Rick_ Posted November 19, 2008
Hey, I'm new to this site, so I hope this is the right area to post this. I'm using a PHP file where there are variables added to the URL, and I need it so they cannot be changed. For example, the URL is: http://localhost/index.php?username=User1 Is there a way to stop people just changing this to User2, for example? This data is to do with login credentials, so I don't want people logging in under other people's accounts. I think masking the URL will only hide the information and doesn't protect it. I hope my problem is clear, and I hope you guys can help. Thanks, Rick_
premiso Posted November 19, 2008
No, there is not. The best way is to create a user login system which accesses a database to check credentials to secure it, and once the user is successfully logged in, use a session on each page to see if the user is logged in.
Rick_ Posted November 19, 2008 (Author)
Yeah, I know the best way is that, but I'm trying to patch something together where I have a JavaScript that gets the login information, but passes it to PHP where the sessions are handled etc. Thanks anyway.
limitphp Posted November 19, 2008
Maybe you could just hash the querystring and the value. Like you said, it wouldn't stop people from changing it, but it would help. So you could have: http://localhost/index.php?43kl5jl45jk5klj435klj435lkj35jk=23jkh54hlk6jl0kjkgo0jkh0g
chronister Posted November 19, 2008
If it goes through the URL then it can be changed by the end user. You should use $_POST variables instead of $_GET variables for this sort of thing. But hashing the var as mentioned will make it pretty difficult to determine another user's name.
Rick_ Posted November 19, 2008 (Author)
Here is an example of what I'm using:

<script type="text/javascript" language="javascript">
var userName = "User1";
// redirect to user.php with the name carried in the query string
window.location = "user.php?userName=" + userName;
</script>

<?php
$userName = $_GET['userName']; // read the name straight from the URL
//do stuff with $userName
?>
limitphp Posted November 19, 2008
Actually, now that I'm thinking about it... even if you hashed it, all someone would have to do is copy the complete URL with querystring, and bang... they become that user....
darkfreaks Posted November 19, 2008
<?php
// hash() takes the algorithm name as its first argument
$userName = hash('sha256', $_GET['userName']); // great way to hash
//do stuff with $userName
?>
xtopolis Posted November 19, 2008
> Actually, now that I'm thinking about it... even if you hashed it, all someone would have to do is copy the complete URL with querystring, and bang... they become that user....
^-- correct answer. No amount of hashing will secure the URL. I would suggest using a different method, just as premiso suggested.
Rick_ Posted November 19, 2008 (Author)
> > Actually, now that I'm thinking about it... even if you hashed it, all someone would have to do is copy the complete URL with querystring, and bang... they become that user....
> ^-- correct answer. No amount of hashing will secure the URL. I would suggest using a different method, just as premiso suggested.
Any suggestions? I really need information from JavaScript securely sent to PHP, which I see is a huge problem.
xtopolis Posted November 19, 2008
JavaScript is not secure when you depend on the client. What are you trying to do with the username? Is it a login? Is it a profile viewer? What is the point of having JavaScript redirect to a URL that you couldn't do otherwise with a form or link?
Rick_ Posted November 19, 2008 (Author)
I'm trying to get the Novell username off of the client (which I can do in JavaScript using an ActiveX control), then I want that username to be sent to our local intranet, which uses PHP. So I need the data obtained from JS to be able to communicate with PHP, and the only way I could personally think of was the $_GET method, which clearly has massive security flaws.
xtopolis Posted November 19, 2008
$_GET isn't flawed lol, just your implementation. The easiest way to go with your current implementation is to require the user to type in their password again when they are taken to the "assumed" page based off the username. I'm not familiar with Novell stuffs, so you may think about reposting a question about getting the Novell login credentials to hook in with your intranet site.. But anyway, you can keep your method, just require the person to re-enter their password to confirm it's them... create a session from there etc. It will be annoying having to do it all the time, but unless you can pull the data another way, you can't guarantee it's the user you think.
Rick_ Posted November 19, 2008 (Author)
Well, we were doing this to try to bypass a dual login. Might try a repost then. Thanks for the help so far, guys.
limitphp Posted November 19, 2008
> > > Actually, now that I'm thinking about it... even if you hashed it, all someone would have to do is copy the complete URL with querystring, and bang... they become that user....
> > ^-- correct answer. No amount of hashing will secure the URL. I would suggest using a different method, just as premiso suggested.
> Any suggestions? I really need information from JavaScript securely sent to PHP, which I see is a huge problem.
Well, really they could only get that URL with the querystring if they were sniffing your network.... I think...... I'm no hacker, but I don't think that's an easy thing to do. Or at least for an average joe like me. The only thing I can think of is to get SSL..... and encrypt it, which would take money.... Other than that..... redesigning is the only way.
premiso Posted November 19, 2008
If this is an intranet application, your only worry is someone on the intranet sniffing your packets. If it is out in the open via the internet, you have worries, as the amount of hops you have to go through to get to the website can be a ton. Especially if that person travels. Do a tracert on the IP of your host and it will tell you how many times your connection has to be bounced off another node to reach its destination. Each bounce could have a potential sniffer. Especially if a hacker looks at the JavaScript and realizes what it is doing, he can easily sniff out the data. Now you could try passing it via POST over GET, which is a bit more secure. I mean, for the most part about 85% of webpages with a login system only use POST to verify a user without SSL locked up. Rarely that data gets out. But if you are only checking a username, POST is flawed because anyone can create a form to post to your page and be logged in. The real key is to have a verification system. As I always see it, convenience for the user is 2nd to security of the user/company. If they have to type in a password to identify themselves, it is worth it to secure the system that much more. At least that is my 2 cents.
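The approach premiso and xtopolis describe (verify a secret server-side, then keep the identity in the session rather than the URL), shown as an added PHP example that is not code from the thread. The user table is a constructed in-memory array standing in for a database query, and the snippet assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not from the thread. Constructed user store: a real
// application would look the hash up in a database by username.
session_start();

$users = [
    'User1' => password_hash('user1-secret', PASSWORD_DEFAULT),
    'User2' => password_hash('user2-secret', PASSWORD_DEFAULT),
];

// The thread's original pattern: identity taken from a client-supplied
// value. Anyone can edit ?userName=User2, and hashing the value does not
// change that, because the hashed string is then the thing to copy.
function loginFromQueryString(array $get): ?string
{
    return isset($get['userName']) ? (string) $get['userName'] : null;
}

// Hardened form: the client may *claim* a username, but identity is only
// established by a secret the server can verify (the password), and the
// result is stored server-side in the session instead of in the URL.
function loginWithPassword(array $post, array $users): ?string
{
    $name = $post['userName'] ?? '';
    $pass = $post['password'] ?? '';
    if (!isset($users[$name]) || !password_verify($pass, $users[$name])) {
        return null;                 // unknown user or wrong password
    }
    session_regenerate_id(true);     // fresh session id after login
    $_SESSION['user'] = $name;
    return $name;
}

// Every protected page reads the session, never $_GET or $_POST.
function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Demonstration with constructed requests.
var_dump(loginFromQueryString(['userName' => 'User2']));  // "User2" with no proof at all
var_dump(loginWithPassword(['userName' => 'User2', 'password' => 'guess'], $users));        // NULL
var_dump(loginWithPassword(['userName' => 'User2', 'password' => 'user2-secret'], $users)); // "User2"
var_dump(currentUser());                                   // "User2", from the session
```

The username that JavaScript reads from the client can still be sent along as a convenience (to prefill the form), but the server treats it as a claim, not as proof.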