jacko_162 Posted March 24, 2010

I have a users script where they can add content, edit and delete, but I have just found out it's easy to delete another user's data by typing in: "delete.php?ID=28&db=tests". Is there any way I can stop this happening? What's my best route of action? I am using sessions, so for now I have added to the remove-from-database SQL command "where ID=$ID AND member_id=$session[SESS_MEMBER_ID]", which has temporarily put a stop to it, but I need it to throw up an error if the member_id doesn't match. Here is my delete.php code:

```php
<?php
session_start();
include('Includes/auth.php');
require_once('header.php');
// $ID and $db come straight from the query string via register_globals
// (delete.php?ID=28&db=tests); nothing here checks who owns the row.
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf8"/>
<title>Index</title>
<script type="text/javascript">
<!--
function delayer(){
    window.location = "tests.php"
}
//-->
</script>
</head>
<body class="cloudy" onLoad="setTimeout('delayer()', 3000)">
<table width="60%" border="0" align="center" cellpadding="2" cellspacing="2">
<tr>
<td width="40%" valign="top">
<div class="content-box">
<div class="content-box-header">
<h3>Your results Has Been Removed!!</h3>
</div>
<div class="content-box-content">
<div>
<h4>&nbsp;</h4>
<table width="100%" border="0" cellspacing="0" cellpadding="4">
<tr>
<td colspan="7" valign="top"><form class="basic" action="" method="post" enctype="multipart/form-data"><!-- Default basic forms -->
<div class="inner-form">
<!-- error and information messages -->
<div class="notification attention png_bg">
<a href="#" class="close"><img src="img/cross_grey_small.png" title="Close this notification" alt="close" /></a>
<div>
Your results has been removed successfully, you will now be re-directed.
</div>
</div>
<?php
$sql = "DELETE FROM $db WHERE ID=$ID AND member_id=$_SESSION[SESS_MEMBER_ID]";
// Run the DELETE once and report a database error if it fails.
if (@mysql_query($sql)) {
    echo('');
} else {
    echo('Error' . mysql_error());
}
?>
</div>
</form>
</td>
</tr>
</table>
</p>
</div>
</div> <!-- End .content-box-content -->
</td>
</tr>
</table>
</body>
</html>
```

Is it possible to check the member_id of the results against the member_id of the session BEFORE performing the SQL query, and if it matches perform the query, and if not DON'T perform the query and throw up an echo command with error text? Any help would be greatly appreciated.
MatthewJ Posted March 24, 2010

> Is it possible to check the member_id of the results against the member_id of the session BEFORE performing the SQL query, and if it matches perform the query, and if not DON'T perform the query and throw up an echo command with error text?

Yup,

```php
if ($member_id == $_SESSION['member_id']) {
    // Delete
} else {
    // Don't
}
```

You should replace this too:

```php
$sql = "DELETE FROM $db WHERE ID=$ID AND member_id=$_SESSION[SESS_MEMBER_ID]";
// Execute once; only the failure case needs any output.
if (!@mysql_query($sql)) {
    echo('Error' . mysql_error());
}
```

There is no reason to echo ''; just check for failure and echo the error.
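The check MatthewJ describes, as an added example that is not from this thread: the ownership condition and a table allow-list in one parameterized DELETE, so a non-owner's request matches no row and is reported as an error. It uses PDO with an in-memory SQLite table and constructed sample rows in place of the thread's mysql_* calls so it runs stand-alone; member id 5 stands in for $_SESSION['SESS_MEMBER_ID'].

```php
<?php
// Added example (not the thread's code): an ownership-checked delete that
// refuses rows the current member does not own, runs the query exactly once,
// and never interpolates request input into SQL.

// Only tables the UI may delete from. The URL's &db= value is looked up
// here and never used as a table name directly.
const DELETABLE_TABLES = ['tests' => 'tests'];

function deleteOwnRow(PDO $pdo, string $table, string $rawId, int $sessionMemberId): array
{
    if (!isset(DELETABLE_TABLES[$table])) {
        return ['ok' => false, 'error' => 'Unknown table'];
    }
    if (!ctype_digit($rawId)) {
        return ['ok' => false, 'error' => 'Invalid ID'];
    }
    $id = (int) $rawId;

    // Both conditions in one statement: a row owned by someone else simply
    // does not match, so there is no check-then-delete window to race.
    $stmt = $pdo->prepare(
        'DELETE FROM ' . DELETABLE_TABLES[$table] . ' WHERE ID = :id AND member_id = :member'
    );
    $stmt->execute([':id' => $id, ':member' => $sessionMemberId]);

    if ($stmt->rowCount() === 0) {
        // Missing row and foreign row are reported identically so that the
        // response does not reveal which IDs exist.
        return ['ok' => false, 'error' => 'These results do not belong to you'];
    }
    return ['ok' => true, 'error' => null];
}

// Constructed sample data: row 28 belongs to member 5, row 29 to member 7.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tests (ID INTEGER PRIMARY KEY, member_id INTEGER NOT NULL)');
$pdo->exec('INSERT INTO tests (ID, member_id) VALUES (28, 5), (29, 7)');

$sessionMember = 5; // stands in for $_SESSION['SESS_MEMBER_ID']
// Member 5 tries member 7's row: refused with the error message.
var_dump(deleteOwnRow($pdo, 'tests', '29', $sessionMember));
// Member 5 deletes their own row 28: succeeds.
var_dump(deleteOwnRow($pdo, 'tests', '28', $sessionMember));
// A table name not on the allow-list is rejected before any SQL runs.
var_dump(deleteOwnRow($pdo, 'users', '28', $sessionMember));
```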
jacko_162 (Author) Posted March 24, 2010

> Is it possible to check the member_id of the results against the member_id of the session BEFORE performing the SQL query, and if it matches perform the query, and if not DON'T perform the query and throw up an echo command with error text?
>
> Yup, `if($member_id == $_SESSION['member_id']) { //Delete } else { //Don't }`

So simple, don't know why my head couldn't get around it... Thanks, will implement it now and hopefully my users stay happy now.
o3d Posted March 24, 2010

Even if a user is logged in, he/she will still be able to delete data. My advice is to echo the id on the form in encrypted format and then parse that encrypted data along to PHP to decrypt, e.g. delete.php?ID=e34cb4a32&db=tests. That way users won't be able to guess an id.
jacko_162 (Author) Posted March 25, 2010

> Even if a user is logged in, he/she will still be able to delete data. My advice is to echo the id on the form in encrypted format and then parse that encrypted data along to PHP to decrypt, e.g. delete.php?ID=e34cb4a32&db=tests. That way users won't be able to guess an id.

How would I go about doing this in my above code? It sounds more secure that way. Would I have to encrypt the ID on the view page where my delete button is linked to the delete.php page?
o3d Posted March 25, 2010

> > Even if a user is logged in, he/she will still be able to delete data. My advice is to echo the id on the form in encrypted format and then parse that encrypted data along to PHP to decrypt, e.g. delete.php?ID=e34cb4a32&db=tests. That way users won't be able to guess an id.
>
> How would I go about doing this in my above code? It sounds more secure that way. Would I have to encrypt the ID on the view page where my delete button is linked to the delete.php page?

Correct. Check this out: http://www.t4vn.net/tutorials/showtutorials/An-Introduction-to-Mcrypt-and-PHP.html
jacko_162 (Author) Posted March 25, 2010

Oooh nice. I included the class file and added the following code:

```php
<?php
$crypto = new phpFreaksCrypto();
$id_encrypted = $ID;
// The same variable is reused for the ciphertext, so the original value is lost.
$id_encrypted = $crypto->encrypt($id_encrypted);
$id_decrypted = $crypto->decrypt($id_encrypted);
$crypto->__destruct();
echo 'Original: ' . $id_encrypted . '<br />';
echo 'Encrypted: ' . $id_encrypted . '<br />';
echo 'Decrypted: ' . $id_decrypted . '<br />';
?>
```

My ID should be 28 but I get the following output:

```
Original: rhcCGrx9UtY=
Encrypted: rhcCGrx9UtY=
Decrypted: 28
```

How come Original: doesn't show 28??
jacko_162 (Author) Posted March 25, 2010

Aaah, scrap that, I got it.
jacko_162 (Author) Posted March 25, 2010

Now I'm getting problems finding the data in the database on the delete.php page. Am I doing something wrong in the delete.php page? From the view page I forward to: delete.php?ID=rhcCGrx9UtY=&db=tests (so the ID "28" is now being passed to delete.php as an encrypted value).

```php
<?php
session_start();
include('Includes/auth.php');
require_once('header.php');
require_once('Includes/phpFreaksCrypto.class.php4'); // require the phpFreaksCrypto class
$crypto = new phpFreaksCrypto();
// $ID is whatever arrived on the URL (register_globals); it is passed through
// encrypt() and that result is then passed through decrypt().
$id_to_be_encrypted = $ID;
$id_encrypted = $crypto->encrypt($id_to_be_encrypted);
$id_decrypted = $crypto->decrypt($id_encrypted);
$crypto->__destruct();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf8"/>
<title>Index</title>
<script type="text/javascript">
<!--
function delayer(){
    window.location = "tests.php"
}
//-->
</script>
</head>
<body class="cloudy" onLoad="setTimeout('delayer()', 50000)">
<table width="60%" border="0" align="center" cellpadding="2" cellspacing="2">
<tr>
<td width="40%" valign="top">
<div class="content-box">
<div class="content-box-header">
<h3>Your results Has Been Removed!!</h3>
</div>
<div class="content-box-content">
<div>
<?php
if ($id_decrypted) {
    // Look the row up first so its owner can be compared with the session.
    $sql = "SELECT * FROM tests WHERE ID=$id_decrypted";
    $result = mysql_query($sql);
    $myrow = mysql_fetch_array($result);
    $ID = $myrow["id"];
    $member_id = $myrow["member_id"];
?>
<table width="100%" border="0" cellspacing="0" cellpadding="4">
<tr>
<td colspan="7" valign="top"><form class="basic" action="" method="post" enctype="multipart/form-data"><!-- Default basic forms -->
<div class="inner-form">
<?php
    if ($member_id == $_SESSION['SESS_MEMBER_ID']) {
        $sql = "DELETE FROM $db WHERE ID=$id_decrypted AND member_id=$_SESSION[SESS_MEMBER_ID]";
        mysql_query($sql);
        echo "<div class='notification success png_bg'><div>Your results has been removed successfully, you will now be re directed.</div></div>";
    } else {
        echo "<div class='notification attention png_bg'><div>ERROR, these results dont belong to you, if this is your test results please contact support in relation to this error.</div></div>";
    }
}
?>
</div>
</form>
</td>
</tr>
</table>
</p>
</div>
</div> <!-- End .content-box-content -->
</td>
</tr>
</table>
</body>
</html>
```
o3d Posted March 25, 2010

error_log your query. Then you might have to url_encode your encrypted value. Some characters might get 'scrambled' when sent via the browser. Thus you need to url_decode your value, decrypt it and then use it in your query. Hope that makes sense.
jacko_162 (Author) Posted March 25, 2010

Haha, not really. This is what I get when I echo mysql_error():

```
Error in you submission: . mysql_error() . SELECT * FROM tests WHERE ID=jtqd/jNeidY=
```

So I assume it's not decrypting the $ID found in the URL.
o3d Posted March 25, 2010

When you echo your encrypted id, parse it through the url_encode function. This value should appear on the form. Then when you want to use the value (as sent from the form) to delete items, you first have to url_decode, then decrypt the value and then use the decrypted value in the query.
jacko_162 (Author) Posted March 25, 2010

> When you echo your encrypted id, parse it through the url_encode function. This value should appear on the form. Then when you want to use the value (as sent from the form) to delete items, you first have to url_decode, then decrypt the value and then use the decrypted value in the query.

Now you lost me completely... Can you perhaps post a little code to help me understand?
jacko_162 (Author) Posted March 25, 2010

OK, on the view page I have the following code:

```php
<?php
echo 'Original: ' . $id_to_be_encrypted . '<br />';
echo 'Encrypted: ' . $id_encrypted . '<br />';
echo 'Decrypted: ' . $id_decrypted . '<br />';
echo urlencode("$id_encrypted");
echo '<br />';
echo urldecode("$id_encrypted");
echo '<br />';
?>
```

This gives me the following output:

```
Original: 28
Encrypted: rhcCGrx9UtY=
Decrypted: 28
rhcCGrx9UtY%3D
rhcCGrx9UtY=
```

Now do I pass the urlencoded version "rhcCGrx9UtY%3D" through the URL string to the delete.php page? And if so, how do I decode it on the other side?
o3d Posted March 25, 2010

```php
...
<!-- process sent data from form -->
<?PHP
if (isset($_GET['table_id'])) {
    $TmpEncVal = urldecode($_GET['table_id']);
    // DecryptId()/EncryptId() stand for the crypto class's decrypt/encrypt calls.
    $DecVal = DecryptId($TmpEncVal);
    $sQuery = " delete from tbl_row where id = {$DecVal}";
    //exec query...
}
?>
...
<!-- encrypt and show encrypted id on form -->
<?PHP $EncVal = EncryptId(23); ?>
<form>
<input type="hidden" name="table_id" value="<?PHP echo urlencode($EncVal);?>">
<input type="submit">
</form>
...
```
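The encrypt, urlencode, decrypt round trip sketched above, as an added self-contained example that is not o3d's code nor the phpFreaksCrypto class: it uses openssl_encrypt in place of the mcrypt extension, a constructed placeholder key, and a constructed link in place of a real request. Two facts worth knowing when wiring it in: PHP has already percent-decoded $_GET by the time the script reads it, so the arriving token is decrypted directly, and the decrypted id is only an un-guessable label, so it still goes through the member_id check from earlier in this thread before any DELETE.

```php
<?php
// Added example (not the thread's code). ID_KEY is a placeholder: a real key
// is 32 random bytes generated once and loaded from config outside the web root.
const ID_KEY = 'PLACEHOLDER-replace-with-32-random-bytes-from-config';

function encryptId(int $id): string
{
    $key = hash('sha256', ID_KEY, true);       // 32-byte key for AES-256
    $iv  = random_bytes(16);                   // fresh IV for every value
    $ct  = openssl_encrypt((string) $id, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);           // contains "+", "/", "=": needs urlencode()
}

function decryptId(string $token): ?int
{
    $raw = base64_decode($token, true);        // strict: reject anything non-base64
    if ($raw === false || strlen($raw) <= 16) {
        return null;                           // not something this code produced
    }
    $key   = hash('sha256', ID_KEY, true);
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
    // Bad padding returns false; anything that is not a plain number is treated as tampering.
    return ($plain !== false && ctype_digit($plain)) ? (int) $plain : null;
}

// View page: put the opaque token in the link, percent-encoded for the URL.
$token = encryptId(28);
$link  = 'delete.php?ID=' . urlencode($token) . '&db=tests';

// delete.php: parse_str() decodes the query string the same way PHP fills $_GET,
// so no second urldecode() is applied to the token.
parse_str(parse_url($link, PHP_URL_QUERY), $query);   // $query stands in for $_GET
$id = decryptId($query['ID']);                        // 28 on a valid token, null otherwise

// A token altered by one character decodes to null rather than to some other row.
$tampered = decryptId(substr($token, 0, -4) . 'AAAA');
var_dump($id, $tampered);
```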
jacko_162 (Author) Posted March 25, 2010

> ```php
> ...
> <!-- process sent data from form -->
> <?PHP
> if (isset($_GET['table_id'])) {
>     $TmpEncVal = urldecode($_GET['table_id']);
>     $DecVal = DecryptId($TmpEncVal);
>     $sQuery = " delete from tbl_row where id = {$DecVal}";
>     //exec query...
> }
> ?>
> ...
> <!-- encrypt and show encrypted id on form -->
> <?PHP $EncVal = EncryptId(23); ?>
> <form>
> <input type="hidden" name="table_id" value="<?PHP echo urlencode($EncVal);?>">
> <input type="submit">
> </form>
> ...
> ```

You the man... Problem now solved and MUCH more secure, so secure even I know the PHP code and my head is f****d about it. Cheers o3d, I learnt a lot in regard to encrypting and urlencoding.