php_novice2007 Posted August 15, 2007
Hi, say I've got a PHP page a.php, and in it I have the session start and validate that it is an authorized user etc., and in a.php I have a form which posts to b.php. In b.php do I need to have the session things again? b.php will use the data from a.php to do processing, and I'm using all the isset($_POST[..]); if it's not set it means that an unauthorized person tried to access b.php, right? Thanks
Thread: https://forums.phpfreaks.com/topic/64988-is-_post-secure/
tibberous Posted August 15, 2007
They could set POST and visit b; the user can set POST to anything, so to answer your question, no.
Fadion Posted August 15, 2007
Use POST for sending data but sessions for user authorization. Instead of checking POST, check if a session exists.

session_start(); // resume the session that was created at login
if (isset($_SESSION['user'])) {
    // only the login code ever sets this key, so its presence means the user authenticated
    echo "Welcome " . $_SESSION['user'];
} else {
    die("access denied");
}
Fadion Posted August 15, 2007
Also, to extend the idea about security, you could send the encrypted user's password and id to a session variable, and in each page which needs authorization you can compare those values with the DB ones.

Set the session (after the login query has produced $row):

$id = $row['id'];
$pass = $row['pass']; // the stored (hashed) password, never the plaintext
$sess = $id . "." . $pass;
$_SESSION['user'] = $sess;

Validate the session on each protected page ($db is an open mysqli connection):

if (isset($_SESSION['user'])) {
    $sessVal = explode('.', $_SESSION['user'], 2); // limit 2 in case the hash contains a dot
    // a prepared statement keeps the session values out of the SQL string
    $stmt = $db->prepare("SELECT id FROM users WHERE id = ? AND pass = ?");
    $stmt->bind_param('ss', $sessVal[0], $sessVal[1]);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows == 1) {
        // code
    } else {
        die('no access here');
    }
}
keeB Posted August 15, 2007
That second approach adds a lot of overhead for limited/no added security. Upon successful login:

<?php
session_start();
$_SESSION['user'] = $registered; // $registered: the username already verified against the database
?>

Problem solved.
NArc0t1c Posted August 15, 2007
Someone could easily make a script to post to b.php. Why not just check the referrer?

// compare the host part of the Referer URL with our own host name
if (parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST) !== $_SERVER['HTTP_HOST']) {
    echo 'Please do not use proxies.';
}

I would also suggest that you encrypt sessions, because they could upload a PHP script to view/edit sessions (I had that happen to me before), but that's if you want strict security (and also get stronger/anonymous passwords).
php_novice2007 Posted August 15, 2007 (Author)
It's just that I'm writing a site where there are 3 types of users: public, owner, and admin. Each of them can fill in a form which allows them to access the database to extract info; depending on the type of user, they may not have access to some of the tables. So essentially I've got 3 copies of the same code, and I was just wondering if I can just use 1 copy instead since things are being posted anyway. That's alright, I'll just copy and paste everything. Just makes maintenance a bit difficult lol.
NArc0t1c Posted August 15, 2007
Why not search all three tables for the user? I think a join would do.
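An added example, not from any poster in this thread, of the single-copy b.php the original poster asks about: the session written at login (not shown) decides the role, the role decides which tables the form may query, and a session-bound form token stands in for the Referer check. $_SESSION['role'], TABLES_BY_ROLE and the table names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the login code has already stored
// $_SESSION['user'] and $_SESSION['role'] ('public', 'owner' or 'admin'); names are hypothetical.
session_start();

// Every page that does work repeats this gate: $_POST is chosen by the client,
// so its presence proves nothing about who sent the request.
function require_login(): void
{
    if (empty($_SESSION['user']) || empty($_SESSION['role'])) {
        http_response_code(403);
        exit('access denied');
    }
}
// One copy of the processing code; the role decides which tables are visible.
const TABLES_BY_ROLE = [
    'public' => ['listings'],
    'owner'  => ['listings', 'bookings'],
    'admin'  => ['listings', 'bookings', 'users'],
];
function allowed_table(string $role, string $table): bool
{
    return in_array($table, TABLES_BY_ROLE[$role] ?? [], true);
}
// a.php embeds this token in the form so b.php can tell its own form apart
// from a request forged by a script, without trusting the Referer header.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}
// b.php: check the token, then the role, then the requested table.
function handle_post(array $post): string
{
    if (!hash_equals($_SESSION['form_token'] ?? '', $post['token'] ?? '')) {
        return 'bad or missing form token';
    }
    $table = $post['table'] ?? '';
    if (!allowed_table($_SESSION['role'], $table)) {
        return 'this account may not read ' . $table;
    }
    // The real query goes here; $table is now one of a fixed allowlist, not raw input.
    return "SELECT * FROM {$table} ...";
}

require_login();
echo handle_post($_POST);
```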