
Found Another PHP Session Issue



nani_nisha06
11-09-2012, 08:01 PM
HI Friends,

I have created a basic web script which has Admin & user power modes.

So, now my problem is: if any of the users, I mean Admin/User, enters the path of the script directly in the URL field while in the session, it gets executed.

For example:

I have a table with the delete option and a unique id.

If Admin wants to delete the row with that unique Id, he can just push the delete button, which is connected to delete.php?id=123, i.e. www.mysite.com/delete.php?id=123 will get executed and the command in that script will delete that particular id's row.

On the second point, I have created a control for the user to prevent deleting.

Now, in case the user observes the path www.mysite.com/delete.php?id=123 and changes it to www.mysite.com/delete.php?id=124 & executes it, the script gets executed directly without pushing the delete button, so now I want this to be avoided.

The above direct script URL execution happens for both Admin & User....Now, how can I restrict this case?

Any thoughts? Please help me!!!

Regards,
Nani

Redcoder
11-09-2012, 08:30 PM
You need to add a check in delete.php on the 'id' GET variable. If the 'id' variable is set, before any other action can be taken, the user's session is checked to see whether he is an admin or not.

You have to add session_start() at the top of your scripts to prevent 'headers already sent' errors.

Here I'm guessing that when starting the session during login you give the user a variable that shows whether he is an admin or a normal user. In the case below, $_SESSION['user_type'].


<?php
session_start();

if(!empty($_GET['id']))
{
    if(isset($_SESSION['user_type']) && $_SESSION['user_type'] == "admin")
    {
        //execute the code that deletes stuff from mysql database
    }
    else
    {
        //Tell user that page doesn't exist then redirect him back home.
    }
}
?>

nani_nisha06
11-09-2012, 08:53 PM
You need to add a check in delete.php on the 'id' GET variable. If the 'id' variable is set, before any other action can be taken, the user's session is checked to see whether he is an admin or not.

You have to add session_start() at the top of your scripts to prevent 'headers already sent' errors.

Here I'm guessing that when starting the session during login you give the user a variable that shows whether he is an admin or a normal user. In the case below, $_SESSION['user_type'].


<?php
session_start();

if(!empty($_GET['id']))
{
    if(isset($_SESSION['user_type']) && $_SESSION['user_type'] == "admin")
    {
        //execute the code that deletes stuff from mysql database
    }
    else
    {
        //Tell user that page doesn't exist then redirect him back home.
    }
}
?>



Thanks Redcoder,

But this thing cannot stop the issue.

How about using the rand function by extending the URL value, & then if the same number is re-entered, the URL value can expire, right???

Any thoughts on this??

Regards,
Nani

tangoforce
11-09-2012, 09:27 PM
But this thing cannot stop the issue.

Yes it will. You just need to set your session data when the user logs in.

Redcoder
11-09-2012, 09:50 PM
Thanks Redcoder,
How about using the rand function by extending the URL value, & then if the same number is re-entered, the URL value can expire, right???


That's unnecessary. Set session data as advised above on login.

nani_nisha06
11-10-2012, 07:11 AM
That's unnecessary. Set session data as advised above on login.

Redcoder,

Okay, agreed, this can be stopped if I add the user_type as you told in the above post....but this may lead to another 2 issues.

Case 1: This may only allow the admin to execute it, but if the same user needs to do it, it will not allow.

Case 2: If the admin types the script path directly, it still gets executed....which neither user nor admin should be able to do.

Any comments...

Regards,
Nani

Custard7A
11-10-2012, 11:37 AM
Interesting proposition. The way I see it, a script that executes by being "viewed" will always be available for direct access, and anyone with the prerequisites will be able to execute it as such. This isn't usually considered a problem per se, because you define the prerequisites, those people usually have easier methods (Like, pressing the buttons), and if they do go and execute it directly it's usually nothing they couldn't have done anyway.

Can't the POST method send data that isn't shown in the URL though? Perhaps you could be using that.

One last thing I'd like to pass on, I heard it somewhere else (..And it seemed smart). It's usually a good idea to make things only appear deleted, when being deleted by users, moderators, or anyone not explicitly trusted. For example, only moving the row to a table flagged as deleted data, so if someone abuses your script the damage can be undone.

tangoforce
11-10-2012, 01:53 PM
Case 1: This may only allow the admin to execute it, but if the same user needs to do it, it will not allow.

That's not an issue. The issue is that you haven't planned out your site and its logic properly if you want admins and users to be able to have the same permission sometimes but not others.



Case 2: If the admin types the script path directly, it still gets executed....which neither user nor admin should be able to do.


So stop using _GET requests then. No more hyperlinks; use buttons, forms and _POST instead. That means that visiting the link directly will not work, because the script will be looking for a button submission instead of a link.

To be honest though, you need an ACL / permissions system. There are plenty of ACL examples out there on Google.

tangoforce
11-10-2012, 01:55 PM
One last thing I'd like to pass on, I heard it somewhere else (..And it seemed smart). It's usually a good idea to make things only appear deleted, when being deleted by users, moderators, or anyone not explicitly trusted. For example, only moving the row to a table flagged as deleted data, so if someone abuses your script the damage can be undone.

Yes, a column called deleted with a tinyint default of 0. When deleting, set this to 1. In the query: where <whatever> and deleted = '0'. It is also useful to have a delete_time column so that you can delete stuff that's been deleted for a month while keeping any newer deletes.

Redcoder
11-11-2012, 03:36 AM
I do not know why you would want to allow a link with a GET variable to be clicked and instructions executed while the same link entered directly on the address bar is not allowed. That is NOT POSSIBLE and does not add up why you don't want it that way. It does not make a difference. Use POST with a hidden input value instead.
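The advice in this thread so far comes down to three checks on delete.php: only act on a form submission (tangoforce's "buttons, forms and _POST", Redcoder's "POST with a hidden input"), look the permission up from session data set at login (Redcoder's first reply and the ACL remark), and, for the "admin typing the path directly" case, tie the request to a number issued when the button was drawn, which is what nani_nisha06's rand idea amounts to. The following is an added example, not code from any poster: the function, permission-table and field names are assumptions, and the session and request arrays are passed in as parameters so the file runs from the command line (a real delete.php would call session_start() and pass $_SESSION and $_POST, never $_REQUEST).

```php
<?php
// Added example, not code from the thread: a delete handler that accepts only a
// POST from the site's own form, checks the session for a "delete_row"
// permission, and requires a one-time token issued when the button was drawn.
// Function, permission table and field names are assumptions.
declare(strict_types=1);

// Assumed permission table: which roles may perform which actions.
const PERMISSIONS = [
    'admin' => ['delete_row', 'edit_row', 'view_row'],
    'user'  => ['view_row'],
];

function role_can(string $role, string $action): bool
{
    return in_array($action, PERMISSIONS[$role] ?? [], true);
}

// Called while rendering the delete button: store a random token in the
// session, keyed by row id, and return it for the hidden form field.
function issue_delete_token(array &$session, int $id): string
{
    $token = bin2hex(random_bytes(16));
    $session['delete_tokens'][$id] = $token;
    return $token;
}

function render_delete_form(array &$session, int $id): string
{
    $token = issue_delete_token($session, $id);
    return '<form method="post" action="delete.php">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="token" value="' . $token . '">'
        . '<button type="submit">Delete</button></form>';
}

// Returns a short status string; the actual row removal is delegated to
// $deleteRow so the decision logic can be exercised without a database.
function handle_delete_request(string $method, array $post, array &$session, callable $deleteRow): string
{
    if ($method !== 'POST') {
        return 'reject: only POST is accepted';   // a URL typed in the address bar is a GET
    }
    $role = $session['user_type'] ?? '';
    if (!role_can($role, 'delete_row')) {
        return 'reject: not permitted';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'reject: bad id';
    }
    $expected = $session['delete_tokens'][$id] ?? null;
    if ($expected === null || !hash_equals($expected, (string) ($post['token'] ?? ''))) {
        return 'reject: missing, wrong or reused token';
    }
    unset($session['delete_tokens'][$id]);   // one-time: submitting the same form twice fails
    $deleteRow($id);
    return 'deleted ' . $id;
}

// Constructed walk-through (CLI only): an admin is shown a form for row 123.
if (PHP_SAPI === 'cli') {
    $session = ['user_type' => 'admin'];
    $removed = [];
    $deleteRow = function (int $id) use (&$removed): void { $removed[] = $id; };

    $form = render_delete_form($session, 123);
    preg_match('/name="token" value="([0-9a-f]+)"/', $form, $m);
    $post = ['id' => '123', 'token' => $m[1]];

    // Same fields, but arriving as a GET (typed into the address bar).
    echo handle_delete_request('GET', $post, $session, $deleteRow), "\n";
    // The token was issued for row 123, so it does not unlock row 124.
    echo handle_delete_request('POST', ['id' => '124', 'token' => $m[1]], $session, $deleteRow), "\n";
    // The genuine button press.
    echo handle_delete_request('POST', $post, $session, $deleteRow), "\n";
    // Re-submitting the very same form.
    echo handle_delete_request('POST', $post, $session, $deleteRow), "\n";
    // A plain user with a fresh token still lacks the permission.
    $session['user_type'] = 'user';
    render_delete_form($session, 123);
    echo handle_delete_request('POST', ['id' => '123', 'token' => $session['delete_tokens'][123]], $session, $deleteRow), "\n";
}
```

The token check is what separates "pressed the button on the page" from "knew the URL": the id alone is guessable, the per-session random value is not, and consuming it on use means the same form cannot be replayed. Reading only $_POST (not $_REQUEST) is what makes the method check meaningful, since a GET parameter would otherwise satisfy it.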

nani_nisha06
11-11-2012, 07:36 AM
I do not know why you would want to allow a link with a GET variable to be clicked and instructions executed while the same link entered directly on the address bar is not allowed. That is NOT POSSIBLE and does not add up why you don't want it that way. It does not make a difference. Use POST with a hidden input value instead.

Redcoder Or all,

I am sorry, I think there is some miscommunication....to be clear, I am using the POST method, not GET.

Still I see the same problem...

Anyway, as tangoforce said, I think I have confused my logic in planning, so let me rework and see if I can stop this using any if & key element condition.

I will post and discuss any further info in the thread :).

Please do keep watching....thanks for your time & as always I say you're all the best people in this forum to support a newbie like me :)

I am really happy.....

nani_nisha06
11-11-2012, 07:44 AM
I do not know why you would want to allow a link with a GET variable to be clicked and instructions executed while the same link entered directly on the address bar is not allowed. That is NOT POSSIBLE and does not add up why you don't want it that way. It does not make a difference. Use POST with a hidden input value instead.

Well, another doubt.....will mysql_real_escape_string() be enough for injection prevention, or is there any other strong method to do this.....

tangoforce
11-11-2012, 01:00 PM
I am sorry, I think there is some miscommunication....to be clear, I am using the POST method, not GET.


Erm, no you're not! You even tell us quite clearly that you are having problems with people accessing the site by its url and running the script (which is using $_GET - anything using a url is $_GET):


HI Friends,
Now, in case the user observes the path www.mysite.com/delete.php?id=123 and changes it to www.mysite.com/delete.php?id=124 & executes it, the script gets executed directly without pushing the delete button, so now I want this to be avoided.

Look - delete.php?id=123

That's a _GET request.

Redcoder
11-13-2012, 08:21 PM
Well, another doubt.....will mysql_real_escape_string() be enough for injection prevention, or is there any other strong method to do this.....

Use the PDO database driver with prepared statements. It's different when you're used to the mysql driver, but worth learning. It's an abstraction that helps with portability and injections.

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
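Two pieces of advice in this thread fit together: tangoforce's soft-delete layout (a deleted tinyint defaulting to 0, a delete_time column, and "and deleted = 0" on every normal query) and Redcoder's PDO prepared statements, where the id travels as a bound parameter rather than as part of the SQL text. The following is an added example, not code from either poster or from the linked tutorial. It uses an in-memory SQLite database so it runs stand-alone (a real site would hand new PDO() a mysql: DSN); the table name, column names and function names are assumptions.

```php
<?php
// Added example, not code from the thread: the "deleted tinyint + delete_time"
// soft-delete layout from tangoforce's reply, written with PDO prepared
// statements as Redcoder recommends. In-memory SQLite stands in for MySQL.
// The table name, column names and function names are assumptions.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (
        id INTEGER PRIMARY KEY,
        name TEXT NOT NULL,
        deleted TINYINT NOT NULL DEFAULT 0,
        delete_time DATETIME NULL)');
    return $db;
}

// Mark a row deleted instead of removing it. The id is bound as a parameter,
// so the request value is data and can never become part of the SQL text.
function soft_delete(PDO $db, int $id): int
{
    $stmt = $db->prepare('UPDATE items SET deleted = 1, delete_time = :now
                          WHERE id = :id AND deleted = 0');
    $stmt->execute([':now' => gmdate('Y-m-d H:i:s'), ':id' => $id]);
    return $stmt->rowCount();   // number of live rows that were marked
}

// Undo an abusive or accidental delete; this is the point of keeping the row.
function undelete(PDO $db, int $id): int
{
    $stmt = $db->prepare('UPDATE items SET deleted = 0, delete_time = NULL
                          WHERE id = :id AND deleted = 1');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Every ordinary read adds "AND deleted = 0", as the reply suggests.
function list_visible(PDO $db): array
{
    $rows = $db->query('SELECT id, name FROM items WHERE deleted = 0 ORDER BY id');
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Physically remove rows that have been soft-deleted for more than $days days.
function purge_old(PDO $db, int $days): int
{
    $cutoff = gmdate('Y-m-d H:i:s', time() - $days * 86400);
    $stmt = $db->prepare('DELETE FROM items WHERE deleted = 1 AND delete_time < :cutoff');
    $stmt->execute([':cutoff' => $cutoff]);
    return $stmt->rowCount();
}

// Constructed walk-through (CLI only) on three made-up rows.
if (PHP_SAPI === 'cli') {
    $db = open_db();
    $ins = $db->prepare('INSERT INTO items (id, name) VALUES (:id, :name)');
    foreach ([123 => 'first', 124 => 'second', 125 => 'third'] as $id => $name) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }

    printf("soft-deleted %d row(s)\n", soft_delete($db, 124));
    printf("visible ids: %s\n", implode(',', array_column(list_visible($db), 'id')));
    printf("second soft delete of the same row touches %d row(s)\n", soft_delete($db, 124));

    // Backdate the deletion by 40 days (still through a bound parameter),
    // then purge anything deleted more than 30 days ago.
    $back = $db->prepare('UPDATE items SET delete_time = :t WHERE id = :id');
    $back->execute([':t' => gmdate('Y-m-d H:i:s', time() - 40 * 86400), ':id' => 124]);
    printf("purged %d row(s)\n", purge_old($db, 30));
    printf("undelete of a purged row touches %d row(s)\n", undelete($db, 124));
}
```

With the id typed as int on the PHP side and bound as a parameter on the SQL side, a value such as "124 OR 1=1" arriving from a form is rejected before any query runs, and even a string that slipped through would be compared as a literal rather than parsed as SQL; that is the difference from escaping the value into a concatenated query string.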

Fou-Lu
11-13-2012, 08:46 PM
Erm, no you're not! You even tell us quite clearly that you are having problems with people accessing the site by its url and running the script (which is using $_GET - anything using a url is $_GET):



Look - delete.php?id=123

Thats a _GET request.

If I had to guess, _REQUEST is in use for retrieval. It works from the form; unfortunately it also works from the GET (and cookie and environment if you don't override it in the 5.3.0+ request_order directive). Hence why you do not use request; always explicitly use _GET or _POST depending on where you expect input from.
This said, I'd also question the "negative" of this; it doesn't really matter if it's performed via form action or via get action; you can connect directly with curl or a socket anyway and issue the same commands.

You still need to implement a privilege system from the looks of it. Input should always be considered dirty, and playing the "everyone will play nicely" will simply not work. Never trust a user. Never trust that a user will play by the rules. Enforce it instead.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum