Is $_GET secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
Arocity
Forum Newbie
Posts: 15
Joined: Tue Jun 10, 2008 8:30 am
Location: Washington, DC

Is $_GET secure?

Post by Arocity »

So I'm doing some basic ajax stuff, and I had a thought that perplexed me a little. What steps can I take to prevent somebody from simply checkin' source code for the xternal ajax script (i.e. someAjaxRequest.open("GET", "somescript.php" + SomeQueryString, true)) and updating somebody else's info? For example, one thing I changed in my script(s) was to use my session variables. Before, I was sending a uid in the javascript and then sending that to "somescript.php". Instead, I'm keeping all identifications "internal". The only other thing I could think about was creating arrays of valid parameters and validating against that array.

Maybe I'm just thinkin too hard...
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Is $_GET secure?

Post by superdezign »

Using anything less than a hashed password or unique randomly generated identification code is too little for client-side programming, security-wise. You have to use methods of identifying users by something that cannot be easily replicated and something that is not available for public display in any way.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is $_GET secure?

Post by Mordred »

Wrong question, I think.
The method to pass data has nothing to do with the authorization logic in your script, and it being an AJAX handler as well. Validate the input to ensure that the request comes from the right user. Post some code if you have doubts.

@superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Is $_GET secure?

Post by superdezign »

Mordred wrote:@superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
User avatar
Arocity
Forum Newbie
Posts: 15
Joined: Tue Jun 10, 2008 8:30 am
Location: Washington, DC

Re: Is $_GET secure?

Post by Arocity »

I see what you mean Mordred. That's pretty much what I'm referring to. I'm actually authenticating against Windows AD (ugh). That way there won't be any duplicate users. So if they successfully authenticate, I just set the session variable "em_id" to the username they used to login.

Code: Select all

 
if ($_POST["adUser"] != "" && $_POST["adPassword"] != "")
{
    #Line 203 
    #D:\Portal\ASF\Apache\conf\httpd.conf.LDAP
    
    $adServer = "www.ihateiis.com";
    
    $p_adUser       = addslashes($_POST["adUser"]);
    $p_adPassword   = addslashes($_POST["adPassword"]);
    
    $adUser = $p_adUser;
    
    $adPassword = $p_adPassword;
    
    // Connect to the directory server.
    $ad = ldap_connect("ldap://" . $adServer) 
    or die("Couldn't connect to AD!");
    
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
 
    if ($ad)
    {
        $bd = ldap_bind($ad, $adUser, $adPassword);     // Bind to the directory server.
 
    if ($bd)
    {
        $_SESSION["em_id"] = $p_adUser;         //Let's save the username
        $em_id = $_SESSION["em_id"];
 
        $_SESSION["logged_in"] = 1;
        $format = "Y-m-d H:i:s";
        $timestamp = date("$format");
        
 
        $db->query("UPDATE employees SET last_login = '$timestamp' WHERE em_id = '$em_id'");
        echo "<br /><br />You are now logged in as <b>$p_adUser</b>.";
    }
        else
        {
            $msg = "Your login information in invalid. Try again.<br /><br />";
            show_form("f_login",$msg);
        }
    
    ldap_unbind($ad);   
    }
}
 
User avatar
Arocity
Forum Newbie
Posts: 15
Joined: Tue Jun 10, 2008 8:30 am
Location: Washington, DC

Re: Is $_GET secure?

Post by Arocity »

Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is $_GET secure?

Post by Mordred »

The login looks okay (but I don't know anything about ldap and the possible dangers, so don't take my oppinion on that), but I thought your problem was with the ajax handler, rather show that one.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Is $_GET secure?

Post by superdezign »

Arocity wrote:So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
Right. Except, it'd be better to use an ID that wouldn't remain static from one login to another, sort of like "Remember Me" functions work in systems like phpBB.
LBmtb
Forum Newbie
Posts: 23
Joined: Wed May 14, 2008 11:14 am

Re: Is $_GET secure?

Post by LBmtb »

Arocity wrote:
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
If you do that, make sure to also protect against session based attacks (hijacking and fixation).
Post Reply