Jump to content

Recommended Posts

I am new to PHP and have been using it primarily with mysql.  I have a login form and I use sessions for each PHP page in the web site.  A couple questions:

 

1.  Some of my PHP pages have inputs like 'user_id' i.e. doSomAction.php?user_id=john.  Now if someone from the outside wants to access this page, they could type in the URL directly and try to add in the user_id=john in the URL or other ids.  So, if this page has features like updating the DB etc., a hacker could then populate the DB.  I want to prevent this.  I thought about checking the $_SESSION variables to check if a user is logged in to prevent outside hackers.  However, if a hacker is registered in the system, he could login and then try to access the PHP directly with the URL with user_id='john'.  What are some other options?

 

Thanks

Anita

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/
Share on other sites

Use post data, that will hide the user_id from the url.

 

Also I would make sure to use a password, not just a userid. Once the user is logged in store his ID in the session variable or a cookie to pass it along from page to page for verification. I would also store his password (md5 hashed of course) in there too for double verification.

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/#findComment-239359
Share on other sites

Also, i always put this at the top of any pages that need the user to be logged in.

This code prevents the page being accessed directly.

 

<?php
header("Cache-control: private");
if (!$_SESSION['username']) {
    echo "You're not logged in!";
    include("index.php");
    exit();
}

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/#findComment-239361
Share on other sites

i agree with the don't use GET use POST but its still pretty easy to alter a POST as well as a GET,

 

of course the first attack is the login screen, as soon a member see's a user_id or something like that they will try to exploit it, if you do use the user_id in a get or post then you must verify it after, (personally i would use a session)

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/#findComment-239364
Share on other sites

Best is to combine both approaches.  Post hides the data from the URL when logging in, and sessions keep the "logged in status" stored on php's side, rather than alterable by the user.  For high security applications, SSL (in addition to the other two techniques) will prevent the post data from being intercepted while travelling over the network.

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/#findComment-239478
Share on other sites

Another think I like to do is to use:

 

$_SESSION['userid'] = "$userid"; //Nothing new there

 

$scheck = (md5($userid));

 

$_SESSION['log'] = "$scheck";

 

Now here is one way to prevent spoofing:

 

if($SESSION[log] == (md5($_SESSION[userid])) {

    //Do user's stuff here

}

 

else {

  echo "Oops, an error occured, please try logging in again";

    unset($_SESSION['userid']);

}

 

It checks the hash of the userid against a newly created hash of the $_SESSION id, if they don't match, $_SESSION id is unset and the person will have to login in again, this will deter most curious hackers and crackers...

 

On another note, please do not store $_SESSIONS in the default /tmp directory, make a folder above your public html folder and give it a name that will not lead one to beleive there is anything of value in there.

Link to comment
https://forums.phpfreaks.com/topic/48836-php-security-question/#findComment-239631
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.