So, after finishing Essential PHP Security (Chris Shiflett) and while reading the Guide to PHP Security (php|architect's), I have a doubt: how do you create a safe form?
Let's imagine a situation: a user interface that allows the admin to change the name of a user.
So, I have the login system that checks my user and password (encrypted with md5 and a salt) and saves my login data in the session. Then I have a list of all the users of my system. What would you do to send the data to another page that allows you to change the name? And how would you build the page to change the name?
Because in these two books I found lots of interesting ideas, but no solution for an easy (and common) system like this one!
Thanks for the help!
but an example?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: but an example?
If I am reading your question correctly, you would have an authorise page (requested/required) by each of the back-end pages. On this page (authorise) you would check if certain session variables were set when you logged in. If these were not present, the user would be redirected to a page indicating login was needed, etc.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
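The "authorise page" described in the reply above, written out as an added example (this is illustrative code, not from the thread or from either book). It assumes a hypothetical login.php that, after verifying the password, called session_regenerate_id() and set $_SESSION['admin_id'] and $_SESSION['admin_role']; every back-end page then starts with `require 'authorise.php';`. It also needs PHP 7 or later for random_bytes().

```php
<?php
// authorise.php: included at the top of every back-end page (added example).
// Assumed contract: login.php sets $_SESSION['admin_id'] and
// $_SESSION['admin_role'] only after the password check succeeded.
declare(strict_types=1);

session_start();

// Not logged in, or logged in but not an administrator: redirect and stop.
// The exit matters; a header() alone does not stop the rest of the page.
if (!isset($_SESSION['admin_id'], $_SESSION['admin_role'])
    || $_SESSION['admin_role'] !== 'admin') {
    header('Location: /login.php', true, 303);
    exit;
}

// Idle timeout: destroy the session after 30 minutes without a request,
// so a forgotten admin tab does not stay usable indefinitely.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
    session_unset();
    session_destroy();
    header('Location: /login.php?expired=1', true, 303);
    exit;
}
$_SESSION['last_seen'] = $now;

// One CSRF token per session, used by every state-changing form in the panel.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
```

Because the check runs before any output and exits on failure, a back-end page that forgets nothing else is still unreachable to anyone without a valid admin session; the CSRF token is created here so that the form pages below do not each have to remember to do it.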
Re: but an example?
Not really... I'll try to explain it again, hope you can understand (and thanks for the answer).
I'm in an admin panel, I have logged in and I'm in as the administrator. I have the list of all the users registered on my web site. Now, I can open a page where I can change the name of the user (and other data). So:
1) How to securely send the id of the user to edit to the second page? Now I'm working with $_GET, but it's not really secure...
2) Where to store the id of the user? I can store it in the session, but only when I open the edit page, and to send it there I have to work with GET (as in the first question), so it's not really secure again (for me!). Do I need to store it in a hidden field (as I do until now)? With tools like Firebug I can change the hidden value, so it's not safe again!
Any idea?
Thanks again!
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: but an example?
> 2) where to store the id of the user. I can store in session, but just when i open the edit page. and to send here i have to work with GET (as in the first question), so it's not really sure again (for me!). do i need to store it in a hidden field (as i do until now)? with tools like firebug i can change the hidden value, so it's not safe again!
You could store it in a session variable or in a query string. Off the bat, without testing it, I would say a session variable would be safer than a query string value, because the user accessing the URL can manipulate the value from that query string and, if you haven't taken precautions against this, will leave your script and maybe your database vulnerable to exploitation.
> 1) how to create a sure data send to sent to the second page the id of the user to edit. now i'm working with $_GET, but it's not really sure...
$_GET will send the data; as long as you pass the correct variable to the string you shouldn't have any problems.
Thank you for reposting the question, I hope the answer is what you are looking for.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
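An added example of the edit page itself, covering both of the questions above (the id passed via $_GET, and the hidden field that Firebug can change); it is illustrative code, not from the thread. It assumes the authorise.php include from earlier in this thread's example (which sets $_SESSION['csrf_token']), a PDO connection to a SQLite file users.sqlite with a table users(id INTEGER, name TEXT), and PHP 7.4 or later. The point it makes: the id does not need to be hidden, because the administrator is allowed to edit any user anyway. What has to hold is that the id is well-formed, that the update only runs from this admin's own form, and that the value can never change the SQL.

```php
<?php
// user_edit.php: the "change the name" page (added example, not from the thread).
// Assumes authorise.php (session check + CSRF token) and a users(id, name) table.
declare(strict_types=1);
require __DIR__ . '/authorise.php';

// 1) The id may travel in the query string; trusting it blindly is the problem.
//    Validate it as a positive integer. Anything else is a 400, not a query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid user id');
}

// Assumed database: a local SQLite file (path is an assumption for the example).
$pdo = new PDO('sqlite:' . __DIR__ . '/users.sqlite', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 2) A hidden field can be edited in the browser; that is expected.
    //    The CSRF token proves the POST came from a form this admin's session
    //    rendered, so another site cannot submit it on the admin's behalf.
    $token = (string)($_POST['csrf_token'] ?? '');
    if (!hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        exit('Bad request token');
    }
    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        http_response_code(400);
        exit('Name must be 1-100 characters');
    }
    // Prepared statement: the id and name are bound values, never SQL text.
    // If only some admins may edit some users, add that condition to the WHERE.
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    if ($stmt->rowCount() === 0) {
        http_response_code(404);
        exit('No such user');
    }
    // Redirect after POST so a refresh does not resubmit the form.
    header('Location: /users.php?updated=' . $id, true, 303);
    exit;
}

// GET: load the current name and show the form. Everything echoed back is
// escaped, so a name stored earlier cannot inject markup into the admin panel.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false) {
    http_response_code(404);
    exit('No such user');
}
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="/user_edit.php?id=<?= (int)$user['id'] ?>">
  <input type="hidden" name="csrf_token" value="<?= $e($_SESSION['csrf_token']) ?>">
  <label>Name <input name="name" value="<?= $e($user['name']) ?>" maxlength="100"></label>
  <button type="submit">Save</button>
</form>
```

Storing the id in the session instead of the URL would not remove any of these checks: the session value still has to be an integer, the update still has to be parameterised, and the form still needs a CSRF token. Keeping the id in the URL has the practical advantage that two edit tabs open at once do not overwrite each other's target user.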