Can you use a cookie to limit what row somebody can edit?

gopanthers
Forum Newbie
Posts: 9
Joined: Fri Nov 05, 2010 5:00 pm

Post by gopanthers »

I have a bit of simple code I used successfully on a past website to allow me to edit the data in a simple database via an HTML page. At first it lists every person (row) in my database, but then when I click on the name it allows me to edit that person's personal info (the rest of the data in that row). This is done by "passing along" the user ID in the url, like http://website.com/thispage.php?id=321. Here's the code if it helps.

Code:

<?php

$db = mysql_connect("localhost", "USER", "PASSWORD"); 
mysql_select_db("DATABASE",$db);

if ($id) {
  if ($submit) {
    $sql = "UPDATE alumni SET firstname='$firstname', lastname='$lastname', maidenname='$maidentname', classyear='$classyear', city='$city', state='$state', country='$country', 
position='$position', employer='$employer', phone='$phone', email='$email', aim='$aim', icq='$icq', yahoo='$yahoo', website='$website', fund='$fund', donate='$donate' WHERE id=$id";
    $result = mysql_query($sql);
    echo "Thank you! Information updated.\n";
  } else {
    // query the DB
    $sql = "SELECT * FROM alumni WHERE id=$id";
    $result = mysql_query($sql);	
    $myrow = mysql_fetch_array($result);
    ?>

<p>Last Updated: <?php echo $myrow["lastupdated"] ?></p>

<form method="post" action="<?PHP echo $PHP_SELF?>"> 
<input type=hidden name="id" value="<?php echo $myrow["id"] ?>">
First Name: <input type="Text" name="firstname" value="<?php echo $myrow["firstname"] ?>"><br> 
Last Name: <input type="Text" name="lastname" value="<?php echo $myrow["lastname"] ?>"><br>
Maiden Name: <input type="Text" name="maidentname" value="<?php echo $myrow["maidenname"] ?>"><br> 
Class: <input type="Text" name="classyear" value="<?php echo $myrow["classyear"] ?>"><br> 
City: <input type="Text" name="city" value="<?php echo $myrow["city"] ?>"><br> 
State: <input type="Text" name="state" value="<?php echo $myrow["state"] ?>"><br>
Country: <input type="Text" name="country" value="<?php echo $myrow["country"] ?>"><br> 
Position: <input type="Text" name="position" value="<?php echo $myrow["position"] ?>"><br> 
Employer: <input type="Text" name="employer" value="<?php echo $myrow["employer"] ?>"><br>
Phone: <input type="Text" name="phone" value="<?php echo $myrow["phone"] ?>"><br> 
E-mail: <input type="Text" name="email" value="<?php echo $myrow["email"] ?>"><br> 
AIM: <input type="Text" name="aim" value="<?php echo $myrow["aim"] ?>"><br> 
ICQ: <input type="Text" name="icq" value="<?php echo $myrow["icq"] ?>"><br> 
Yahoo: <input type="Text" name="yahoo" value="<?php echo $myrow["yahoo"] ?>"><br> 
Website: <input type="Text" name="website" value="<?php echo $myrow["website"] ?>"><br>
<input type="Submit" name="submit" value="Process Information"> 
</form>

	<?php
	}
} else {

  // display list of alumni
  $result = mysql_query("SELECT * FROM alumni ORDER BY lastname",$db);
  while ($myrow = mysql_fetch_array($result)) {
    printf("<a href=\"%s?id=%s\">%s %s</a><br>\n", $PHP_SELF, $myrow["id"], $myrow["lastname"], $myrow["firstname"]);
  }
    echo "<p>If new entry, <a href=\"new.php\">click here</a>\n";
}
?>
That works fine for me if I'm the only one with access to this update page, but I'd really like to allow people to update their own information themselves. To do that, I can't use any method that depends on a user's ID being in the URL because even if this page didn't display links to everybody first, anybody could still just type in any random number to the id=321 part and easily meddle with somebody else's personal info.

So is it in any way possible to use a cookie to specify which one user's data (row) can be updated by this code? In my situation, anybody coming to this form should already be logged in as a user on my website (unrelated to this database), and should have a cookie that includes their username. If I add another field to each database row that contains that user's website username, is there a way that I can modify this code above (or make new code) to somehow say "since this person is already logged in as 'joe-schmoe', here's the HTML to let them edit only their own database information (the data in the row that already contains 'joe-schmoe' listed as their website username)."???
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Can you use a cookie to limit what row somebody can edit

Post by mecha_godzilla »

Hi,

What you have to be careful of here (I think) is that cookies can be quite vulnerable - both because they can be read client-side using JavaScript but also because they could easily be spoofed if the values they contain might be easily guessed. Bear in mind that once someone has an account on your system, they can easily look at what values your cookies are storing using their browser controls and "roll their own", as it were.

The easy way to do what you want is probably to store their unique ID in a session value, which would be populated from their account information in the database when they first log in. You then test to see if this value is EMPTY or not before you run any queries. This has the benefit that the unique ID is explicitly tied to their session reference (created by PHP whenever session_start() is used) but the user doesn't have access to it and can't see it.

There are two things to bear in mind with this approach:

1. Privilege escalation/account hijacking would occur if someone else ever managed to guess the session reference.

2. Session information is stored locally on the server (usually in a /tmp directory somewhere - it's OS dependent) that can easily be looked at if someone ever hacked into the server.

In the first instance, you can tie the session to other information (such as the user's IP address, their browser agent) and check this information on each page access. In the second instance, if this is a big concern you need to think about moving over your session data so that it's stored in your database instead; this isn't that difficult (there are plenty of code examples available) and it offers more protection than having the session files sitting around idling about on the server. In both cases, depending on how high-profile your site is the likelihood of these things happening is minimal but not impossible; it's easy to overlook what the issues are while you're still learning PHP and (at the same time) equally easy to overplay them if you know exactly what the issues are :D

My usual approach is as follows: get what you need to do working first, then think about the security issues.

If you need any examples of working with session data please say so.

HTH,

Mecha Godzilla
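
The session approach from the reply above, as an added example (not code from either poster): the row to update is taken from the session, any `id` sent in the request is ignored, and the query is parameterized. The session keys `alumni_id` and `fingerprint`, the helper function names, and the in-memory SQLite table standing in for the MySQL `alumni` table are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension is available;
// the session keys and function names are hypothetical.

function fingerprint(array $server): string {
    // Ties the session to the client's IP address and browser agent, as the reply suggests.
    return hash('sha256', ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

function current_alumni_id(array $session, array $server): ?int {
    // Empty session value: nobody is logged in, so no query may run.
    if (empty($session['alumni_id']) || empty($session['fingerprint'])) return null;
    // Fingerprint mismatch: the session reference is being used from another client.
    if (!hash_equals($session['fingerprint'], fingerprint($server))) return null;
    return (int) $session['alumni_id'];
}

function update_own_row(PDO $db, array $session, array $server, array $post): bool {
    $id = current_alumni_id($session, $server);
    if ($id === null) return false;
    $set = []; $args = [];
    // Column whitelist (shortened here); $post['id'] is never read.
    foreach (['firstname', 'lastname', 'city', 'email'] as $col) {
        if (isset($post[$col])) { $set[] = "$col = ?"; $args[] = $post[$col]; }
    }
    if (!$set) return false;
    $args[] = $id;  // the WHERE value comes from the session only
    $stmt = $db->prepare('UPDATE alumni SET ' . implode(', ', $set) . ' WHERE id = ?');
    return $stmt->execute($args);
}

// Constructed demo data: two rows, the second belonging to someone else.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE alumni (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, city TEXT, email TEXT)');
$db->exec("INSERT INTO alumni VALUES (321, 'Joe', 'Schmoe', 'Charlotte', 'joe@example.com'),
                                     (322, 'Ann', 'Other', 'Raleigh', 'ann@example.com')");

$server  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$session = ['alumni_id' => 321, 'fingerprint' => fingerprint($server)];  // what the login code would store
$post    = ['id' => '322', 'city' => 'Asheville'];                       // request carrying someone else's id

var_dump(update_own_row($db, $session, $server, $post));  // logged-in user
var_dump(update_own_row($db, [], $server, $post));        // empty session
foreach ($db->query('SELECT id, city FROM alumni ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['city'], "\n";            // shows which row actually changed
}
```

In a real page, call session_start() and pass $_SESSION, $_SERVER and $_POST to these functions. Binding to the IP address will end the session for users whose address changes while they are logged in.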