but an example?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

balo
Forum Newbie
Posts: 10
Joined: Mon Jan 18, 2010 11:49 am

but an example?

Post by balo »

So, after finishing Essential PHP Security (Chris Shiflett) and while reading the Guide to PHP Security (php|architect's), I have a doubt: how do I create a safe form?
Let's imagine a situation: a user interface that allows the admin to change the name of a user.
So, I have the login system that checks my user and password (crypt with md5 and a salt) and saves my login data in the session. Then I have a list of all the users of my system. What would you do to send the data to another page that allows you to change the name? And how would you build the page to change the name?
Because in these 2 books I found lots of interesting ideas, but no solution for an easy (and common) system like this one!

thanks for the help!
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: but an example?

Post by social_experiment »

If I am reading your question correctly, you would have an authorise page (requested | required) by each of the back-end pages. On this page (authorise) you would check whether certain session variables were set when you logged in. If these were not present, the user would be redirected to a page indicating that login was needed, etc.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
balo
Forum Newbie
Posts: 10
Joined: Mon Jan 18, 2010 11:49 am

Re: but an example?

Post by balo »

Not really... I'll try to explain it again, hope you can understand (and thanks for the answer ;) )
I'm in an admin panel, I have done the login and I'm in as the administrator. I have the list of all the users registered on my web site. Now, I can open a page where I can change the name of the user (and other data). So:
1) how to create a secure way to send the id of the user to edit to the second page. Now I'm working with $_GET, but it's not really secure...
2) where to store the id of the user. I can store it in the session, but only when I open the edit page, and to get there I have to work with GET (as in the first question), so it's not really secure either (for me!). Do I need to store it in a hidden field (as I have done until now)? With tools like Firebug I can change the hidden value, so it's not safe either!
Any idea?
Thanks again!
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: but an example?

Post by social_experiment »

2) where to store the id of the user. I can store it in the session, but only when I open the edit page, and to get there I have to work with GET (as in the first question), so it's not really secure either (for me!). Do I need to store it in a hidden field (as I have done until now)? With tools like Firebug I can change the hidden value, so it's not safe either!
You could store it in a session variable or in a query string. Off the bat, without testing it, I would say a session variable would be safer than a query string value, because the user accessing the URL can manipulate the value from that query string and, if you haven't taken precautions against this, that will leave your script and maybe your database vulnerable to exploitation.
1) how to create a secure way to send the id of the user to edit to the second page. Now I'm working with $_GET, but it's not really secure...
$_GET will send the data; as long as you pass the correct variable to the string you shouldn't have any problems.

Thank you for reposting the question, I hope the answer is what you are looking for :)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
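An added example (not code from either poster) that puts the two replies above together: the "authorise" include that every back-end page requires, the user list that passes the id in the query string, and the edit page that re-validates that id and protects the form. It assumes a PDO connection in `$pdo`, a `users` table with columns `id`, `name` and `is_admin`, and a login page that sets `$_SESSION['user_id']` and `$_SESSION['is_admin']` after a successful login; file names and function names are illustrative. The point it makes is that GET or a hidden field is fine for carrying the id, because the server never trusts it: the session proves who the admin is, the id is validated and looked up again, the form carries a CSRF token, and the database is only touched through prepared statements.

```php
<?php
// Added example for the thread above, not code from the original posters.
// Assumptions: $pdo is a PDO connection; the `users` table has id, name, is_admin;
// login.php sets $_SESSION['user_id'] and $_SESSION['is_admin'] after a successful login.
// The three "files" are separated by comments here so the example is self-contained.

// ---------- auth.php: required by every back-end page ----------
session_start();
if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    // Not logged in as an admin: redirect to the login page and stop executing.
    header('Location: /login.php');
    exit;
}
// One CSRF token per session, reused by every form in the admin panel.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// ---------- users.php: list of all users, each with an edit link ----------
// require 'auth.php';
function render_user_list(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT id, name FROM users ORDER BY id') as $row) {
        // The id travels in the query string. That is acceptable because edit.php
        // re-checks the session and re-validates the id before doing anything with it.
        $html .= sprintf(
            '<li>%s <a href="edit.php?id=%d">edit</a></li>',
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
            (int) $row['id']
        );
    }
    return $html . '</ul>';
}

// ---------- edit.php: change the name of one user ----------
// require 'auth.php';
function handle_edit(PDO $pdo): string
{
    // 1. Validate the id no matter where it came from (query string or hidden field).
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return 'Invalid user id.';
    }

    // 2. Confirm the row exists before showing or updating anything.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        http_response_code(404);
        return 'No such user.';
    }

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // 3. The CSRF token is tied to the session, so another site cannot forge this POST.
        //    Editing a hidden id with Firebug is harmless: only the validated $id is used.
        $token = $_POST['csrf_token'] ?? '';
        if (!hash_equals($_SESSION['csrf_token'], $token)) {
            http_response_code(403);
            return 'Invalid form submission.';
        }
        // 4. Validate the new value (length and characters) before storing it.
        $name = trim((string) ($_POST['name'] ?? ''));
        if ($name === '' || mb_strlen($name) > 64 || preg_match('/[\x00-\x1F]/', $name)) {
            http_response_code(400);
            return 'Name must be 1-64 printable characters.';
        }
        // 5. Prepared statement: the name is bound as data, never pasted into the SQL text.
        $update = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
        $update->execute([':name' => $name, ':id' => $id]);
        $user['name'] = $name;
    }

    // 6. Escape everything that is written back into the HTML.
    return sprintf(
        '<form method="post" action="edit.php?id=%d">'
        . '<input type="hidden" name="csrf_token" value="%s">'
        . '<label>Name <input name="name" value="%s" maxlength="64"></label>'
        . '<button type="submit">Save</button></form>',
        $id,
        htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8')
    );
}
```

Storing the id in the session instead of the URL would not remove any of these checks: whoever is logged in still has to be an admin, the id still has to be a real row, the POST still has to carry the token, and the name still has to be validated and bound as a parameter. Once those are in place, the transport of the id is no longer a security decision.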