#1 nani_nisha06 (Regular Coder)

    Found Another PHP Session Issue

    Hi Friends,

    I have created a basic web script which has Admin & User power modes.

    So, now my problem is: if any of the users, I mean Admin/User, enters the path of the script directly in the URL field while in the session, it gets executed.

    For example:

    I have a table with a delete option and a unique id.

    If Admin wants to delete the row with that unique id, he can just push the delete button, which is connected to delete.php?id=123, i.e. www.mysite.com/delete.php?id=123 will get executed and the command in that script will delete that particular id's row.

    On the second point, I have created a control for User to prevent deleting.

    Now, in case the user observes the path www.mysite.com/delete.php?id=123 and changes it to www.mysite.com/delete.php?id=124 & executes it, the script gets executed directly without pushing the delete button, so now I want this to be avoided.

    The above direct script URL execution is happening for both Admin & User. Now, how can I restrict this case?

    Any thoughts? Please help me!

    Regards,
    Nani

#2 Redcoder (Regular Coder)
    You need to add a check in delete.php on the 'id' GET variable. If the 'id' variable is set, before any other action is taken, the user's session is checked to see whether he is an admin or not.

    You have to add session_start() at the top of your scripts to prevent "headers already sent" errors.

    Here I'm guessing that when starting the session during login you give the user a variable that shows whether he is an admin or a normal user. In the case below, $_SESSION['user_type'].

    PHP Code:

    <?php
    session_start(); // must run before any output, or the session cookie header cannot be sent

    if (!empty($_GET['id'])) {
        // user_type is stored in the session at login; isset() avoids an undefined-index notice
        if (isset($_SESSION['user_type']) && $_SESSION['user_type'] === 'admin') {
            // execute the code that deletes stuff from the mysql database
        } else {
            // tell the user that the page doesn't exist, then redirect him back home
        }
    }
    ?>

#3 nani_nisha06 (Regular Coder)
    Quote Originally Posted by Redcoder:
    You need to add a check in delete.php on the 'id' GET variable. [...] (quoted post #2 above, including its code)
    Thanks Redcoder,

    But this thing cannot stop the issue.

    How about using the rand function to extend the URL value, and then if the same number is re-entered, the URL value can expire, right???

    Any thoughts on this??

    Regards,
    Nani

#4 tangoforce (Senior Coder)
    Quote Originally Posted by nani_nisha06:
    But this thing cannot stop the issue.
    Yes it will. You just need to set your session data when the user logs in.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

#5 Redcoder (Regular Coder)
    Quote Originally Posted by nani_nisha06:
    Thanks Redcoder,
    How about using the rand function to extend the URL value, and then if the same number is re-entered, the URL value can expire, right???
    That's unnecessary. Set session data as advised above on login.

#6 nani_nisha06 (Regular Coder)
    Quote Originally Posted by Redcoder:
    That's unnecessary. Set session data as advised above on login.
    Redcoder,

    Okay, agreed, this can be stopped if I add the user_type as you told me in the above post. But this may lead to another 2 issues.

    Case 1: This may only allow the admin to execute it, but if the same user needs to do it, it will not be allowed.

    Case 2: If the admin types the script path directly, it still gets executed, which neither User nor Admin should be able to do.

    Any comments...

    Regards,
    Nani

#7 Custard7A (Regular Coder)
    Interesting proposition. The way I see it, a script that executes by being "viewed" will always be available for direct access, and anyone with the prerequisites will be able to execute it as such. This isn't usually considered a problem per se, because you define the prerequisites, those people usually have easier methods (Like, pressing the buttons), and if they do go and execute it directly it's usually nothing they couldn't have done anyway.

    Can't the POST method send data that isn't shown in the URL though? Perhaps you could be using that.

    One last thing I'd like to pass on, I heard it somewhere else (and it seemed smart). It's usually a good idea to make things only appear deleted, when being deleted by users, moderators, or anyone not explicitly trusted. For example, only moving the row to a table flagged as deleted data, so if someone abuses your script the damage can be undone.

    Thanked by nani_nisha06 (11-11-2012)

#8 tangoforce (Senior Coder)
    Quote Originally Posted by nani_nisha06:
    Case 1: This may only allow the admin to execute it, but if the same user needs to do it, it will not be allowed.
    That's not an issue. The issue is that you haven't planned out your site and its logic properly if you want admins and users to be able to have the same permission sometimes but not others.

    Quote Originally Posted by nani_nisha06:
    Case 2: If the admin types the script path directly, it still gets executed, which neither User nor Admin should be able to do.
    So stop using _GET requests then. No more hyperlinks; use buttons, forms and _POST instead. That means that visiting the link directly will not work, because the script will be looking for a button submission instead of a link.

    To be honest though, you need an ACL / permissions system. There are plenty of ACL examples out there on Google.

#9 tangoforce (Senior Coder)
    Quote Originally Posted by Custard7A:
    One last thing I'd like to pass on, I heard it somewhere else (and it seemed smart). It's usually a good idea to make things only appear deleted, when being deleted by users, moderators, or anyone not explicitly trusted. For example, only moving the row to a table flagged as deleted data, so if someone abuses your script the damage can be undone.
    Yes, a column called deleted with a tinyint default of 0. When deleting, set this to 1. In the query: where <whatever> and deleted = '0'. It is also useful to have a delete_time column so that you can delete stuff that's been deleted for a month while keeping any newer deletes.


#10 Redcoder (Regular Coder)
    I do not know why you would want to allow a link with a GET variable to be clicked and instructions executed while the same link entered directly on the address bar is not allowed. That is NOT POSSIBLE and does not add up why you don't want it that way. It does not make a difference. Use POST with a hidden input value instead.


#11 nani_nisha06 (Regular Coder)
    Quote Originally Posted by Redcoder:
    I do not know why you would want to allow a link with a GET variable to be clicked and instructions executed while the same link entered directly on the address bar is not allowed. That is NOT POSSIBLE and does not add up why you don't want it that way. It does not make a difference. Use POST with a hidden input value instead.
    Redcoder or all,

    I am sorry, I think there is some miscommunication. To be clear, I am using the POST method, not GET.

    Still I see the same problem...

    Anyways, as tangoforce said, I think I have confused my logic in planning, so let me rework it and see if I can stop this using any if & key element condition.

    I will post and discuss any further info in the thread.

    Please do keep watching. Thanks for your time & as always I say you are all the best people in this forum to support a newbie like me.

    I am really happy.....

#12 nani_nisha06 (Regular Coder)
    Quote Originally Posted by Redcoder:
    [...] Use POST with a hidden input value instead.
    Well, another doubt: can I use mysql_real_escape_string() for injection prevention, will that be enough, or is there any other strong method to do this?

#13 tangoforce (Senior Coder)
    Quote Originally Posted by nani_nisha06:
    I am sorry, I think there is some miscommunication. To be clear, I am using the POST method, not GET.
    Erm, no you're not! You even tell us quite clearly that you are having problems with people accessing the site by its URL and running the script (which is using $_GET; anything using a URL is $_GET):

    Quote Originally Posted by nani_nisha06:
    Now, in case the user observes the path www.mysite.com/delete.php?id=123 and changes it to www.mysite.com/delete.php?id=124 & executes it, the script gets executed directly without pushing the delete button, so now I want this to be avoided.
    Look - delete.php?id=123

    That's a _GET request.

#14 Redcoder (Regular Coder)
    Quote Originally Posted by nani_nisha06:
    Well, another doubt: can I use mysql_real_escape_string() for injection prevention, will that be enough, or is there any other strong method to do this?
    Use the PDO database driver with prepared statements. It's different when you're used to the mysql driver, but worth learning. It's an abstraction that helps with portability and injections.

    http://net.tutsplus.com/tutorials/ph...tabase-access/
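
    Added example, not code from the thread: the soft-delete scheme tangoforce describes in #9 (a deleted flag and a delete_time column, every normal query adding "and deleted = 0", and a periodic purge of rows deleted more than a month ago), written with the PDO prepared statements Redcoder recommends in #14 instead of mysql_real_escape_string(). It uses an in-memory SQLite database (pdo_sqlite ships with PHP) so it runs offline from the command line; for MySQL you would change the DSN and declare deleted as TINYINT as in #9. The table name items, the sample rows, and the function names are assumptions, and delete_time is stored as a Unix timestamp so the same SQL works on both engines.

```php
<?php
// Added example, not code from the thread: soft delete with PDO prepared statements.
// In-memory SQLite so it runs offline; for MySQL change the DSN and use TINYINT for
// "deleted" as tangoforce describes. Table name, sample rows and function names are
// assumptions; delete_time is a Unix timestamp so the same SQL works on both engines.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // On MySQL also set PDO::ATTR_EMULATE_PREPARES => false for server-side prepares.
    ]);
    // deleted: 0 = live, 1 = soft-deleted. delete_time: NULL while the row is live.
    $db->exec('CREATE TABLE items (
        id          INTEGER PRIMARY KEY,
        name        TEXT    NOT NULL,
        deleted     INTEGER NOT NULL DEFAULT 0,
        delete_time INTEGER NULL
    )');
    // Constructed sample rows; ids chosen to match the thread's delete.php?id=123 example.
    $ins = $db->prepare('INSERT INTO items (id, name) VALUES (:id, :name)');
    foreach ([123 => 'report.pdf', 124 => 'budget.xls', 125 => 'notes.txt'] as $id => $name) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }
    return $db;
}

// Soft delete: flag the row instead of removing it. The id travels as a bound
// parameter, never as part of the SQL text, so no escaping is needed.
// Returns the number of rows flagged: 0 if the id is unknown or already deleted.
function soft_delete(PDO $db, int $id, int $now): int
{
    $st = $db->prepare('UPDATE items SET deleted = 1, delete_time = :now
                        WHERE id = :id AND deleted = 0');
    $st->bindValue(':now', $now, PDO::PARAM_INT);
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

// Undo a mistaken or abusive delete, which is the point Custard7A made.
function restore(PDO $db, int $id): int
{
    $st = $db->prepare('UPDATE items SET deleted = 0, delete_time = NULL
                        WHERE id = :id AND deleted = 1');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

// Every normal query adds "AND deleted = 0", so flagged rows vanish from the UI.
function list_live(PDO $db): array
{
    return $db->query('SELECT id, name FROM items WHERE deleted = 0 ORDER BY id')->fetchAll();
}

// Housekeeping: hard-delete rows that have been flagged for longer than $max_age seconds.
function purge_old(PDO $db, int $now, int $max_age = 30 * 86400): int
{
    $st = $db->prepare('DELETE FROM items WHERE deleted = 1 AND delete_time < :cutoff');
    $st->bindValue(':cutoff', $now - $max_age, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

if (PHP_SAPI === 'cli') {
    $db  = open_db();
    $now = time();
    echo "soft_delete(124): ", soft_delete($db, 124, $now), " row(s)\n";
    echo "soft_delete(124) again: ", soft_delete($db, 124, $now), " row(s)\n";
    echo "live ids: ", implode(',', array_column(list_live($db), 'id')), "\n";
    echo "purge today: ", purge_old($db, $now), " row(s)\n";
    echo "purge 31 days later: ", purge_old($db, $now + 31 * 86400), " row(s)\n";
    echo "restore(123): ", restore($db, 123), " row(s)\n";
}
```

    Run it with php from the command line. The first soft_delete(124) flags one row and the second flags none, list_live() returns ids 123 and 125, purge_old() removes nothing until the 30-day window has passed and one row once it has, and restore(123) changes nothing because that row was never deleted. Binding the id as an integer parameter is what makes mysql_real_escape_string() unnecessary here: the value is never spliced into the SQL string, so a tampered id cannot change the query.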

#15 Fou-Lu (God Emperor)
    Quote Originally Posted by tangoforce:
    Erm, no you're not! You even tell us quite clearly that you are having problems with people accessing the site by its URL and running the script (which is using $_GET; anything using a URL is $_GET):

    Look - delete.php?id=123

    That's a _GET request.
    If I had to guess, _REQUEST is in use for retrieval. It works from the form; unfortunately it also works from the GET (and cookie and environment if you don't override it in the 5.3.0+ request_order directive). Hence why you do not use _REQUEST; always explicitly use _GET or _POST depending on where you expect input from.

    This said, I'd also question the "negative" of this; it doesn't really matter if it's performed via form action or via get action; you can connect directly with curl or a socket anyway and issue the same commands.

    You still need to implement a privilege system from the looks of it. Input should always be considered dirty, and playing "everyone will play nicely" will simply not work. Never trust a user. Never trust that a user will play by the rules. Enforce it instead.
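
    Added example, not code from the thread: a delete.php handler that puts together the advice of #8 and #15. It reads input explicitly from $_POST rather than $_REQUEST, refuses anything that is not a form submission, checks the role stored in $_SESSION['user_type'] at login (Redcoder's #2) against a small permission map (tangoforce's ACL in #8), and treats the id as dirty until it validates as a positive integer. It also carries a per-session form token, which is what Nani's random-number idea from #3 becomes when done properly: generated with random_bytes() instead of rand(), compared with hash_equals(), and required on every state-changing POST. The caveat Fou-Lu raises still holds: a logged-in admin can send the same POST with curl and it will succeed, because that is what the admin is allowed to do. What these checks do stop are a typed URL, a user whose role lacks the delete permission, and a page on another site that submits the form from the admin's browser without knowing the token. The permission map, the function and field names, and the CLI harness are assumptions; the handler takes the request arrays as parameters so it can be exercised without a web server, and in delete.php you would call it as handle_delete($_SERVER, $_POST, $_SESSION) after session_start().

```php
<?php
// Added example, not code from the thread: a delete.php decision function that reads
// input explicitly from POST (never $_REQUEST), requires a per-session form token,
// checks the caller's role against a permission map, and validates the id.
// PERMISSIONS, the token field name and the function names are assumptions.
declare(strict_types=1);

// Role -> allowed actions. Extend as the site grows (tangoforce's "ACL / permissions system").
const PERMISSIONS = [
    'admin' => ['delete', 'edit', 'view'],
    'user'  => ['view'],
];

// Call once at login, after session_start(), e.g. issue_form_token($_SESSION).
// The value goes into a hidden input of every state-changing form. random_bytes()
// is a CSPRNG; rand() is predictable and must not be used for this.
function issue_form_token(array &$session): string
{
    if (empty($session['form_token']) || !is_string($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Decide whether a delete request may proceed. Takes the request arrays as parameters
// instead of touching the superglobals so it can be exercised from the CLI.
// Returns ['ok' => bool, 'status' => int, 'id' => ?int, 'reason' => string].
function handle_delete(array $server, array $post, array $session): array
{
    // 1. Only a form submission counts. A typed URL or a hyperlink is a GET.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return ['ok' => false, 'status' => 405, 'id' => null, 'reason' => 'method not allowed'];
    }

    // 2. The session must carry a logged-in user with a role we know.
    $role = $session['user_type'] ?? null;
    if (!is_string($role) || !isset(PERMISSIONS[$role])) {
        return ['ok' => false, 'status' => 401, 'id' => null, 'reason' => 'not logged in'];
    }

    // 3. The posted token must match the one issued to this session.
    //    hash_equals() compares in constant time.
    $sent = $post['form_token'] ?? '';
    if (!is_string($sent) || empty($session['form_token'])
        || !hash_equals((string) $session['form_token'], $sent)) {
        return ['ok' => false, 'status' => 403, 'id' => null, 'reason' => 'bad form token'];
    }

    // 4. Authorisation: may this role delete at all?
    if (!in_array('delete', PERMISSIONS[$role], true)) {
        return ['ok' => false, 'status' => 403, 'id' => null, 'reason' => 'role may not delete'];
    }

    // 5. Input is dirty until proven otherwise: id must be a positive integer.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'status' => 400, 'id' => null, 'reason' => 'invalid id'];
    }

    // Only now would delete.php run its prepared UPDATE or DELETE for $id.
    return ['ok' => true, 'status' => 200, 'id' => $id, 'reason' => 'allowed'];
}

// CLI walk-through over constructed requests (no web server needed).
if (PHP_SAPI === 'cli') {
    $admin = ['user_type' => 'admin'];
    $token = issue_form_token($admin);
    $user  = ['user_type' => 'user', 'form_token' => $token];

    $cases = [
        'typed URL (GET) as admin'     => [['REQUEST_METHOD' => 'GET'],  ['id' => '124'], $admin],
        'POST without token'           => [['REQUEST_METHOD' => 'POST'], ['id' => '124'], $admin],
        'POST with token as admin'     => [['REQUEST_METHOD' => 'POST'], ['id' => '124', 'form_token' => $token], $admin],
        'POST with token as user'      => [['REQUEST_METHOD' => 'POST'], ['id' => '124', 'form_token' => $token], $user],
        'POST with token, tampered id' => [['REQUEST_METHOD' => 'POST'], ['id' => '124 OR 1=1', 'form_token' => $token], $admin],
    ];
    foreach ($cases as $label => [$srv, $post, $sess]) {
        $r = handle_delete($srv, $post, $sess);
        printf("%-30s -> %d %s\n", $label, $r['status'], $r['reason']);
    }
}
```

    Run from the CLI it prints five lines: the GET request is refused with 405, the POST without a token with 403, the admin's POST with the token is allowed for id 124, the user's POST is refused with 403 because the role lacks the delete permission, and the tampered id is refused with 400 before any query is built. The order of the checks matters: method, session, token, permission, then input, so an unauthenticated request never reaches the id validation or the database.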

