Is $_GET secure?
So I'm doing some basic ajax stuff, and I had a thought that perplexed me a little. What steps can I take to prevent somebody from simply checking source code for the external ajax script (i.e. someAjaxRequest.open("GET", "somescript.php" + SomeQueryString, true)) and updating somebody else's info? For example, one thing I changed in my script(s) was to use my session variables. Before, I was sending a uid in the javascript and then sending that to "somescript.php". Instead, I'm keeping all identifications "internal". The only other thing I could think about was creating arrays of valid parameters and validating against that array.
Maybe I'm just thinking too hard...
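An added example of the server-side side of what the OP describes (this is not code from the thread or from Arocity's portal): somescript.php takes the employee identity from the session set at login, never from the query string, and accepts only a fixed list of fields, which is the "array of valid parameters" idea. It assumes $db is a PDO connection, that the employees table has phone and office columns, and the specific whitelist patterns; all of those are assumptions, since the thread only shows the $db->query() call and the em_id column.

```php
<?php
// somescript.php, the AJAX handler behind
//   someAjaxRequest.open("GET", "somescript.php" + SomeQueryString, true)
// Added example, not the thread's code. Assumes $db is a PDO connection
// (hypothetical) and that employees has phone and office columns (hypothetical).
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// 1. Authentication: nothing happens without the session the login code created.
if (empty($_SESSION['logged_in']) || empty($_SESSION['em_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// 2. Whitelist of fields the client may change, with a format for each.
//    Anything not in this array is ignored no matter what the query string says.
$allowedFields = [
    'phone'  => '/^[0-9 +()-]{0,20}$/',      // assumed column and format
    'office' => '/^[A-Za-z0-9 -]{0,40}$/',   // assumed column and format
];
$updates = [];
foreach ($allowedFields as $field => $pattern) {
    if (!isset($_GET[$field])) {
        continue;
    }
    // phone[]=x arrives as an array; reject it instead of letting preg_match() throw.
    if (!is_string($_GET[$field]) || !preg_match($pattern, $_GET[$field])) {
        http_response_code(400);
        echo json_encode(['error' => "bad value for $field"]);
        exit;
    }
    $updates[$field] = $_GET[$field];
}
if ($updates === []) {
    http_response_code(400);
    echo json_encode(['error' => 'nothing to update']);
    exit;
}

// 3. Authorization: the row is chosen by the session, not by a uid the client
//    sent, so editing the JavaScript can only ever change the caller's own row.
$setClauses = [];
$params = [];
foreach ($updates as $field => $value) {
    $setClauses[] = "$field = :$field";  // $field comes from the whitelist above, not from the client
    $params[":$field"] = $value;
}
$params[':em_id'] = $_SESSION['em_id'];

$stmt = $db->prepare('UPDATE employees SET ' . implode(', ', $setClauses) . ' WHERE em_id = :em_id');
$stmt->execute($params);

echo json_encode(['ok' => true, 'updated' => array_keys($updates)]);
```

The example keeps GET to match the OP's open() call; since the request changes data, a POST with a per-session CSRF token is the better shape, and the whitelist and session check above work the same way with $_POST.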
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Is $_GET secure?
Using anything less than a hashed password or unique randomly generated identification code is too little for client-side programming, security-wise. You have to use methods of identifying users by something that cannot be easily replicated and something that is not available for public display in any way.
Re: Is $_GET secure?
Wrong question, I think.
The method to pass data has nothing to do with the authorization logic in your script, and it being an AJAX handler as well. Validate the input to ensure that the request comes from the right user. Post some code if you have doubts.
@superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Is $_GET secure?
Mordred wrote: @superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
Re: Is $_GET secure?
I see what you mean Mordred. That's pretty much what I'm referring to. I'm actually authenticating against Windows AD (ugh). That way there won't be any duplicate users. So if they successfully authenticate, I just set the session variable "em_id" to the username they used to log in.
Code:
// Empty credentials are refused up front: on many directories an LDAP bind with an
// empty password is treated as an anonymous bind and would succeed.
if ($_POST["adUser"] != "" && $_POST["adPassword"] != "")
{
    #Line 203
    #D:\Portal\ASF\Apache\conf\httpd.conf.LDAP
    $adServer = "www.ihateiis.com";
    $p_adUser = addslashes($_POST["adUser"]);
    $p_adPassword = addslashes($_POST["adPassword"]);
    $adUser = $p_adUser;
    $adPassword = $p_adPassword;
    // Connect to the directory server.
    $ad = ldap_connect("ldap://" . $adServer)
        or die("Couldn't connect to AD!");
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    if ($ad)
    {
        $bd = ldap_bind($ad, $adUser, $adPassword); // Bind to the directory server with the user's own credentials.
        if ($bd)
        {
            $_SESSION["em_id"] = $p_adUser; // Let's save the username
            $em_id = $_SESSION["em_id"];
            $_SESSION["logged_in"] = 1;
            $format = "Y-m-d H:i:s";
            $timestamp = date($format);
            $db->query("UPDATE employees SET last_login = '$timestamp' WHERE em_id = '$em_id'");
            // The username came from POST, so escape it before echoing it into HTML.
            echo "<br /><br />You are now logged in as <b>" . htmlspecialchars($p_adUser) . "</b>.";
        }
        else
        {
            $msg = "Your login information is invalid. Try again.<br /><br />";
            show_form("f_login", $msg);
        }
        ldap_unbind($ad);
    }
}
Re: Is $_GET secure?
superdezign wrote: Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
Re: Is $_GET secure?
The login looks okay (but I don't know anything about ldap and the possible dangers, so don't take my opinion on that), but I thought your problem was with the ajax handler, so rather show that one.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Is $_GET secure?
Arocity wrote: So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
Right. Except, it'd be better to use an ID that wouldn't remain static from one login to another, sort of like "Remember Me" functions work in systems like phpBB.
Re: Is $_GET secure?
superdezign wrote: Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
Arocity wrote: So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
If you do that, make sure to also protect against session-based attacks (hijacking and fixation).
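An added example, not code from the thread, of what the last few replies describe together: superdezign's randomly generated identifier that changes on every login, stored in the database, and the session fixation and hijacking protections the reply above asks for. It reuses the $_SESSION["em_id"] / $_SESSION["logged_in"] layout and the employees.last_login column from Arocity's login code; the login_token column, the PDO connection in $db and the function names are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes: $db is a PDO connection
// (hypothetical) and employees has a login_token column (hypothetical)
// alongside the em_id and last_login columns shown in the thread.
declare(strict_types=1);

// Cookie hardening has to happen before session_start().
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session cookie
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Call this once, where the thread's code does "if ($bd)" after ldap_bind().
function on_login_success(PDO $db, string $user): void
{
    // Fixation: discard whatever session id the browser had before login, so an
    // id planted in the victim's browser beforehand is worthless afterwards.
    session_regenerate_id(true);

    // A fresh random identifier for this login. Only its hash goes to the
    // database, so a dump of the table does not hand out live tokens.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'UPDATE employees SET login_token = :hash, last_login = :ts WHERE em_id = :user'
    );
    $stmt->execute([
        ':hash' => hash('sha256', $token),
        ':ts'   => date('Y-m-d H:i:s'),
        ':user' => $user,
    ]);

    $_SESSION['em_id']       = $user;
    $_SESSION['logged_in']   = 1;
    $_SESSION['login_token'] = $token;
}

// Call this at the top of every AJAX handler; it returns the employee id to use.
function require_login(PDO $db): string
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['em_id']) || empty($_SESSION['login_token'])) {
        deny();
    }
    $stmt = $db->prepare('SELECT login_token FROM employees WHERE em_id = :user');
    $stmt->execute([':user' => $_SESSION['em_id']]);
    $stored = $stmt->fetchColumn();

    // A newer login (or a logout, which clears the column) replaces the token,
    // so a session captured earlier stops working instead of living on.
    if ($stored === false || $stored === null
        || !hash_equals((string) $stored, hash('sha256', $_SESSION['login_token']))) {
        session_destroy();
        deny();
    }
    return $_SESSION['em_id'];
}

function on_logout(PDO $db): void
{
    if (!empty($_SESSION['em_id'])) {
        $stmt = $db->prepare('UPDATE employees SET login_token = NULL WHERE em_id = :user');
        $stmt->execute([':user' => $_SESSION['em_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

function deny(): void
{
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'not logged in']);
    exit;
}
```

In the thread's login code, on_login_success($db, $p_adUser) replaces the three $_SESSION assignments and the last_login UPDATE inside if ($bd); the AJAX handler then starts with $em_id = require_login($db) and uses that value, never a uid from the query string, in its WHERE clause.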