Jump to content

Archived

This topic is now archived and is closed to further replies.

Bl4ckMaj1k

Hide URL but still keep $_GET variables

Recommended Posts

Hi all. I have a question and don't know if it belongs in the PHP section or the Javascript section so I apologize in advance if I am in the wrong place. Basically what I am trying to do is change a URL with the following variables

 

index.php?id=16&?pid=23-P27-16&cid=1324353245

 

to something more secure....like

 

index.php

 

I think doing it this way would add an extra layer of security to my website. If this is not possible, is there a way I can track whether or not a user attempted to edit something in the URL. For example, if the cid=13243543 and they go in a change it to 13243654 instead, can I have PHP check that? I have a great deal of security already, but I think this would truly be the highest layer, completely controlling what happens in the user's address bar.

 

As always, thanks in advance!

 

Bl4ck Maj1k

Share this post


Link to post
Share on other sites

use POST + SSL is a more secure way to transfer data instead of GET

Share this post


Link to post
Share on other sites

you could use a post request or mod_rewrite

Share this post


Link to post
Share on other sites

OK I am not that advanced....kinda newb. Do you guys mind giving an explanation? I understand $_POST but how would I retreive a stored $_POST variable? And how would the SSL work?? Also confused about the mod_rewrite function. If you can give a few examples that would be great!!!! Thanks again.

 

Bl4ck Maj1k

Share this post


Link to post
Share on other sites

for a quick lesson on the apache mod_rewrite module...read here

Share this post


Link to post
Share on other sites

Please define your meaning of "retreive a stored $_POST variable"

 

$_POST variable is the same as a normal PHP variable.

 

SSL: http://www.flatmtn.com/article/setting-ssl-certificates-apache

 

Thanks for the links to tuts guys! I have them bookmarked and already started trying a few things here and there. Mod_rewrite is ridiculous!!!

 

As for the 'retreive a stored $_POST variable', what I mean is this...

 

When something is under the $_POST array, how can you pull that from a URL? For example, if I have a variable of id in the URL, can I say the following:

 

$user_id = $_POST['id'];

 

That's basically what I mean. I thought this could only be achieved through the $_GET method.

Share this post


Link to post
Share on other sites

Well if you insist show in the URL, then it is a GET request.

 

If you want to check whether the user has enter 13243654 instead 13243653 then you have to check after the variable being passed to index.php, if the URL is type out by the user.

Share this post


Link to post
Share on other sites

What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could with $_GET even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it.

Share this post


Link to post
Share on other sites

What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could with $_GET even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it.

 

Absolutely.

 

use POST + SSL is a more secure way to transfer data instead of GET

 

That is garbage.

Share this post


Link to post
Share on other sites

What makes you think that using $_GET is insecure? I can manipulate $_POST as much as I could with $_GET even if you add SSL. Your real core problem is that you should sanitize and validate your data before using it.

 

Sanitize and Validate??? Hmm maybe I am already doing this. What does this consist of? I Google'd but I am guessing you are using some PHP slang. do you mind explaining?

 

Also, I agree that $_GET and $_POST are both just as secure or just as insecure as one another....that's not what I am referring to. I am referring to the fact that I have my system set up in such a way where I am storing variable values in my URL. Unfortunately what this does is allows other people to see those variables as well. I just need a way to hide this from the public eye. If I can't hide this, I just need a way to say, "Hey!!! Don't edit the URL A****LE!!!!". I'm sure you get my drift.

 

Bl4ck Maj1k

Share this post


Link to post
Share on other sites

Using POST vs GET isn't going to matter much in terms of data tampering. GET variables may be easier to mess with since they're in the URL. But POST variables, while hidden during the transfer, can still be tampered with fairly easy. One way would be to just download your form's source code, modify it as needed, and hit the submit button.

Share this post


Link to post
Share on other sites

Sanitation is making sure that no illegal characters are submitted.  This includes things that could hi-jack your database, inject code into your database, insert cross site scripts into your pages, or upload files to your server.

 

Validation is making sure that you are getting the desired results.  Numbers should be numbers, letters should be letters, emails should follow the email format, dates should follow the date format, etc.

Share this post


Link to post
Share on other sites

I still don't fully understand why you would want to do this, but what you are saying is that you don't want anyone to access information unless you specifically provide them with an HTML link to the information.  That's not security.  The only way that comes to mind is adding the allowable values to the session and checking on the next page.  Assuming you are getting these from a database or somewhere in an array and outputing links:

 

//page1.php
$_SESSION['cids'] = array();

foreach($rows as $row) {
   $_SESSION['cids'][] = $row['cid'];
   echo '<a href="page2.php?cid=' . $row['cid'] . '">click</a><br>';
}

 

//page2.php
if(!in_array($_GET['cid'], $_SESSION['cids'])) {
   //error
}
$_SESSION['cids'] = array();
//let em get the information

Share this post


Link to post
Share on other sites

I still don't fully understand why you would want to do this, but what you are saying is that you don't want anyone to access information unless you specifically provide them with an HTML link to the information.  That's not security.  The only way that comes to mind is adding the allowable values to the session and checking on the next page.  Assuming you are getting these from a database or somewhere in an array and outputing links:

 

//page1.php
$_SESSION['cids'] = array();

foreach($rows as $row) {
   $_SESSION['cids'][] = $row['cid'];
   echo '<a href="page2.php?cid=' . $row['cid'] . '">click</a><br>';
}

 

//page2.php
if(!in_array($_GET['cid'], $_SESSION['cids'])) {
   //error
}
$_SESSION['cids'] = array();
//let em get the information

 

This code is awesome....I will say that first. Didn't even know it was possible.

 

Anyway, this is not what I am saying I want to do. Lets take an example directly from my system and you will understand the importance of URL security for me. Lets take the example that there are 3 employees in the system.

 

Employee 1

Employee 2

Employee 3

 

There are 2 Companies in the system

 

Company 1

Company 2

 

Companies are assigned employees. We will distribute our employees like so:

 

Company 1

Employee 1 and Employee 3

 

Company 2

Employee 2

 

Now each company is assigned several different projects. Lets create a couple projects and give them all IDs. We will say IDs are generated based on ID of project created in the database and company it belongs to. (Example, if we are dealing with company 2 project 6, the ID would be 2-6. This way each project ID remains unique.)

 

Company 1

Project 1 - PID=1-1

Project 2 - PID=1-2

Project 3 - PID=1-3

 

Company 2

Project 4 - PID=2-4

Project 5 - PID=2-5

 

Now we have the employees that each company is associated with. Once they have been associated with a company, we can then associate them with a project within that company. So lets do that

 

Employee 1

Project 1 and 3

 

Employee 2

Project 5

 

Employee 3

Project 2

 

Now we have all the information we need to run our example of the security I need. Following my data above, lets assume I am employee 1. This means I belong to company 1 and I should only be able to view projects 1 and 3. So when I click my URL, I will get the following information using the $_GET function in the PHP of the code and store those variables into local variables. My link will look like this

 

proj_prof.php?eid=1&cid=1&pid=1-1

 

Now this is captured by me clicking on a link in the previous page, whatever that may be. Somewhere on that page I do a $_GET['eid'], $_GET['cid'], and lastly a $_GET['pid']. I store those in local variables. So if I link to the following page and do some sql statement, I make sure results are only associated with that project, that employee, that company. Now I have stored the employee ID and company ID in $_SESSION and transferred them to local PHP variables as those will never change. An employee will always, as long as he/she is logged into his/her account, will belong to the same company, have the same user ID. On the other hand, projects are created on the fly. Employees are assigned new projects randomly. They won't know when they are to work on a new project until the project is assigned to them. With that being said, here is what I am afraid of.

 

Employee 1 and 3 work for the same company. However, Employee 3 has access to a project that Employee 1 does not. Project 2. Now if I am employee 1, and I know anything about PHP, I can simply go to any project that I do have access to. Then, in the URL, I can simply change the value of pid from 1-3 to 1-2. This will direct me to all the information being pulled thats associated with the project ID of 1-2, even though I don't have access. This is where I need to say "Hey A****LE!!!! Get out of that URL!!!!!".

Share this post


Link to post
Share on other sites

The only reliable and scalable way is to have all of this information properly related in a database.  Then, when a page is requested with a pid, you query for the pid and see if it assigned to the user.  If not, display an error.

 

You need to get this structured in your database before you go any farther.

Share this post


Link to post
Share on other sites

Darnnnn!!!! I figured someone would say the answer I was dreading the whole time. And I know you are right, this would actually be much easier if I just checked the assigned project with some record in the database and ensure that the $_GET['pid'] was equal to whatever is in the database. The only question is, would it be a good idea to query a table in the database every time a new page is loaded? That's ultimately what we are saying. I have a table that I have my employees related to all the projects. There is a field for project ID and a field for employee ID. So what I would do is say the following (note this is a question)

 

$current_proj_id = $_GET['pid];
$current_employee_id = $_SESSION['eid'];

$query = "SELECT project_id FROM someTableWithEmps&Projs WHERE proj_id='$current_proj_id' AND employee_id = '$current_employee_id' ";

$sql = mysql_query($query) or die (mysql_error());

$row_count = mysql_num_rows($sql);

if ($row_count <='0') {
//some error
}

Share this post


Link to post
Share on other sites

you are correct. you must test every parameter and its value is valid. you can mod-rewrite your urls to hide the parameter names i.e

 

foobar.php?pid=1&eid=2&name=neil

 

could be rewritten as

 

/foobar/1/2/neil

Share this post


Link to post
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.