...

Code:

// $user_ID comes from the logged-in session, never from the request.
// Both values are cast to int because they are used unquoted in the query.
mysql_query("DELETE FROM contact WHERE contact_ID=" . (int) $_REQUEST['id'] . " AND user_ID=" . (int) $user_ID);

This way, your user could change the ID as they see fit, but their destruction won't affect anyone but themselves.

If, on the other hand, you're allowing the user to delete items that aren't related to them, then you could create a random value for each row and store it in a session, then when the form is processed, convert back from the random ID to the item ID and then perform the delete. It wouldn't eliminate the ability to change the code to another value, but they could only delete items shown on the source page, so they can't delete what they can't see. I mean, the ID wouldn't even have to be random ... you could just build an array and use the auto-generated keys in place of the item id.

The former is my preference though.

Cheers
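
An added example, not part of the original posts: the ownership check described above, written with PDO prepared statements instead of the `mysql_*` functions used in the thread. It runs against an in-memory SQLite database with constructed rows; `deleteOwnedContact` and `$sessionUserId` are hypothetical names.

```php
<?php
// Added example: ownership-scoped delete. Table and column names follow the thread;
// the function name and the sample rows are constructed for illustration.

function deleteOwnedContact(PDO $db, int $userId, $rawId): bool
{
    // Accept only a plain positive integer; arrays and strings like "1 OR 1=1" fail here.
    $contactId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($contactId === false) {
        return false;
    }
    // The row is deleted only if it exists AND belongs to the session user.
    $stmt = $db->prepare('DELETE FROM contact WHERE contact_ID = :id AND user_ID = :uid');
    $stmt->execute([':id' => $contactId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (contact_ID INTEGER PRIMARY KEY, user_ID INTEGER, name TEXT)');
$db->exec("INSERT INTO contact VALUES (1, 10, 'alice-friend'), (2, 20, 'bob-friend')");

$sessionUserId = 10; // stands in for the ID stored in $_SESSION at login

var_dump(deleteOwnedContact($db, $sessionUserId, '2'));        // another user's row
var_dump(deleteOwnedContact($db, $sessionUserId, '1 OR 1=1')); // not an integer
var_dump(deleteOwnedContact($db, $sessionUserId, '1'));        // the user's own row
echo $db->query('SELECT COUNT(*) FROM contact')->fetchColumn(), " row(s) left\n";
```

The return value lets deleteRow.php choose between the `row_deleted=yes` and `row_deleted=no` redirects instead of always reporting success.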

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 9:02 pm
by ganza
Stryks wrote: If, on the other hand, you're allowing the user to delete items that aren't related to them, then you could create a random value for each row and store it in a session, then when the form is processed, convert back from the random ID to the item ID and then perform the delete. It wouldn't eliminate the ability to change the code to another value, but they could only delete items shown on the source page, so they can't delete what they can't see. I mean, the ID wouldn't even have to be random ... you could just build an array and use the auto-generated keys in place of the item id.

The former is my preference though.

Cheers
It looks a bit complicated and I don't really understand it, as I just started learning PHP :banghead:
Is it possible for you to give me any sample code so I can learn from it?

Thanks

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 9:33 pm
by Stryks
Well ... I'd really recommend the first method as described by tasairis and myself. Users should not really be allowed to delete anything that does not belong to them. If you have a login system in place, you should be easily able to match your users to what they are attempting to delete, so if they pass an ID that doesn't belong to them, throw an error.

But if you really want to go the latter way, something like the following should work, assuming you're using sessions.

delContact.php

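Code:

session_start();

// Fresh key map for this listing: array index => real item ID
$_SESSION['item_key'] = array();

// your code to connect to and pull from the database

while ($row = mysql_fetch_assoc($result)) {
    // The link carries only the array index, never the real item ID
    $key = count($_SESSION['item_key']);
    // Escape the name so stored data cannot inject markup into the page
    echo htmlspecialchars($row['item_name']) . " - <a href=\"deleterow.php?id=" . $key . "\">[ delete ]</a><br>";
    $_SESSION['item_key'][] = $row['item_ID'];
}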
 
 

deleterow.php

Code:

session_start();

// The passed value must be an index of the session array, so test the key
// (in_array() would compare it against the stored item IDs instead)
if (isset($_GET['id'], $_SESSION['item_key'])
        && is_string($_GET['id']) && ctype_digit($_GET['id'])
        && isset($_SESSION['item_key'][(int) $_GET['id']])) {
    // Item key passed was valid: translate it back to the real row ID
    $item_id = (int) $_SESSION['item_key'][(int) $_GET['id']];
    // Delete using the translated ID, not the value from the request
    mysql_query("DELETE FROM contact WHERE contact_ID=" . $item_id);
    $location = 'Location: delContact.php?row_deleted=yes';
} else {
    // Item key was not passed, session was not prepared, or key did not exist
    $location = 'Location: delContact.php?row_deleted=no';
}
// clear key associations
unset($_SESSION['item_key']);
// Bounce to appropriate location
header($location);
exit();
 
It's not the cleanest example, but as I don't know your display method it's about the best I can do in a minute or two. But as you can see, it creates an array in the session linking the item ID to a session key. The link uses the session key, which is transparently translated back into the item_id on the back end. In this way the end user is never exposed to the real item_id, and the user can never delete anything that was not listed in the previous view.

Does that help at all?

p.s. - that is totally untested by the way ... it might take some tweaking ... or it might work first pop .. hard to say really. As I said, I just quickly knocked it up.
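
An added example, not part of the original posts: the random-value variant of the session map mentioned earlier in the thread, with each reference usable once. `$session` stands in for `$_SESSION`, and `issueRefs`, `resolveRef` and the sample rows are constructed for illustration.

```php
<?php
// Added example: per-listing random reference map kept server-side.
// $session stands in for $_SESSION; names and rows are hypothetical.

function issueRefs(array &$session, array $rows): array
{
    $session['item_key'] = [];                  // a new listing invalidates old references
    $links = [];
    foreach ($rows as $row) {
        $ref = bin2hex(random_bytes(16));       // unguessable value placed in the link
        $session['item_key'][$ref] = (int) $row['item_ID'];
        $links[$ref] = $row['item_name'];
    }
    return $links;                              // reference => label, for rendering links
}

function resolveRef(array &$session, $ref): ?int
{
    // Anything that is not a reference issued for this listing is refused.
    if (!is_string($ref) || !isset($session['item_key'][$ref])) {
        return null;
    }
    $itemId = $session['item_key'][$ref];
    unset($session['item_key'][$ref]);          // single use: a replayed link fails
    return $itemId;
}

$session = [];
$links = issueRefs($session, [
    ['item_ID' => 41, 'item_name' => 'first'],
    ['item_ID' => 42, 'item_name' => 'second'],
]);
$ref = array_key_first($links);

var_dump(resolveRef($session, $ref));  // reference for a listed item
var_dump(resolveRef($session, $ref));  // the same link used a second time
var_dump(resolveRef($session, '42'));  // a raw database ID instead of a reference
```

The map only limits which rows a request can name; whether the session user may delete the resolved row is still decided by the ownership check on the DELETE itself.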

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 9:39 pm
by ganza
Stryks wrote: Well ... I'd really recommend the first method as described by tasairis and myself. Users should not really be allowed to delete anything that does not belong to them. If you have a login system in place, you should be easily able to match your users to what they are attempting to delete, so if they pass an ID that doesn't belong to them, throw an error.

I will try to learn the code first
By the way, really thanks for your help ...
Really appreciate it

thanks

Re: hiding database value in hyperlinks

Posted: Mon Nov 10, 2008 9:45 pm
by Stryks
ganza wrote: I will try to learn the code first
By the way, really thanks for your help ...
Really appreciate it
No worries ... just yell out if you need help understanding any of that code.

8)