anita999 Posted April 26, 2007

I am new to PHP and have been using it primarily with MySQL. I have a login form and I use sessions for each PHP page in the web site. A couple of questions:

1. Some of my PHP pages have inputs like 'user_id', i.e. doSomAction.php?user_id=john. Now if someone from the outside wants to access this page, they could type in the URL directly and try to add in the user_id=john in the URL or other ids. So, if this page has features like updating the DB etc., a hacker could then populate the DB. I want to prevent this. I thought about checking the $_SESSION variables to check if a user is logged in to prevent outside hackers. However, if a hacker is registered in the system, he could log in and then try to access the PHP directly with the URL with user_id='john'. What are some other options?

Thanks
Anita

MadTechie Posted April 26, 2007

OK, when they log in, store their user_id in a session:

    <?php
    session_start();
    // Keep the ID looked up at login in server-side session state.
    $_SESSION['USERID'] = $USER_ID; // <-- pulled from database
    ?>

Don't ever hide details (for use) in a form.

taith Posted April 26, 2007

For logins... and for all form data... never ever ever ever (get the picture?)!!! use $_GET... always send stuff via $_POST if you can...

per1os Posted April 26, 2007

Use post data, that will hide the user_id from the URL. Also I would make sure to use a password, not just a userid.

Once the user is logged in, store his ID in the session variable or a cookie to pass it along from page to page for verification. I would also store his password (md5 hashed of course) in there too for double verification.

textbox Posted April 26, 2007

Also, I always put this at the top of any pages that need the user to be logged in. This code prevents the page being accessed directly.

    <?php
    // Load the session first so $_SESSION is populated and the header below is not overridden.
    session_start();
    header("Cache-control: private");
    // empty() also covers the case where the key was never set.
    if (empty($_SESSION['username'])) {
        echo "You're not logged in!";
        include("index.php");
        exit();
    }

MadTechie Posted April 26, 2007

I agree with the "don't use GET, use POST", but it's still pretty easy to alter a POST as well as a GET. Of course the first attack is the login screen; as soon as a member sees a user_id or something like that they will try to exploit it. If you do use the user_id in a GET or POST then you must verify it after (personally I would use a session).

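The approach discussed in this thread (take the acting user from the session set at login and treat any user_id in the URL or form as a claim to verify), shown as an added example that is not part of any poster's reply. The function name, the exception class and the sample requests are hypothetical; the session and request are passed in as plain arrays so the script runs from the PHP 7.1+ command line.

```php
<?php
// Added example; authorize_target_user() and AccessDenied are hypothetical names.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

/**
 * Decide which account a request may act on.
 * The session (server-side state written at login) is the only source of
 * identity; a user_id sent by the client is a claim to check, never trusted.
 */
function authorize_target_user(array $session, array $request): string
{
    if (empty($session['USERID']) || !is_string($session['USERID'])) {
        throw new AccessDenied('not logged in');
    }
    $sessionUser = $session['USERID'];

    // No user_id supplied: act on the logged-in user's own account.
    if (!array_key_exists('user_id', $request)) {
        return $sessionUser;
    }
    // ?user_id[]=x arrives as an array; accept only a plain string that
    // names the same account the session was created for.
    $claimed = $request['user_id'];
    if (!is_string($claimed) || $claimed !== $sessionUser) {
        throw new AccessDenied('user_id does not match the logged-in user');
    }
    return $sessionUser;
}

// Constructed sample requests: [session contents, GET/POST parameters].
$cases = [
    'own account, no parameter' => [['USERID' => 'anita'], []],
    'own account, matching id'  => [['USERID' => 'anita'], ['user_id' => 'anita']],
    'logged in, asks for john'  => [['USERID' => 'anita'], ['user_id' => 'john']],
    'not logged in'             => [[], ['user_id' => 'john']],
    'array-typed parameter'     => [['USERID' => 'anita'], ['user_id' => ['john']]],
];

foreach ($cases as $label => [$session, $request]) {
    try {
        $user = authorize_target_user($session, $request);
        echo "$label: allowed, acting as $user\n";
    } catch (AccessDenied $e) {
        echo "$label: denied ({$e->getMessage()})\n";
    }
}
```

In a real page the two arrays would be `$_SESSION` and `$_GET` or `$_POST`, and the database update would use only the returned value.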
btherl Posted April 27, 2007

Best is to combine both approaches. Post hides the data from the URL when logging in, and sessions keep the "logged in status" stored on PHP's side, rather than alterable by the user.

For high security applications, SSL (in addition to the other two techniques) will prevent the post data from being intercepted while travelling over the network.

rcorlew Posted April 27, 2007

Another thing I like to do is to use:

    $_SESSION['userid'] = "$userid"; // Nothing new there
    $scheck = md5($userid);          // Hash of the user id taken at login
    $_SESSION['log'] = "$scheck";

Now here is one way to prevent spoofing:

    // Compare the stored hash with a fresh hash of the stored user id.
    if ($_SESSION['log'] == md5($_SESSION['userid'])) {
        // Do user's stuff here
    } else {
        echo "Oops, an error occurred, please try logging in again";
        unset($_SESSION['userid']);
    }

It checks the hash of the userid against a newly created hash of the $_SESSION id; if they don't match, the $_SESSION id is unset and the person will have to log in again. This will deter most curious hackers and crackers...

On another note, please do not store $_SESSIONS in the default /tmp directory; make a folder above your public html folder and give it a name that will not lead one to believe there is anything of value in there.