Verifying internal link


6 replies to this topic

#1 gausie


Posted 05 July 2006 - 08:47 PM

Hi everyone!

Great to be back - haven't visited for quite some time - and I return with a question!

To log out of my script, you send "lo=t" to a page. However, the website I am making allows user-customisable scripts, and so anyone feeling particularly vandalous might make a "fake" link that logs the visiting user out. How can I verify that the link was from the correct area?

I have the feeling I could make use of the SID but I don't know how!

Thanks

Sam
Inner Dreams My pen is there always - as inner dreams

Just remember: united, we are an idiot

#2 Orio


Posted 05 July 2006 - 08:50 PM

Can you explain this a bit better? I am having a hard time understanding.

Orio.
Think you're smarty?

(Gone until 20 to November)

#3 gausie


Posted 06 July 2006 - 06:46 AM

Ok

Well to log out, you click on a link that brings you to "index.php?lo=t"

The website has areas where users can have their own customised HTML

Someone could easily put a link like this "<a href="index.php?lo=t">Click here to go to my webpage</a>", but this link would instead log the viewer out.

How can I verify that the "Log Out" button is being pressed only from where I want it to be pressed?

#4 .josh


Posted 06 July 2006 - 07:22 AM

echo "<a href='index.php?lo=t&sess_id=" . $PHPSESSID."'>Logout</a>";

then check to see if sess_id exists and if so check to see if it matches up with the session id

this of course assumes that your allowing of custom html does not include allowing them to insert their own php as well...
Did I help you? Feeling generous? Buy me lunch! 
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the pricetag, and helps make this a higher quality free-help community :)

#5 gausie


Posted 07 July 2006 - 07:09 PM

$PHPSESSID is an empty variable... I end up with the link index.php?lo=t&v= with nothing afterwards!

Thanks

Sam

#6 gausie


Posted 07 July 2006 - 07:50 PM

Ok I did it using session_id() instead of $PHPSESSID

Thanks everyone!

Sam

#7 .josh


Posted 07 July 2006 - 08:03 PM

sorry. i meant this:

echo "<a href='index.php?lo=t&sess_id=" . session_id() ."'>Logout</a>";

i usually do like this: $PHPSESSID = session_id();

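One way to implement the check discussed in this thread, as an added example that is not code from any of the posters: it issues a separate random token per session instead of placing the session ID in the link, so the session ID stays out of URLs, and it compares the token in constant time. The function names and the `token` parameter are assumptions (`index.php` and `lo=t` are from the thread), and `random_bytes()` assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Function names and the
// "token" parameter are hypothetical; index.php and lo=t are from the thread.

session_start();

/** Return the per-session logout token, creating it on first use. */
function logout_token(): string
{
    if (empty($_SESSION['logout_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in a URL.
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

/** Build the logout link for pages the site itself renders. */
function logout_link(): string
{
    $query = http_build_query(['lo' => 't', 'token' => logout_token()]);
    return '<a href="index.php?' . htmlspecialchars($query, ENT_QUOTES) . '">Logout</a>';
}

/** True only if the request carries the token issued to this session. */
function is_valid_logout_request(array $get): bool
{
    $expected = $_SESSION['logout_token'] ?? '';
    $supplied = $get['token'] ?? '';
    return ($get['lo'] ?? '') === 't'
        && is_string($supplied)          // rejects token[]=... arrays
        && $expected !== ''              // no token issued yet: reject
        && hash_equals($expected, $supplied); // constant-time comparison
}

if (is_valid_logout_request($_GET)) {
    // Token matched: clear the session data and end the session.
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
}

// A plain index.php?lo=t link without the token falls through to here
// and the visitor stays logged in.
echo logout_link();
```

Sending the logout as a POST form with the token in a hidden field keeps the token out of URLs as well. The check holds only while user-supplied HTML cannot run script on pages that contain the link.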



