Looking for comments on my security strategy

01-17-2010, 07:33 PM

I have a PHP/MySQL app I'm looking to market. I'm using a single MySQL database/file set to (hopefully) serve many separate customers, each having multiple users. Obviously, I need to secure one customer's data set from another.

Nothing hugely complicated in the app. I have lists of records folks can click on to then view detail. I have forms folks can use to edit single records, posting to a separate page that runs the database update. The DB will contain some financial info, people's names. Nothing major scary like SSNs or bank accounts.

So I use many GET vars on the lists, including the IDs of the database rows, so I can use them on the related detail page to pull the record. I use POST variables in the forms, etc.

Each customer has a unique ID in the database. When they log on, I store this ID in a session variable. Whenever a row is added to any table, I store that ID in the record. So whenever they request data, I only pull those records containing the customer's ID stored in the session variable. Such is my security so far.

My primary security concern is obviously the GET variables being revealed in the URL.

I've spent hours online trying to determine the best methods of encrypting this info, hiding this info, mod_rewrite, etc. I keep coming back to the thought that perhaps the best approach is to drop the thought of obscuring/hiding the data, which I figure evildoers could eventually work around, and attempt to knock them off at the database processing stage instead, validating all DB calls before they are made. I'm interested in the opinions of the many, many folks much smarter than I on this strategy.

When users click on a contact's name in a list, I simply embed the contact's ID in the URL, then pick that up in my "select" query when the "detail" page is called, i.e. contact_detail.php?contact_id=1. Solution: The original list was based on a query with dynamic "where" attributes. Store those attributes in a session variable on the page where the list is generated. On the process page, rerun the query based on the session variable values, then compare the GET variable value against those results. If there's a match, run the query; if not, toss the user out.

The same solution really applies everywhere, even on posts where I use hidden fields to pass those record IDs. Write those hidden values to the session as well, and compare the resulting POST values on the process page to the session values. If they match, run it; if not, toss the user out.

Any thoughts on this would be appreciated - whether good idea, bad idea, or whether there is another approach I should be considering.

Thanks for any opinions.
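The pattern the poster describes in the post above, scoping every read and write by the customer ID held in the server-side session rather than trusting anything in the URL or the form, can be shown end to end with a small runnable example. This is an added illustration, not code from the poster's app; it uses Python and an in-memory SQLite database in place of PHP/MySQL, and the schema (customers, contacts with a customer_id column), the sample rows and the dict standing in for the PHP session are all constructed here as assumptions. The point it demonstrates is that once the tenant ID is an AND condition of the query itself, a tampered contact_id from the query string (another tenant's row, or an injection attempt) simply matches nothing, so no separate "rerun the list and compare" step is required for the scoping check:

```python
import sqlite3

# Constructed schema: every tenant-owned row carries the owning customer's ID.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE contacts (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    name        TEXT    NOT NULL,
    balance     REAL    NOT NULL DEFAULT 0
);
"""

# Constructed sample data: customer 1 owns contacts 1 and 2, customer 2 owns contact 3.
SAMPLE_CUSTOMERS = [(1, "Acme"), (2, "Globex")]
SAMPLE_CONTACTS = [
    (1, 1, "Alice Adams", 120.0),
    (2, 1, "Bob Brown", 50.0),
    (3, 2, "Carol Cole", 999.0),
]


def make_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def _as_int(value):
    """Coerce a request parameter to int; None if it is not a plain integer."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def list_contacts(conn, session):
    """The list page: only rows owned by the session's customer are returned."""
    rows = conn.execute(
        "SELECT id, name, balance FROM contacts WHERE customer_id = ? ORDER BY id",
        (session["customer_id"],),
    ).fetchall()
    return [dict(r) for r in rows]


def contact_detail(conn, session, contact_id):
    """Equivalent of contact_detail.php?contact_id=N.

    contact_id comes from the URL and is untrusted; customer_id comes from the
    server-side session. Both are bound as parameters, and the tenant ID is part
    of the WHERE clause, so a foreign or malformed ID returns None.
    """
    cid = _as_int(contact_id)
    if cid is None:
        return None
    row = conn.execute(
        "SELECT id, name, balance FROM contacts WHERE id = ? AND customer_id = ?",
        (cid, session["customer_id"]),
    ).fetchone()
    return dict(row) if row else None


def update_contact_balance(conn, session, contact_id, new_balance):
    """The POST process page for the edit form.

    The hidden-field contact_id is treated exactly like the GET one: it is only
    ever used together with the session's customer_id. Returns the number of rows
    changed; 0 means the record is not this tenant's (or does not exist) and
    nothing was modified.
    """
    cid = _as_int(contact_id)
    if cid is None:
        return 0
    try:
        balance = float(new_balance)
    except (TypeError, ValueError):
        return 0
    cur = conn.execute(
        "UPDATE contacts SET balance = ? WHERE id = ? AND customer_id = ?",
        (balance, cid, session["customer_id"]),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    acme = {"customer_id": 1}   # what the PHP session would hold after login
    print(contact_detail(db, acme, "1"))          # Acme's own contact
    print(contact_detail(db, acme, "3"))          # Globex's contact: None
    print(update_contact_balance(db, acme, "3", "0"))   # 0 rows changed
```

The same shape carries over to the PHP side with prepared statements (PDO or mysqli) and `$_SESSION['customer_id']` as the bound tenant value: the rule is that no SELECT, UPDATE or DELETE against a tenant-owned table is ever issued without `AND customer_id = ?` bound from the session, and no request parameter is ever interpolated into the SQL string.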

01-17-2010, 08:22 PM
I wouldn't carry anything in the URL at all. Use sessions to keep track of the things you need to carry between the pages of your site.