sandrob57 Posted August 15, 2007 Share Posted August 15, 2007 ok, im going to have an array to show how many "technologies" a user has unlocked. $user['tech'] ^^ that would mean the user has no technologies $user['tech'][1] = 1 $user['tech'][2] = 1 $user['tech'][4] = 1 ^^ that would mean tech's 1,2 and 4 are unlocked How the data is stored is db for the example above is like this: [user_id][tech_id] 1 1 1 2 1 4 To set the variable $user['tech'], i just do a querry/array of all the rows in the db where there is your user_id Then I do a for_each for the database result and it will set $user['tech'][THE TECH ID] = 1 However, couldn't someone just go to "mysite.com/index.php?user['tech']['8'] = 1" and suddenly have tech 8? How do I avoid this? Can I delete an array before playing with it? Is there a smarter way to get this data? Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/ Share on other sites More sharing options...
jcombs_31 Posted August 15, 2007 Share Posted August 15, 2007 are you pulling data from $_GET? and then inserting into your DB. I assume the answer is no and the browser won't even display those characters in the url. I don't see how they could change their status this way. Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324156 Share on other sites More sharing options...
sandrob57 Posted August 15, 2007 Author Share Posted August 15, 2007 No, but you see, it doesn't set EACH variable. If you dont have ID 8 in your database (as purchased), then it woudl leave it blank. Example: $user['tech'][6] = 1 $user['tech'][7] = 1 $user['tech'][9] = 1 8 Isn't set, so it ins't purchased. Then someone could just put "user['tech'][8]=1" in the URL and have it. Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324165 Share on other sites More sharing options...
jcombs_31 Posted August 15, 2007 Share Posted August 15, 2007 you still don't make sense. how is entering that information into the url going to enter it into your DB? Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324168 Share on other sites More sharing options...
sandrob57 Posted August 15, 2007 Author Share Posted August 15, 2007 It wont, but, on the page, where it will show if you have techs or not (and do stuff depending on it) it will think you have a tech when you dont. Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324187 Share on other sites More sharing options...
dbo Posted August 15, 2007 Share Posted August 15, 2007 I don't think you have anything to worry about if you're not using the query string. Perhaps try to "hack" it as you think could be done and see what happens. If you continue to have errors give us an example and some code and perhaps we can help you out. Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324222 Share on other sites More sharing options...
Ferdog Posted August 15, 2007 Share Posted August 15, 2007 You could always initialize your array before using it which effectively erases any injected values. Something like: $myarray = array(); Link to comment https://forums.phpfreaks.com/topic/64962-array-security-question/#findComment-324251 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.