
[SOLVED] Security question.


Defibber


I am building a dynamic site for my fire department.  I have been searching here and elsewhere for ideas and answers.  In the public area the visitor can view a grouped list of personnel.  They click on the link and it passes the "staffID" via $_GET[] to a detail page.  I have seen where people have suggested that that isn't safe because people can obviously modify the URL and "go fishing".  Currently there is nothing to hide in that section, but what are the general thoughts?

 

The reason I ask is that in a private section I plan on setting up a database of contact information for staff and other important contact numbers (such as non-published numbers).  I am going to talk the chief into purchasing an SSL certificate and all, but will that "hide" the information in the browser from unauthorized people?  I will password-protect the viewing pages, but I don't want a hacker to get the contact ID and find a way to pull the information some other way.

 

Do I have valid concerns, or am I paranoid?  I just don't want the information readily available.  I have seen where there are pros and cons to $_POST and $_GET; would it be more secure to set the "selected" ID into a SESSION via a link?  If that is possible, how would that be accomplished?  I have looked without luck.

 

Thanks


GET and POST are not secure in any way. They both can be modified by the user.

 

Using GET is fine, as long as you validate the input for each operation/page.

 

If you validate properly, even if a hacker guesses a secret ID number, the information won't be available.


You're going to need to create a user/password scheme here. It's by far the easiest way and it makes the most sense.

 

When a browser requests the page index.php?page=staffID you have to make sure that user is legit... There are TONS of tutorials out there for a login system... but even those are prone to attack.

 

Check out a tutorial, write your own, or attempt it, and come back here. We'll help you find any opening you may have forgotten or not noticed :) Happy coding.


I've got the login already set up.  I guess to better explain (I guess I should have done this earlier), here is a link to an existing public page: http://www.kearneyfire.org/personnel.php.  The plan is to create a "details page" for the personnel (such as picture, send message, duties and such).  I have started the replacement site/page to use a link like details.php?staffID=1, but I am trying to get ideas for the more sensitive information such as after-hours contacts and such.  I have a basic knowledge of sessions, PHP and MySQL.  I know how to have the detail page pull from MySQL with WHERE contID = $_SESSION['contID'] (or set the variable and pass it along), but I just can't figure out how to click on a link to set $_SESSION['contID'] to the selected contact (or staff).

 

Hope that makes sense ::)


I'm not entirely following you.

 

I'm assuming you have a login/password form? All you have to do is set a session var that the user is logged in, and check for that session var every time sensitive information might be displayed.

 

echo $name . ( isset($_SESSION['loggedIn']) ? " Email: $email" : "");

 

for example


That's not quite what I was looking for... sorry if I lost you  :-[

 

This is an example of what I have employed now:

<a href="staff_detail.php?staffID=<?php echo (int) $row_rsStaff['staffID']; ?>"><?php echo htmlspecialchars($row_rsStaff['f_name'] . ' ' . $row_rsStaff['l_name']); ?></a>

 

but I want to create a link that would set a SESSION such as $_SESSION['selected_staff'] to whoever I selected, and then the detail page would set $_SESSION['selected_staff'] for the MySQL WHERE statement.

 

I hope this clears it up :D


I thought I understood your issue, yet reading through I'm less sure; however, concerning this,

...people have suggested that that isn't safe because people can obviously modify the url and "go fishing"...

I considered this the other day, thinking that I should use usernames instead, then they can't just increment the number to trawl the DB. I liked the idea of md5'ing the identifier, but if you take an ID, hash it, send it, retrieve it, compare it... it doesn't appear to be any different except there's a process being thrown in for 'good' measure. If you were to do such a thing, I might suggest salting it with the ID/name of the requesting user (supposing that they are logged in).


Well, that way works fine... you just have to make sure that the GET value is a number.. and everything else is fine :)

 

is_numeric() will probably help with that.

 

My solution was more along the lines of hiding the information from random visitors.

 

The only reason using GET variables is unsafe is because they can be used for injection... here's a quick example (using POST instead of GET, but it's the same vulnerability)

 

$q = 'SELECT `accessLevel` FROM `users` WHERE `username` = \''. $_POST['user'] .'\' AND `password` = \''. $_POST['password'] .'\'';

 

Now, imagine if someone types in the password.. ' OR `username`='Administrator

 

The query now becomes

 

SELECT `accessLevel` FROM `users` WHERE `username` = 'someuser' AND `password` = '' OR `username` = 'Administrator'

 

The query will return the administrator's access level, giving the attacker full access to your script...

 

This can be solved easily by sanitizing input... in this case, stripping or escaping quotes... in your case, checking to see that the Id is a number :)

 

Once this is done, using ?staffID=## is perfectly safe :)

 

If it's a page you only want certain users to see, you have to check for permission in some way. Only obscuring its location is never smart ;)

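The injection walkthrough in the post above, as an added example that is not code from the thread: the string-built login query beside a prepared-statement version, plus a strict integer check for a key such as staffID. It runs against an in-memory SQLite table constructed here (the users table, its rows and the hypothetical accessLevel* function names are all assumptions of this example), so it executes offline with the PHP CLI and pdo_sqlite.

```php
<?php
// Added example (not code from the thread): the string-built login query from
// the post above next to a prepared-statement version. Both run against an
// in-memory SQLite table constructed here so the file executes offline with
// the PHP CLI (pdo_sqlite). Passwords are stored in clear only to mirror the
// post; a real users table stores password_hash() output and compares with
// password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT, accessLevel INTEGER)');
$db->exec("INSERT INTO users VALUES ('Administrator', 'hunter2', 9), ('someuser', 'pass123', 1)");

// Vulnerable: untrusted strings spliced into the SQL text, as in the post.
function accessLevelVulnerable(PDO $db, string $user, string $password): ?int
{
    $q = "SELECT accessLevel FROM users WHERE username = '" . $user
       . "' AND password = '" . $password . "'";
    $row = $db->query($q)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['accessLevel'];
}

// Hardened: placeholders. The values travel separately from the SQL text, so a
// quote inside $password is compared as data and cannot change the WHERE clause.
function accessLevelPrepared(PDO $db, string $user, string $password): ?int
{
    $stmt = $db->prepare('SELECT accessLevel FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['accessLevel'];
}

// For an integer key such as staffID, reject anything that is not a positive
// integer before it gets near a query. is_numeric() alone also accepts forms
// such as "1e3" or " 1", and a ?staffID[]=1 request arrives as an array.
function staffIdFromRequest(array $get): ?int
{
    if (!isset($get['staffID']) || !is_string($get['staffID'])
        || !preg_match('/^[1-9][0-9]*$/', $get['staffID'])) {
        return null;
    }
    return (int) $get['staffID'];
}

// The payload from the post, typed into the password field.
$payload = "' OR username='Administrator";

// With the string-built query the WHERE clause becomes
//   username = 'someuser' AND password = '' OR username='Administrator'
// and the Administrator row comes back; with the prepared statement no row matches.
var_dump(accessLevelVulnerable($db, 'someuser', $payload));
var_dump(accessLevelPrepared($db, 'someuser', $payload));

// Only the first of these is accepted as a staffID.
var_dump(staffIdFromRequest(['staffID' => '12']));
var_dump(staffIdFromRequest(['staffID' => '12 OR 1=1']));
```

Escaping quotes, as the post suggests, closes this particular hole, but binding parameters removes the whole class: the query text is fixed before any user value is seen, so there is nothing left to escape correctly.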

What I'm trying to prevent is, if there are multiple groups and you are only allowed to see the details of your group members, then changing the ID in the request would let you trawl the DB, whereas using the name would restrict you to users whose login usernames you know (many more variations). However they can still trawl (albeit limited), therefore md5 the name with a salt of the hour/day.

 

For escaping see this.

 

Yes, GET and POST are equally abusable, there are many ways to generate POST packets, I tend to use telnet to test my security in this area...


Again, you're simply hiding the information, not protecting it.

 

If there is something you want to protect, set up a user/password/access scheme. On the page with the info you want protected, check the access level of the current user. If it is insufficient, redirect and exit.

 

Any other way is still open to abuse. Generating dynamic links (changing salt and hash) is annoying (for those who like to use favourites).

 

Even then, it's as simple as copying and pasting the link, or even viewing the history of someone that has browsed the site.

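The advice in the post above (check the current user's access level on the protected page and stop if it is insufficient), together with the earlier concern about members of one group trawling another group's records by changing the ID, as an added example that is not code from the thread. The contacts table, the group/level scheme, the session keys (loggedIn, accessLevel, groupID) and the function names are assumptions made here; the table is an in-memory SQLite one so the file runs offline with the PHP CLI and pdo_sqlite.

```php
<?php
// Added example, not code from the thread. It models the advice above for a
// page such as details.php?contID=3: check the logged-in user's access level
// and the record's group before showing after-hours numbers, and otherwise
// stop. The contacts table, the group/level scheme and the session keys
// (loggedIn, accessLevel, groupID) are assumptions made here; the table is an
// in-memory SQLite one so the file runs offline with the PHP CLI (pdo_sqlite).
// Session and request data are passed in as arrays so the checks can be run
// from the command line; in the real page they come from $_SESSION (after
// session_start()) and $_GET.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (contID INTEGER PRIMARY KEY, groupID INTEGER, name TEXT, afterHours TEXT)');
$db->exec("INSERT INTO contacts VALUES
    (1, 1, 'Station 1 captain', '555-0101'),
    (2, 1, 'Station 1 officer', '555-0102'),
    (3, 2, 'Station 2 captain', '555-0201')");

const LEVEL_STAFF = 1; // may see after-hours numbers for their own group only
const LEVEL_CHIEF = 2; // may see every group

// Returns the contact row this user may see, or null. The group restriction
// lives in the SQL itself, so a guessed contID from another group yields no
// row rather than a leaked one; the ID being visible in the URL no longer matters.
function contactForUser(PDO $db, array $session, array $get): ?array
{
    // 1. Authenticated: the login form sets these on success.
    if (empty($session['loggedIn']) || !isset($session['accessLevel'], $session['groupID'])) {
        return null;
    }
    // 2. Well-formed ID: positive integer only.
    if (!isset($get['contID']) || !is_string($get['contID'])
        || !preg_match('/^[1-9][0-9]*$/', $get['contID'])) {
        return null;
    }
    $contID = (int) $get['contID'];

    // 3. Authorized for this particular record.
    if ((int) $session['accessLevel'] >= LEVEL_CHIEF) {
        $stmt = $db->prepare('SELECT * FROM contacts WHERE contID = ?');
        $stmt->execute([$contID]);
    } else {
        $stmt = $db->prepare('SELECT * FROM contacts WHERE contID = ? AND groupID = ?');
        $stmt->execute([$contID, (int) $session['groupID']]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the details page does with the result. On failure the real page would
// send header('Location: login.php') (or a 403) and exit before any output.
function renderDetails(PDO $db, array $session, array $get): string
{
    $row = contactForUser($db, $session, $get);
    if ($row === null) {
        return 'not available';
    }
    return htmlspecialchars($row['name'] . ': ' . $row['afterHours'], ENT_QUOTES, 'UTF-8');
}

$anon  = [];
$staff = ['loggedIn' => true, 'accessLevel' => LEVEL_STAFF, 'groupID' => 1];
$chief = ['loggedIn' => true, 'accessLevel' => LEVEL_CHIEF, 'groupID' => 1];

echo renderDetails($db, $anon,  ['contID' => '1']), PHP_EOL; // not logged in: refused
echo renderDetails($db, $staff, ['contID' => '1']), PHP_EOL; // own group: shown
echo renderDetails($db, $staff, ['contID' => '3']), PHP_EOL; // other group: refused although the ID exists
echo renderDetails($db, $chief, ['contID' => '3']), PHP_EOL; // chief: shown
echo renderDetails($db, $staff, ['contID' => '3 OR 1=1']), PHP_EOL; // malformed ID: refused
```

The check runs on every request for the page, not only at login, and the decision is made from server-side session state rather than from anything in the URL; that is what makes bookmarking, link sharing or incrementing the ID harmless, whereas hashing or rotating the identifier only changes what the guesser has to guess.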

He's already stated that there is a login system.

 

If you're using GET or POST then the link in the bookmark will still take you to the right place, just not show the relevant info, but that should only be a single click away.

 

To complicate things even more, you could use a lookup system of refs, where on each generation of the page a list of refs is added to a table which also refs the page with an ID. These entries are then nullified or deleted once one has been used. I can see issues, but hey, if you want security... This is similar to the proper implementation of the CAPTCHA protocol.


Ok, thanks for all of your help.  You have given me some good ideas to work with.  I don't think it will be too big of a problem to get the boss to get the SSL, but I just want to make it as secure as possible.  In the past we had used a canned CMS with security and we were still getting hacked more and more regularly, so I decided to do it on my own.  I figured if I can barely get it to run  ;) then it shouldn't take much to lock someone out  ::) or at least lock it up. lol.

 

Thanks again for the help.
