what should i do for security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

I have made an MIS application in PHP+MySQL.
All pages have been made.

I have three levels of user: students, teachers and special users (admins), all in different tables.

For now, when a user logs in with the correct password I start a session with user_id and check the user_id session in subsequent pages using an if clause:
if yes (user_id session), go to the page; if no, go to the login page.


But I want teachers to be able to view the data of students (but students cannot view teachers' data),
so admins can view all data.

Here are some problems.

Is creating a session like this the right and reliable way to implement security zones?
And what about students just going to the browser history and opening a page that was once opened by the teacher on the same computer?

What if they use
http://www......com?uid=101
directly, knowing the uid?

And third, as I create the student's user_id session only when a student logs in, would teachers be able to get into those pages, as no session for them is created and the session will be checked in the subsequent student-access pages (the same coded pages would be seen by teachers)?


Could somebody suggest or provide me with something (ideas, downloads, books, anything)
to solve this problem?
I would be very grateful.
What should I implement, and how?
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

If you're using session variables then the students wouldn't be able to do ?uid=101 because of the way PHP processes variables...

It first sets GET,
then POST,
then Cookies,
then Session.

If you pass uid in GET (uid=101) but you have a session variable named uid, then uid = the session value, not the GET.

Passing anything like uid or passwords/usernames/whatnot over the GET method is an extreme security risk and a no-no if the information is valuable. Use either POST or sessions. Sessions are most secure for holding IDs and such temporarily.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: what should i do for security

Post by josh »

rami wrote: what if they use
http://www......com?uid=101
directly knowing uid....
That's why you either:

a) use cookie-only session management, and have the cookie reside only in browser memory;
b) have a logout button that destroys the session.

Sequalit wrote:use either POST or Sessions......
POST can be edited just as easily as GET. As a matter of fact, anything being submitted with the request should be regarded as untrusted input. As a golden rule you must assume all input coming in has been tampered with, unless you can determine otherwise.
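As an added example (not code from this thread or from rami's application), here is how the two points above are usually put into practice in PHP: the session cookie is the only carrier of identity and lives only in browser memory, every protected page reads the user from $_SESSION and never consults a uid in the query string, and logout destroys the session on the server and expires the cookie. The file names (auth.php, login.php), the helper names, and the 15-minute idle limit are assumptions for illustration.

```php
<?php
// auth.php (assumed name) - added example, not code from the thread.

// Session hardening; must run before session_start(). The same settings
// could be placed in php.ini instead.
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... in the URL
    ini_set('session.use_strict_mode', '1');    // reject session IDs the server did not issue
    ini_set('session.cookie_httponly', '1');    // JavaScript cannot read the cookie
    ini_set('session.cookie_lifetime', '0');    // cookie lives in browser memory only
    // ini_set('session.cookie_secure', '1');   // enable when the site is served over HTTPS
    session_start();
}

// Call after the username/password check has succeeded, and after
// secure_session_start(). $role is 'student', 'teacher' or 'admin';
// $id is the primary key in the matching table.
function login(string $role, int $id): void
{
    session_regenerate_id(true);          // fresh ID: a pre-login ID cannot be reused (session fixation)
    $_SESSION['user_id']   = $id;
    $_SESSION['role']      = $role;
    $_SESSION['last_seen'] = time();
}

// The logout button: wipe the data, expire the cookie, drop the server-side record.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Put at the top of every protected page. Identity comes only from
// $_SESSION; a ?uid=101 in the URL is simply never read here.
function require_login(): array
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
        header('Location: /login.php');
        exit;
    }
    // Assumed 15-minute idle limit, so a teacher who forgets to log out on a
    // shared machine does not leave a live session behind indefinitely.
    if (time() - (int) $_SESSION['last_seen'] > 900) {
        logout();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_seen'] = time();

    // Stop the browser caching the page, so Back/history on a shared machine
    // does not show the previous user's data after they have logged out.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');

    return ['user_id' => (int) $_SESSION['user_id'], 'role' => $_SESSION['role']];
}
```

A protected page then does `require 'auth.php'; secure_session_start(); $me = require_login();` and queries with `$me['user_id']`, never with `$_GET['uid']`. Note what the two measures do and do not cover: the no-store headers and the memory-only cookie stop the browser from replaying a page out of its cache or carrying the cookie across a browser restart, but as long as a teacher's session is still alive on the server, anyone at that keyboard with that browser window open is the teacher; only the logout (or the idle limit) closes that window.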
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

POST can be edited just as easily as GET
I didn't know that, hehe... I figured it was just as secure.
rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

Thanks for the reply.

OK, here is the straight problem:
when a student logs in, I do (if the password and username are correct)
session[user_id].....................

That is the user_id column of the student table, the primary key.

But the page should be viewable by teachers also.
When teachers log in I do
session[tid]..................
tid is in the teacher table, the primary key.

So what should I do?

Can I just do
if (session[user_id] OR session[tid])
while checking the session at the beginning of a page
which should be viewed by both?

Will it solve my problem?

I am not that worried about other exploitation for now, as it will run on an intranet and will just be in testing for maybe 6 months.

But as the pages will run on an intranet, on one page many sessions will be created and destroyed;
maybe if somebody forgets to log out then it will be a problem,
especially if a special user has privileges like a senior professor.

Anyway, let's solve that problem first.
Any help?
Thanks.
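An `if (session[user_id] OR session[tid])` test answers only "is somebody logged in"; it cannot say whether this particular user may see this particular student's row, and because user_id and tid are primary keys of different tables, the number 7 alone does not even say which table it belongs to. An added example (not code from the thread) of the usual alternative: every login path writes the same two session keys, user_id and role, and one pair of helpers decides both the page-level question (which roles may open the page) and the record-level question (may this user see this student). The role names, helper names and file names are assumptions; the sessions in the demo at the bottom are constructed.

```php
<?php
// authz.php (assumed name) - added example, not code from the thread.

const ROLE_STUDENT = 'student';
const ROLE_TEACHER = 'teacher';
const ROLE_ADMIN   = 'admin';

// Page-level check: is someone logged in, and is their role one of those
// allowed to open this page? $session is $_SESSION in real use; it is a
// parameter here so the logic can be exercised offline.
function role_allowed(array $session, array $allowed_roles): bool
{
    return isset($session['user_id'], $session['role'])
        && in_array($session['role'], $allowed_roles, true);
}

// Record-level check: may this logged-in user see student $student_id?
//   admin   -> any student
//   teacher -> any student (the rule stated in the thread)
//   student -> only their own row, whatever id the URL asked for
function can_view_student(array $session, int $student_id): bool
{
    if (!role_allowed($session, [ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN])) {
        return false;
    }
    switch ($session['role']) {
        case ROLE_ADMIN:
        case ROLE_TEACHER:
            return true;
        case ROLE_STUDENT:
            return (int) $session['user_id'] === $student_id;
    }
    return false;
}

// Teacher records: students are never allowed; a teacher sees only their own.
function can_view_teacher(array $session, int $teacher_id): bool
{
    if (!role_allowed($session, [ROLE_TEACHER, ROLE_ADMIN])) {
        return false;
    }
    return $session['role'] === ROLE_ADMIN || (int) $session['user_id'] === $teacher_id;
}

// Guard for a real page such as view_student.php (assumed name). The
// requested id comes from the URL, but the decision comes from the session.
function require_view_student(array $session, $requested_id): int
{
    $id = filter_var($requested_id, FILTER_VALIDATE_INT);
    if ($id === false || !can_view_student($session, $id)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $id;
}

// Offline demo with constructed sessions (run: php authz.php).
if (PHP_SAPI === 'cli') {
    $student101 = ['user_id' => 101, 'role' => ROLE_STUDENT];
    $teacher7   = ['user_id' => 7,   'role' => ROLE_TEACHER];
    $nobody     = [];

    var_dump(can_view_student($student101, 101)); // a student on their own record
    var_dump(can_view_student($student101, 102)); // a student trying ?uid=102
    var_dump(can_view_student($teacher7, 102));   // a teacher on a student's record
    var_dump(can_view_teacher($student101, 7));   // a student on a teacher's record
    var_dump(can_view_student($nobody, 101));     // no session at all
}
```

In a page the call is `$id = require_view_student($_SESSION, $_GET['uid'] ?? null);` followed by the query for that id. The student session passes only on its own id and is refused on 102 and on any teacher record; the teacher session passes on any student; the empty session is refused everywhere. A single login routine that sets `role` from whichever table matched the credentials replaces the separate user_id/tid session keys, and adding the senior-professor case later is a new role and a new case in the switch, not another OR in every page.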
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

try it.
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

What feyd said....

feyd said:
try it.