I’m developing a system where every user has options to delete, add, or update, whatever. Let’s imagine that I, as a logged-in user with ID=6 have the options to delete one of my photos.
When I click on one of my photos it goes through a link like this:
    photo_op.php?id=42&p=images/user/QzEckSX.png&o=6
where ?id= is the image id, &p= is the path of the image and &o= is who the image belongs to, in this case o=6.
I am checking if the photo is from the logged-in user, if so then I display the options, if not then just display the image. This way:
    $id_user = $_SESSION['id'];
    $owner   = $_REQUEST['o'];
    if ($owner != $id_user) {
        echo "";
    } else {
        echo "<div id='photo_op'><a href='eliminar_photo_p.php?id=$id_photo'></a> ";
        echo "<a href='add_photo_p.php?id=$id_photo'></a></div>";
    }
The problem is that if the user with id=11 "injects" ID=6 into the link that belongs to ID=6, the user with ID=11 gets access to the options of user ID=6.
What is the best way to display the options to the user without it being injected into the URL?
For example, as the owner of the image I have this link:
    photo_op.php?id=42&p=images/user/QzEckSX.png&o=6
But if the other user, id=11, does this:
    photo_op.php?id=42&p=images/user/QzEckSX.png&o=11
he will have access to the options to delete this photo, which does not belong to him.
My login.php file is as follows:
    <?php
    include('init.php');
    //echo $_POST['txtemail'];
    //echo $_POST['txtpassword'];
    // USER QUERY
    $consulta = "Select * from user where email='" . $_POST['txtemail'] . "' and senha='" . $_POST['txtpassword'] . "'";
    $resultado = mysql_query($consulta);
    if (mysql_num_rows($resultado) > 0) // IF THE EMAIL AND PASSWORD MATCH
    {
        // PUT THE QUERY DATA INTO THE VARIABLE $linha
        $linha = mysql_fetch_array($resultado);
        // PUT THE EMAIL IN THE SESSION
        $_SESSION['email']      = $linha['email'];
        $_SESSION['username']   = $linha['username'];
        $_SESSION['id']         = $linha['id'];
        $_SESSION['status']     = $linha['status'];
        $_SESSION['genero']     = $linha['genero'];
        $_SESSION['last_login'] = $linha['last_login'];
        $_SESSION['nlog']       = $linha['nlog'];
        // REDIRECT TO THE PRIVATE PAGE
        include('q/status_update.php');
        include('q/nlog_update.php');
        header("location: home.php");
    }
    else // IF THEY DO NOT MATCH
    {
        // REDIRECT TO THE START PAGE REPORTING THE ERROR
        header("location: index.php?erro=1");
    }
    ?>
My get_photos.php is as follows:
    <?php
    $id_s = $_SESSION['id'];
    $sql = "SELECT id, user_id, location FROM photos WHERE user_id=$id_s";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        // output data of each row
        while ($row = $result->fetch_assoc()) {
            echo " <a class='galeria_p' onclick='goclicky(this); return false;' target='_blank' href='q/photo_op.php?id=" . $row['id'] . "&p=" . $row['location'] . "&o=" . $id_s . "'><img class='img1' width='118px' height='118px' src='" . $row['location'] . "'></a> ";
        }
    } else {
        echo "0 results";
    }
    ?>
Is there an authentication system? How do you know which images belong to the user? If there is an authentication system, you need to verify that the requested resource belongs to the logged-in user.
– Filipe Moraes
Yes, the user logs in, and after the login I display, in this case, the images according to the logged-in user id. I fetch them from the database through the logged-in user id, for example:
    $sql = "SELECT id, user_id, location FROM photos WHERE user_id=$id";
and so I get the photos of the logged-in user.
– David Concha
And where is the logged-in user id stored after login? You are leaving this responsibility on the client side, that is, it is the client who tells you what its ID is. If the ID is crucial to blocking improper access, it should not be passed in the link but saved in a Session, for example, and be included in the query. Search for PHP login Session.
– Filipe Moraes
You can even keep the user ID in the URL, but don't use it in the image lookup. Use it to compare whether the given ID is the same as the one stored in your Session: if yes, show the resource; if not, show a message saying that the resource does not belong to the user.
– Filipe Moraes
Also put in the question the code where the user logs in, so I can use it to give an example of how to use a Session.
– Filipe Moraes
@Filipemoraes Friend, thanks for your attention. I put my login.php file in the question.
– David Concha
OK, I noticed you already use a Session. What is your query to fetch the image? Surely the table where you store the images also has the id of the user it belongs to, right? Post your image table structure (fields) and the query that finds the image.
– Filipe Moraes
Right, @Filipemoraes. The photos table has the field user_id, which stores the id of the user who uploaded the photo. The query is this:
    $sql = "SELECT id, user_id, location FROM photos WHERE user_id=$id";
– David Concha
Then put the following check in the WHERE clause of your query:
    user_id=$_SESSION['id']
Post the complete code, which includes the query.
– Filipe Moraes
@Filipemoraes I put my get_photos.php in the question.
– David Concha
Again, although I always say this here, I see a login system that stores passwords in plain text, besides allowing SQL injection. :( Your whole problem is in the modeling, not in the coding; the thinking is wrong. If there were a relationship between user and image in the database, this would not happen, and besides you would no longer have to pass the path of the image, since you would only pass its ID, and the ID is something unique.
– Renato Tavares
@Renatotavares there is a relationship between user and image; it is there in the question, see the get_photos.php code. However, I agree with you that storing plain-text passwords is a security problem, but it is not the problem posed in the question, so I did not mention it.
– Filipe Moraes
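For the two issues raised in this exchange, plain-text passwords and the string-built login query, here is an added example of the same login.php (not the asker's code) rewritten with a prepared statement and password_verify(); it assumes $conn is the mysqli connection from init.php and that the senha column holds a password_hash() value.

```php
<?php
// Added example, not the asker's login.php. Same table (user), columns (email, senha)
// and session fields as the original, but the lookup is a prepared statement and the
// stored password is a hash. Assumes $conn (mysqli) is created in init.php.
include 'init.php';
session_start();

$email    = $_POST['txtemail'] ?? '';
$password = $_POST['txtpassword'] ?? '';

// Look up by email only: the submitted password never becomes part of the SQL text,
// so neither value can change the query's structure.
$stmt = $conn->prepare(
    'SELECT id, email, username, senha, status, genero, last_login, nlog
       FROM user WHERE email = ?'
);
$stmt->bind_param('s', $email);
$stmt->execute();
$linha = $stmt->get_result()->fetch_assoc();   // null when no such email

// senha must have been written with password_hash($pw, PASSWORD_DEFAULT) at registration;
// password_verify() checks the candidate against that hash in constant time.
if ($linha === null || !password_verify($password, $linha['senha'])) {
    header('Location: index.php?erro=1');
    exit;
}

session_regenerate_id(true);              // fresh session id once the user is authenticated
$_SESSION['id']         = (int) $linha['id'];
$_SESSION['email']      = $linha['email'];
$_SESSION['username']   = $linha['username'];
$_SESSION['status']     = $linha['status'];
$_SESSION['genero']     = $linha['genero'];
$_SESSION['last_login'] = $linha['last_login'];
$_SESSION['nlog']       = $linha['nlog'];

include 'q/status_update.php';
include 'q/nlog_update.php';
header('Location: home.php');
exit;
```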
Passwords are being stored in plain text, yes. At least for now, in the test phase. When I have my complete system I will "comb through" each of the variables.
– David Concha
Then why pass the path of the photo, if through the relationship (in theory) you would have all the data of the image, like the description, who the owner is, who can do what with the photo.... This way you only need to validate the logged-in user and then check whether the photo is theirs; an if would already do.. but I'm only commenting too.
– Renato Tavares
Friend @Renatotavares, is there some page where I could read more about it? Are the relationships you talk about made directly in PHPmyAdmin?
– David Concha
@Davidconcha basically what he is saying is that your images table could contain, besides the owner of the image, the directory where it is, so you don't need to pass it in the URL; by the way, why are you passing the directory of the image in the URL? Well, anyway, we answered the initial question.
– Filipe Moraes
To use the selected image as background:
    html {
        background: url(<?php $photo_path = $_REQUEST['p']; echo "../$photo_path"; ?>) no-repeat center center fixed;
    }
– David Concha
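Pulling the thread's advice together (ownership compared against the Session, not against &o=, and the image path taken from the photos table instead of &p=), here is an added example of a photo_op.php plus the helper its delete page would share; it is not the asker's code, and it assumes $conn is the mysqli connection from init.php and that mysqlnd is available for get_result().

```php
<?php
// Added example, not the asker's code. Assumes $conn (mysqli) from init.php.
include 'init.php';
session_start();

/** Load a photo by its id only; returns the row (id, user_id, location) or null. */
function find_photo(mysqli $conn, int $id_photo): ?array {
    $stmt = $conn->prepare('SELECT id, user_id, location FROM photos WHERE id = ?');
    $stmt->bind_param('i', $id_photo);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

/** Delete only when the row belongs to the session user; false if not found or not owner.
 *  eliminar_photo_p.php should call this with $_SESSION['id'], so hiding the link is
 *  never the only protection. */
function delete_owned_photo(mysqli $conn, int $id_photo, int $id_user): bool {
    $stmt = $conn->prepare('DELETE FROM photos WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $id_photo, $id_user);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// --- photo_op.php: the only value taken from the URL is the photo id ---
if (empty($_SESSION['id'])) {
    header('Location: index.php?erro=1');
    exit;
}
$id_user  = (int) $_SESSION['id'];
$id_photo = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);   // int, or false/null if bad
$photo    = is_int($id_photo) ? find_photo($conn, $id_photo) : null;
if ($photo === null) {
    http_response_code(404);
    exit('photo not found');
}

// Ownership comes from the database row, never from ?o=; the path never from ?p=.
$is_owner = ((int) $photo['user_id'] === $id_user);
$bg_path  = htmlspecialchars('../' . $photo['location'], ENT_QUOTES, 'UTF-8');
?>
<style>html { background: url("<?php echo $bg_path; ?>") no-repeat center center fixed; }</style>
<?php if ($is_owner): ?>
<div id="photo_op">
  <a href="eliminar_photo_p.php?id=<?php echo $id_photo; ?>">Delete</a>
  <a href="add_photo_p.php?id=<?php echo $id_photo; ?>">Add</a>
</div>
<?php endif; ?>
```

With this layout the gallery links in get_photos.php only need href='q/photo_op.php?id=...'; any user who edits the id in the URL still sees only the image, and a forged delete request returns false because the DELETE is bound to their own session id.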