malakiahs Posted March 1, 2012

I have a form that, after it is filled out and submitted, redirects the user to another page where the form is displayed. The way I'm doing this is by inserting the values into the database first and then pulling them out from the database to display the array on the redirected page. So that no one else sees other users' information, I am using a unique and encrypted token and storing it in both a SESSION value and in the database; I create this token and assign it to the session variable only if there are no errors in the form. In addition, I'm picking up the insert ID and storing it as a session value as well. Before displaying anything on the next page, where the user is redirected to, it checks for the SESSION token, else the user is redirected to the previous page. On the next page, when I need to select the values from the database I include in my select query something such as "SELECT * FROM table WHERE (token='_SESSION['token'] TOKEN AND form_id='$_SESSION['form_id']) LIMIT 1" (please note that this might not be the right syntax for the query; it is just the gist of it).

Now, my questions! Is this secure enough to prevent anyone from trying to see someone else's information? I'm afraid that with the current method it might be vulnerable to an SQL injection, even though I'm using a prepared mysql statement, which sanitizes all the input. Or should I use method 2, which is to store all the information of the user from the form into the SESSION array and display the values of the session, instead of fetching the values from the database? Or is there a different way of doing this? Any comments will be greatly appreciated. Thank you in advance for your time and help.

sunfighter Posted March 2, 2012

The man just filled out your form. He's looking at the information. He knows what that information is. Why do you have to show it to him again? The main thing here is sanitizing the input before you put it into your database. Things to read:
http://php.net/manual/en/security.database.sql-injection.php
http://www.readwriteweb.com/hack/2010/09/php-security-sanitizing-string.php
http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/
Hope these help you. PS: you can still repost the form info to him if you want, the way you said, select from the db.

malakiahs (Author) Posted March 2, 2012

They need to be able to print what was submitted for verification purposes. This form does not require the use of apostrophes, so I'm doing a preg_match of only letters and numbers on every input, and not allowing the form to go through if there is an apostrophe. I am also using a prepared statement for mysql, which will take care of the sanitation if an apostrophe were to slip through. What I'm worried about is data being crossed from person to person if two forms were submitted at the same time, or someone hacking the page where I'm displaying back the input that the user submitted and seeing other users' information.
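The original poster's "method 1" written out with PDO prepared statements, as an added example rather than code from the thread. The `submissions` table and its columns, the file names form.php and confirmation.php, and the DSN and credentials are all assumptions. The token comes from the CSPRNG, both session values are bound as parameters instead of being interpolated into the query string, and the SELECT matches on the row id AND the token, so a guessed form_id alone returns nothing. Values are escaped with htmlspecialchars on the way back out, since the same "other users' data" concern applies to what is echoed into the page.

```php
<?php
// Added example (not from the thread): method 1 with PDO prepared statements.
// Assumed schema: submissions(form_id INT AUTO_INCREMENT, token CHAR(64),
//                             first_name, last_name, submitted_at)
declare(strict_types=1);
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // DSN and credentials are placeholders.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, values never in SQL text
        ]);
    }
    return $pdo;
}

/** Letters and digits only, as the poster describes; anything else is rejected. */
function validateField(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $value) === 1 ? $value : null;
}

/** form.php on POST: validate, insert, then bind the new row to this session. */
function handleSubmit(array $post): void
{
    $first = validateField($post['first_name'] ?? '');
    $last  = validateField($post['last_name'] ?? '');
    if ($first === null || $last === null) {
        throw new InvalidArgumentException('Only letters and digits are allowed.');
    }

    // 32 random bytes, hex-encoded: unguessable per-submission token.
    $token = bin2hex(random_bytes(32));

    $stmt = db()->prepare(
        'INSERT INTO submissions (token, first_name, last_name, submitted_at)
         VALUES (:token, :first, :last, NOW())'
    );
    $stmt->execute([':token' => $token, ':first' => $first, ':last' => $last]);

    // The session now carries a secret: rotate its id before storing it.
    session_regenerate_id(true);
    $_SESSION['form_id'] = (int) db()->lastInsertId();
    $_SESSION['token']   = $token;

    header('Location: /confirmation.php', true, 303);
    exit;
}

/** confirmation.php: fetch only the row matching BOTH values held in the session. */
function fetchOwnSubmission(): ?array
{
    if (!isset($_SESSION['token'], $_SESSION['form_id'])) {
        return null; // no token in session: caller redirects back to the form
    }
    $stmt = db()->prepare(
        'SELECT form_id, first_name, last_name, submitted_at
           FROM submissions
          WHERE form_id = :id AND token = :token
          LIMIT 1'
    );
    $stmt->execute([':id' => $_SESSION['form_id'], ':token' => $_SESSION['token']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** confirmation.php: render the row, escaping every value for HTML. */
function renderConfirmation(): void
{
    $row = fetchOwnSubmission();
    if ($row === null) {
        header('Location: /form.php', true, 303);
        exit;
    }
    echo '<table>';
    foreach ($row as $name => $value) {
        printf('<tr><th>%s</th><td>%s</td></tr>',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    echo '</table>';
}
```

form.php calls handleSubmit($_POST) when the request method is POST; confirmation.php calls renderConfirmation(). Because the token is bound as a parameter, the query text the server prepares never contains user-controlled characters, which is the point scootstah makes later in the thread about prepared statements.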
marcbraulio Posted March 3, 2012

Sessions are unique to each user and because they are unrelated to any other user there is no chance of a mix-up, regardless of whether multiple users submit the information at the same time. If I was you, I would call a session destroy after the information is displayed back to the user, just in case. If you have no need to store their information then just use sessions instead of using the database. In that case, you can't rely on prepared statements to do the sanitizing for you.

kicken Posted March 3, 2012

> Or should I use method 2, which is to store all the information of the user from the form into the SESSION array and display the values of the session, instead of fetching the values from the database.

I would do that. Just shove $_POST into your session under a key, then pull the values out of there. That way there is no way for a user to access anything other than what they submitted.

scootstah Posted March 3, 2012

> I'm afraid that with the current method it might be vulnerable to an SQL injection, even though I'm using a prepared mysql statement

Prepared statements make the query safe internally, so you do not have to worry about SQL injection.

malakiahs (Author) Posted March 5, 2012

> Sessions are unique to each user and because they are unrelated to any other user there is no chance of a mix-up, regardless of whether multiple users submit the information at the same time. If I was you, I would call a session destroy after the information is displayed back to the user, just in case. If you have no need to store their information then just use sessions instead of using the database. In that case, you can't rely on prepared statements to do the sanitizing for you.

Thank you for your reply. I forgot to mention that there is an administrative side to this form, where the administrators log in to get a list of all the forms that have been submitted. They have to see all the data of each form when they click on it. Therefore, I still have to store the information somewhere for later retrieval. I don't have a problem with this phase, since I will be using the auto number key to retrieve the data from the forms submitted. What worries me is finding out what the best method is to display the user's data back so that he can print it. I still have to store the information in a database; I can't get around that. What puzzles me is which is the better method: to retrieve the information from the database and display it to the user, or to store the information in his session and not worry about pulling the records from the database?

malakiahs (Author) Posted March 5, 2012

> I would do that. Just shove $_POST into your session under a key, then pull the values out of there. That way there is no way for a user to access anything other than what they submitted.

Thank you for your reply. That's what I am afraid of, of users being able to see other information if I do a fetch from the database and then display it. Now, is it possible for the $_SESSION variable to hold that much data for hundreds of users?

kicken Posted March 5, 2012

Every user has their own unique $_SESSION variable. It is not shared between everyone on the site. The only way someone would be able to see someone else's $_SESSION data is through a method known as Session Hijacking, which you can take measures to prevent, such as verifying IP and User-Agent strings.
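Kicken's "method 2" (keep a copy of the validated POST under one session key and read it back) combined with the session-hijacking mitigations raised in the last reply, as an added example that is not code from the thread. Field names are assumptions and the data is taken to be already validated by the form handler. It goes a little beyond the reply's IP/User-Agent suggestion: the session cookie gets the Secure, HttpOnly and SameSite flags, strict mode rejects ids the server never issued, the id is rotated when the data is stored, and the copy is removed on first read so a later visit to the page shows nothing, which is the "session destroy after display" idea from marcbraulio's reply.

```php
<?php
// Added example (not from the thread): method 2 with session hardening.
declare(strict_types=1);

// Cookie settings must be set before session_start(). Options-array form: PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // ignore session ids the server did not issue
session_start();

/** After a valid POST: keep a copy under one key and rotate the session id. */
function storeSubmissionInSession(array $clean): void
{
    session_regenerate_id(true); // an id captured before this point is now useless
    $_SESSION['last_submission'] = [
        'data'       => $clean,
        'created_at' => time(),
        // Fingerprint as suggested in the thread. User-Agent strings change on
        // browser updates, so a mismatch means "show nothing", not "block the user".
        'ua_hash'    => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

/** Confirmation page: read the copy once, then remove it so a reload shows nothing. */
function takeSubmissionFromSession(int $maxAgeSeconds = 600): ?array
{
    $entry = $_SESSION['last_submission'] ?? null;
    unset($_SESSION['last_submission']);   // one-shot, whatever happens next
    if ($entry === null) {
        return null;
    }
    if (time() - $entry['created_at'] > $maxAgeSeconds) {
        return null;                        // stale copy, do not display
    }
    $currentUa = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($entry['ua_hash'], $currentUa)) {
        return null;                        // fingerprint changed mid-session
    }
    return $entry['data'];
}

/** Confirmation page: render the copy, escaping every value for HTML. */
function renderConfirmation(): void
{
    $data = takeSubmissionFromSession();
    if ($data === null) {
        header('Location: /form.php', true, 303);
        exit;
    }
    echo '<table>';
    foreach ($data as $name => $value) {
        printf('<tr><th>%s</th><td>%s</td></tr>',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    echo '</table>';
}

// form.php, after validation: storeSubmissionInSession($clean); then redirect.
// confirmation.php: renderConfirmation();
```

On the size question from earlier in the thread: PHP keeps one session file per visitor on the server, so hundreds of users mean hundreds of small files, not one shared array; the cost is per session, and the one-shot read above keeps each of them short-lived. The database copy for the administrators is written by the form handler independently of what the session holds.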