PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Sun Nov 24, 2013 6:13 am 
Forum Newbie

Joined: Sun Nov 24, 2013 6:06 am
Posts: 2
Consider the example below.
HTML page:

<input type="text" name="update_12" />
An input box named "update_12" with the new text "Some another data" is sent via a form to the server-side PHP script (say process.php).

Database format:

message_ID | Message
-----------|-------------
12         | Some data
13         | Another data

If the PHP script does an explode on the input name as:

```php
foreach ($_POST as $key => $value) {
    // Only handle fields whose name contains "update_"
    if (strstr($key, "update_")) {
        // Take the part after the underscore as the message ID
        $required_id = explode('_', $key)[1];
        // The ID and the new text come straight from the client and are
        // interpolated into the SQL unescaped
        $query = "UPDATE <db_name> SET `Message`='" . $_POST[$key] . "' WHERE `message_id`='" . $required_id . "'";
    }
}
```

This updates the DB with the new message for message_ID 12.

I am new to PHP and exploring basic data storage, update, retrieval and deletions in MySQL.

But the client can change the "name" of the input field and send another value to update. For example, if a client opens up Firebug and changes the "name" of the input box to "update_13", his operation is going to overwrite the Message of another user.

I tried researching this by trying out a status deletion on Facebook. From a first look at the POST data for the deletion, I could see some important parameters being sent:

impression_id=456ab622
profile_id=100005552221116
__user=100005552221116
story_fbid=540912345678911

For a post deletion, the associated ID looks like story_fbid. When I changed this to, say, 540912345678912 (last digit changed) and clicked on delete, FB takes a while and responds with an error message saying: "This operation cannot be done." This error message appears after the POST request to delete has been sent (with the modified story_fbid). The response to the POST request contains the error message, which is shown in a modal window.

I can think of a way in which the ID and its hash (MD5/SHA1/SHA2) are stored in the DB and, upon receipt of an ID, a hash of it is computed and, if it matches any row, that row in the DB is updated. However, there is a chance that (in our case) the hash of 13 might match some other row and hence perform an update operation.

Can you suggest any other secure ways in which we can validate that the client has not changed the values?

PostPosted: Sun Nov 24, 2013 7:29 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
It depends on the situation and how you want to deal with invalid input. The short, generic answer is that you determine what the input variables should have been and compare that against what you actually received.

PostPosted: Sun Nov 24, 2013 8:16 am 
Forum Newbie

Joined: Sun Nov 24, 2013 6:06 am
Posts: 2
A simple case to illustrate the issue:
Say I have a div:
<div id="image_11">Delete</div>
<div id="image_12">Delete</div>
<div id="image_13">Delete</div>
On click of any of the Delete DIVs, using jQuery I determine the ID of the clicked DIV and send it to the PHP script using an AJAX call.
Now the PHP script parses the string "image_ID" and fetches only the part after the underscore.
Then a MySQL query to delete the row with that ID is performed.

In this case, if the user changes "image_11" to "image_13" and clicks on the Delete that belongs to image_11,
the row with ID 13 will be deleted, which is not the expected behavior.
So using hashing, UUIDs or any other method, is there any way to detect this and throw back an error message?

PostPosted: Sun Nov 24, 2013 8:00 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
There's no way for you to know in your PHP because image_13 was also a valid option for the user. As far as you can tell they clicked the image_13 button instead of the image_11 button. And that's okay - it really doesn't matter.

Now, if they changed it to image_14 and they're not allowed to delete image_14, that's where you have to care. To prepare for that situation, pull down the information for image #14 and check if the user is allowed to delete it (e.g., they are the owner of that image). If so then it's the image_11/13 thing all over again and it doesn't matter, but if not then you can take some sort of action: maybe present an error message (which I don't like), or maybe ignore that action and continue on, which could end up resulting in no actions taken at all (which I do like).
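The ownership check described in the reply above, applied to the `update_N` fields from the first post, as an added example that is not code from either poster. It assumes a `messages` table with columns `message_id`, `owner_id` and `message`, and that the logged-in user's id lives in `$_SESSION['user_id']`; the PDO connection details are placeholders.

```php
<?php
// Added example: authorize by record owner, not by trusting the field name.
// Assumed schema: messages(message_id, owner_id, message); assumed session
// key: $_SESSION['user_id']. Connection parameters are placeholders.

// Pull the numeric id out of a field name such as "update_12".
// Anything that does not match the expected shape yields null.
function parseFieldId(string $key, string $prefix): ?int
{
    $pattern = '/^' . preg_quote($prefix, '/') . '(\d{1,18})$/';
    if (preg_match($pattern, $key, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

// "Pull down the information" for the row: who owns it? null if missing.
function loadOwner(PDO $db, int $messageId): ?int
{
    $stmt = $db->prepare('SELECT owner_id FROM messages WHERE message_id = :id');
    $stmt->execute([':id' => $messageId]);
    $owner = $stmt->fetchColumn();
    return $owner === false ? null : (int) $owner;
}

// Update one message only if the current user owns it. The owner_id in the
// WHERE clause repeats the check so a concurrent ownership change cannot
// slip between the SELECT and the UPDATE.
function updateOwnMessage(PDO $db, int $userId, int $messageId, string $text): bool
{
    if (loadOwner($db, $messageId) !== $userId) {
        return false; // row missing, or owned by someone else: ignore it
    }
    $stmt = $db->prepare(
        'UPDATE messages SET message = :msg WHERE message_id = :id AND owner_id = :owner'
    );
    $stmt->execute([':msg' => $text, ':id' => $messageId, ':owner' => $userId]);
    return true;
}

session_start();
$userId = (int) ($_SESSION['user_id'] ?? 0);
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

foreach ($_POST as $key => $value) {
    $id = parseFieldId((string) $key, 'update_');
    if ($id === null || !is_string($value)) {
        continue; // not one of our fields
    }
    if (!updateOwnMessage($db, $userId, $id, $value)) {
        error_log("user $userId sent update for message $id they do not own");
    }
}
```

Because the ids are bound as prepared-statement parameters, the client-controlled text from the original snippet also stops being interpolated into the SQL.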
