Bl4ckMaj1k (Posted May 17, 2011)

Hi all. I have a question and don't know if it belongs in the PHP section or the JavaScript section, so I apologize in advance if I am in the wrong place. Basically what I am trying to do is change a URL with the following variables

index.php?id=16&?pid=23-P27-16&cid=1324353245

to something more secure... like

index.php

I think doing it this way would add an extra layer of security to my website. If this is not possible, is there a way I can track whether or not a user attempted to edit something in the URL? For example, if the cid=13243543 and they go in and change it to 13243654 instead, can I have PHP check that? I have a great deal of security already, but I think this would truly be the highest layer, completely controlling what happens in the user's address bar. As always, thanks in advance!

Bl4ck Maj1k

Thread: https://forums.phpfreaks.com/topic/236599-hide-url-but-still-keep-_get-variables/
phppaper (Posted May 17, 2011)

Use POST + SSL; it is a more secure way to transfer data than GET.
fugix (Posted May 17, 2011)

You could use a POST request or mod_rewrite.
Bl4ckMaj1k, Author (Posted May 17, 2011)

OK, I am not that advanced... kinda newb. Do you guys mind giving an explanation? I understand $_POST, but how would I retrieve a stored $_POST variable? And how would the SSL work? Also confused about the mod_rewrite function. If you can give a few examples that would be great!

Thanks again.

Bl4ck Maj1k
fugix (Posted May 17, 2011)

For a quick lesson on the Apache mod_rewrite module... read here
phppaper (Posted May 17, 2011)

Please define your meaning of "retrieve a stored $_POST variable". A $_POST variable is the same as a normal PHP variable.

SSL: http://www.flatmtn.com/article/setting-ssl-certificates-apache
Bl4ckMaj1k, Author (Posted May 17, 2011)

Thanks for the links to tuts, guys! I have them bookmarked and already started trying a few things here and there. mod_rewrite is ridiculous!!!

As for 'retrieve a stored $_POST variable', what I mean is this... When something is under the $_POST array, how can you pull that from a URL? For example, if I have a variable of id in the URL, can I say the following:

$user_id = $_POST['id'];

That's basically what I mean. I thought this could only be achieved through the $_GET method.
phppaper (Posted May 17, 2011)

Well, if you insist on showing it in the URL, then it is a GET request. If you want to check whether the user has entered 13243654 instead of 13243653, then you have to check after the variable has been passed to index.php, if the URL is typed out by the user.
ignace (Posted May 17, 2011)

What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could $_GET, even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it.
JonnoTheDev (Posted May 17, 2011)

Quoting ignace: "What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could $_GET, even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it."

Absolutely.

Quoting phppaper: "Use POST + SSL; it is a more secure way to transfer data than GET."

That is garbage.
Bl4ckMaj1k, Author (Posted May 17, 2011)

Quoting ignace: "What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could $_GET, even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it."

Sanitize and validate??? Hmm, maybe I am already doing this. What does this consist of? I Googled it, but I am guessing you are using some PHP slang. Do you mind explaining?

Also, I agree that $_GET and $_POST are both just as secure or just as insecure as one another... that's not what I am referring to. I am referring to the fact that I have my system set up in such a way that I am storing variable values in my URL. Unfortunately what this does is allow other people to see those variables as well. I just need a way to hide this from the public eye. If I can't hide this, I just need a way to say, "Hey!!! Don't edit the URL A****LE!!!!". I'm sure you get my drift.

Bl4ck Maj1k
cyberRobot (Posted May 17, 2011)

Using POST vs GET isn't going to matter much in terms of data tampering. GET variables may be easier to mess with since they're in the URL. But POST variables, while hidden during the transfer, can still be tampered with fairly easily. One way would be to just download your form's source code, modify it as needed, and hit the submit button.
jcbones (Posted May 17, 2011)

Sanitation is making sure that no illegal characters are submitted. This includes things that could hijack your database, inject code into your database, insert cross-site scripts into your pages, or upload files to your server.

Validation is making sure that you are getting the desired results: numbers should be numbers, letters should be letters, emails should follow the email format, dates should follow the date format, etc.
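An added example, not code from anyone in this thread, of the validation step jcbones describes, applied to the three parameter names this thread's URLs carry (eid, cid, pid). The pid layout "company-project" (1-1, 2-5) is the one Bl4ckMaj1k describes later in the thread; the function name, the rule that the company in pid must equal cid, and the sample inputs are assumptions made for the example. The point it makes beyond the post: a well-formed value such as pid=1-2 passes validation, because validation only answers "is this the right shape?", never "may this user see it?".

```php
<?php
// Added example (not from the thread). Validates eid, cid and pid as they
// arrive in $_GET. Parameter names come from the thread; the pid format
// "<company>-<project>" comes from the walkthrough later in the thread;
// the function name and the cid/pid consistency rule are assumptions.
declare(strict_types=1);

/**
 * Return the typed, normalised parameters, or null if anything is missing
 * or malformed. Reject rather than "clean": a malformed parameter is an
 * error response, not something to repair and carry on with.
 */
function validateRequestParams(array $input): ?array
{
    // eid and cid must be positive integers. FILTER_VALIDATE_INT rejects
    // "12abc", " 12", "0x1A" and "1e3" instead of truncating them as (int)
    // would, and it returns false for arrays (?eid[]=1) because the default
    // flag is FILTER_REQUIRE_SCALAR.
    $intRule = ['options' => ['min_range' => 1]];
    $eid = filter_var($input['eid'] ?? null, FILTER_VALIDATE_INT, $intRule);
    $cid = filter_var($input['cid'] ?? null, FILTER_VALIDATE_INT, $intRule);
    if ($eid === false || $cid === false) {
        return null;
    }

    // pid is "<company id>-<project id>", digits only on both sides.
    // \A and \z anchor to the very start and end of the string, so a
    // trailing newline or anything appended after the id fails the match.
    $pid = $input['pid'] ?? null;
    if (!is_string($pid) || !preg_match('/\A[1-9][0-9]*-[1-9][0-9]*\z/', $pid)) {
        return null;
    }
    [$pidCompany, $pidProject] = array_map('intval', explode('-', $pid, 2));

    // Consistency rule (assumed): the company encoded in pid must be the
    // company named by cid, otherwise the request contradicts itself.
    if ($pidCompany !== $cid) {
        return null;
    }

    return ['eid' => $eid, 'cid' => $cid, 'pid' => $pid, 'project' => $pidProject];
}

// Constructed sample inputs: the thread's own link first, then tampered variants.
$samples = [
    ['eid' => '1', 'cid' => '1', 'pid' => '1-1'],            // as in the thread: valid
    ['eid' => '1', 'cid' => '1', 'pid' => '1-2'],            // well formed; authorisation, not validation, must decide
    ['eid' => '1', 'cid' => '1', 'pid' => "1-1' OR 1=1--"],  // injection attempt: wrong shape
    ['eid' => '1', 'cid' => '2', 'pid' => '1-1'],            // cid and pid disagree
    ['eid' => ['1'], 'cid' => '1', 'pid' => '1-1'],          // ?eid[]=1 array trick
    ['eid' => '1', 'cid' => '1'],                            // pid missing
];
foreach ($samples as $sample) {
    $result = validateRequestParams($sample);
    printf("%-45s -> %s\n", json_encode($sample), $result === null ? 'reject' : 'ok ' . json_encode($result));
}
```

In a real page the call is validateRequestParams($_GET) at the top of proj_prof.php, with a 400 response when it returns null. The second sample is the important one: pid=1-2 is perfectly valid input, so the tampering this thread worries about is not caught at this layer at all, only by checking the assignment against the database afterwards.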
AbraCadaver (Posted May 17, 2011)

I still don't fully understand why you would want to do this, but what you are saying is that you don't want anyone to access information unless you specifically provide them with an HTML link to the information. That's not security. The only way that comes to mind is adding the allowable values to the session and checking on the next page. Assuming you are getting these from a database or somewhere in an array and outputting links:

//page1.php
session_start(); // the session must be started before $_SESSION is touched
$_SESSION['cids'] = array();
foreach($rows as $row) {
    $_SESSION['cids'][] = $row['cid'];
    echo '<a href="page2.php?cid=' . urlencode($row['cid']) . '">click</a><br>';
}

//page2.php
session_start();
// cid missing, or not one of the values page1.php handed out: error
if(!isset($_GET['cid']) || !isset($_SESSION['cids']) || !in_array($_GET['cid'], $_SESSION['cids'])) {
    //error
}
$_SESSION['cids'] = array();
//let em get the information
Bl4ckMaj1k, Author (Posted May 17, 2011)

Quoting AbraCadaver: "I still don't fully understand why you would want to do this, but what you are saying is that you don't want anyone to access information unless you specifically provide them with an HTML link to the information. That's not security. The only way that comes to mind is adding the allowable values to the session and checking on the next page."

This code is awesome... I will say that first. Didn't even know it was possible. Anyway, this is not what I am saying I want to do. Let's take an example directly from my system and you will understand the importance of URL security for me.

Let's take the example that there are 3 employees in the system:

Employee 1
Employee 2
Employee 3

There are 2 companies in the system:

Company 1
Company 2

Companies are assigned employees. We will distribute our employees like so:

Company 1: Employee 1 and Employee 3
Company 2: Employee 2

Now each company is assigned several different projects. Let's create a couple of projects and give them all IDs. We will say IDs are generated based on the ID of the project created in the database and the company it belongs to. (For example, if we are dealing with company 2, project 6, the ID would be 2-6. This way each project ID remains unique.)

Company 1
Project 1 - PID=1-1
Project 2 - PID=1-2
Project 3 - PID=1-3

Company 2
Project 4 - PID=2-4
Project 5 - PID=2-5

Now we have the employees that each company is associated with. Once they have been associated with a company, we can then associate them with a project within that company. So let's do that:

Employee 1: Project 1 and 3
Employee 2: Project 5
Employee 3: Project 2

Now we have all the information we need to run our example of the security I need. Following my data above, let's assume I am employee 1. This means I belong to company 1 and I should only be able to view projects 1 and 3. So when I click my URL, I will get the following information using the $_GET function in the PHP of the code and store those variables into local variables. My link will look like this:

proj_prof.php?eid=1&cid=1&pid=1-1

Now this is captured by me clicking on a link in the previous page, whatever that may be. Somewhere on that page I do a $_GET['eid'], $_GET['cid'], and lastly a $_GET['pid']. I store those in local variables. So if I link to the following page and do some SQL statement, I make sure results are only associated with that project, that employee, that company.

Now I have stored the employee ID and company ID in $_SESSION and transferred them to local PHP variables, as those will never change. An employee, as long as he/she is logged into his/her account, will always belong to the same company and have the same user ID. On the other hand, projects are created on the fly. Employees are assigned new projects randomly. They won't know when they are to work on a new project until the project is assigned to them.

With that being said, here is what I am afraid of. Employee 1 and 3 work for the same company. However, Employee 3 has access to a project that Employee 1 does not: Project 2. Now if I am employee 1, and I know anything about PHP, I can simply go to any project that I do have access to. Then, in the URL, I can simply change the value of pid from 1-3 to 1-2. This will direct me to all the information being pulled that's associated with the project ID of 1-2, even though I don't have access. This is where I need to say "Hey A****LE!!!! Get out of that URL!!!!!".
AbraCadaver (Posted May 17, 2011)

The only reliable and scalable way is to have all of this information properly related in a database. Then, when a page is requested with a pid, you query for the pid and see if it is assigned to the user. If not, display an error. You need to get this structured in your database before you go any farther.
Bl4ckMaj1k, Author (Posted May 17, 2011)

Darnnnn!!!! I figured someone would say the answer I was dreading the whole time. And I know you are right; this would actually be much easier if I just checked the assigned project against some record in the database and ensured that the $_GET['pid'] was equal to whatever is in the database. The only question is, would it be a good idea to query a table in the database every time a new page is loaded? That's ultimately what we are saying. I have a table that relates my employees to all the projects. There is a field for project ID and a field for employee ID. So what I would do is say the following (note this is a question):

session_start();
// both values are escaped before they go into the query string; the original
// had $_GET['pid] (missing quote) and interpolated the raw values into SQL
$current_proj_id = mysql_real_escape_string($_GET['pid']);
$current_employee_id = mysql_real_escape_string($_SESSION['eid']);
$query = "SELECT project_id FROM someTableWithEmps&Projs WHERE proj_id='$current_proj_id' AND employee_id='$current_employee_id'";
$sql = mysql_query($query) or die (mysql_error());
$row_count = mysql_num_rows($sql);
if ($row_count == 0) { // no row: this employee is not assigned to this project
    //some error
}
JonnoTheDev (Posted May 17, 2011)

You are correct. You must test every parameter and that its value is valid. You can mod_rewrite your URLs to hide the parameter names, i.e.

foobar.php?pid=1&eid=2&name=neil

could be rewritten as

/foobar/1/2/neil
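An added example, not the thread's code, of the check AbraCadaver recommends and Bl4ckMaj1k sketches two posts above, written with a PDO prepared statement instead of a query string built from the request, and with the thread's own sample assignments (employee 1 on 1-1 and 1-3, employee 2 on 2-5, employee 3 on 1-2) loaded into an in-memory SQLite table so it runs from the command line without a MySQL server. The table name employee_project, the column names, the function names and the handleProjectRequest wrapper are assumptions; the real table would be in MySQL and PDO is used the same way there. JonnoTheDev's mod_rewrite point applies unchanged: whether the project arrives as ?pid=1-1 or as a rewritten /foobar/1/2/1-1, the rewrite rule hands the same value to $_GET, so this is the check that runs either way.

```php
<?php
// Added example (not from the thread). Authorisation check for proj_prof.php:
// is the logged-in employee assigned to the requested project?
// Needs the pdo_sqlite extension to run as-is; with MySQL, change the DSN.
declare(strict_types=1);

// Constructed sample data, matching the assignments listed in the thread.
// Table and column names are assumptions.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employee_project (
        employee_id INTEGER NOT NULL,
        project_id  TEXT    NOT NULL,
        PRIMARY KEY (employee_id, project_id))');
    $insert = $db->prepare('INSERT INTO employee_project VALUES (?, ?)');
    foreach ([[1, '1-1'], [1, '1-3'], [2, '2-5'], [3, '1-2']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

/**
 * The employee id comes from the session (set at login) and is trusted.
 * The project id comes from the URL and is attacker-controlled.
 */
function employeeCanAccessProject(PDO $db, int $employeeId, string $pid): bool
{
    // Shape check first: "<company>-<project>", digits only, nothing else.
    if (!preg_match('/\A[1-9][0-9]*-[1-9][0-9]*\z/', $pid)) {
        return false;
    }
    // The value is bound, never spliced into the SQL text, so an input such
    // as "1-1' OR '1'='1" is compared as a literal string and matches nothing.
    $stmt = $db->prepare(
        'SELECT 1 FROM employee_project WHERE employee_id = ? AND project_id = ? LIMIT 1'
    );
    $stmt->execute([$employeeId, $pid]);
    return $stmt->fetchColumn() !== false;
}

// What proj_prof.php would do at the top of the page. $_SESSION and $_GET
// are passed in as plain arrays so the example can be driven from the CLI.
function handleProjectRequest(PDO $db, array $session, array $get): string
{
    if (!isset($session['eid'])) {
        return '401 not logged in';
    }
    $pid = $get['pid'] ?? '';
    if (!is_string($pid) || !employeeCanAccessProject($db, (int) $session['eid'], $pid)) {
        // One response for "no such project" and "not your project", so the
        // URL cannot be used to enumerate which project ids exist.
        return '403 forbidden';
    }
    return "200 project $pid";
}

$db = buildSampleDb();
$session = ['eid' => 1]; // logged in as employee 1, as in the thread's walkthrough
foreach (['1-1', '1-3', '1-2', '2-5', "1-1' OR '1'='1", '1-1/../'] as $pid) {
    printf("%-18s -> %s\n", $pid, handleProjectRequest($db, $session, ['pid' => $pid]));
}
```

On the cost question raised two posts above: one lookup on the (employee_id, project_id) primary key per request is the normal price of authorisation and is cheap. The alternative of caching assignments in $_SESSION means a project removed from an employee stays reachable until they log out, which is the worse trade; if the lookup ever does show up in profiling, cache the result for seconds, not for the life of the session. Note also that eid is deliberately not read from the URL here: the thread's link carries eid=1, but the employee id should come only from the session set at login.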