Protect other users' user options


I’m developing a system where every user has options to delete, add, or update, whatever. Let’s imagine that I, as a logged-in user with ID=6 have the options to delete one of my photos.

When I click on one of my photos it is through a link like this

photo_op.php?id=42&p=images/user/QzEckSX.png&o=6

where ?id= is the image id, &p= is the path of the image and &o= is the user to whom the image belongs, in this case o=6.

I am checking if the photo is from the logged-in user, if so then I display the options, if not then just display the image. This way:

// $id_photo is assumed to come from the id= parameter of the link (the original snippet does not show where it is set)
$id_photo=$_REQUEST['id'];
$id_user=$_SESSION['id'];
// the owner id is read from the o= parameter of the URL, i.e. from a value the client controls
$owner=$_REQUEST['o'];

if ($owner != $id_user){
    echo "";
}else{
    echo "<div id='photo_op'><a href='eliminar_photo_p.php?id=$id_photo'></a> ";
    echo "<a href='add_photo_p.php?id=$id_photo'></a></div>";
}

The problem is that if the user with id=11 "injects" ID=6 into the link that belongs to the user with ID=6, the user with ID=11 gets access to the options of user ID=6.

What is the best way to display the options to the user without it being injected into the url?

For example, being the owner of the image I have this link:

photo_op.php?id=42&p=images/user/QzEckSX.png&o=6

But if the other user, id=11, does this:

photo_op.php?id=42&p=images/user/QzEckSX.png&o=11

he will have access to the options to delete this photo, which does not belong to him.

My login.php file is as follows:

<?php 
include('init.php');

//echo $_POST['txtemail'];
//echo $_POST['txtpassword'];

// USER QUERY
// Note: the e-mail and password are concatenated straight into the SQL text and the
// password is compared in clear text; the comments below point out both issues.
$consulta="Select * from user where email='" . $_POST['txtemail'] . "' and senha='" . $_POST['txtpassword'] . "'";
$resultado=mysql_query($consulta);
if (mysql_num_rows($resultado)>0) // IF THE EMAIL AND THE PASSWORD MATCH
{
// PUT THE QUERY DATA IN THE VARIABLE LINHA
$linha=mysql_fetch_array($resultado);
// PUT THE EMAIL IN THE SESSION
$_SESSION['email']=$linha['email'];
$_SESSION['username']=$linha['username'];
$_SESSION['id']=$linha['id'];
$_SESSION['status']=$linha['status'];
$_SESSION['genero']=$linha['genero'];
$_SESSION['last_login']=$linha['last_login'];
$_SESSION['nlog']=$linha['nlog'];
// REDIRECT THE PAGE TO THE SECRET PAGE
include('q/status_update.php');
include('q/nlog_update.php');
header("location: home.php");
}
else // IF THEY DO NOT MATCH
{
// REDIRECT TO THE HOME PAGE REPORTING THE ERROR
header("location: index.php?erro=1");
}
?>

My get_photos.php is as follows:

<?php 
// $conn is assumed to be a mysqli connection created by an include (the snippet does not show it)
$id_s=$_SESSION['id'];
$sql ="SELECT id, user_id, location FROM photos WHERE user_id=$id_s";

$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo " <a class='galeria_p' onclick='goclicky(this); return false;' target='_blank' href='q/photo_op.php?id=".$row['id']."&p=".$row['location']."&o=".$id_s."'><img class='img1' width='118px' height='118px' src='".$row['location']."'></a> ";
    }
} else {
    echo "0 results";
}
?>
  • Is there an authentication system? How do you know which images belong to the user? If there is an authentication system, you need to verify that the requested resource belongs to the logged-in user.

  • Yes, the user logs in, and after the login I display, in this case, the images according to the logged-in user id. I fetch them from the database through the logged-in user id, for example: $sql ="SELECT id, user_id, location FROM photos WHERE user_id=$id"; and so I get the photos of the logged-in user.

  • And where is the logged-in user id stored after login? You are leaving this responsibility on the client side, that is, it is the client who tells you what its ID is. If the ID is crucial to blocking improper access, it should not be passed in the link but saved in a Session, for example, and included in the query. Search for PHP login Session.

  • You can even keep the user ID in the URL, but don’t use it in the image lookup. Use it to compare whether the given ID is the same as the one stored in your Session; if yes, show the resource, if not, show a message saying that the resource does not belong to the user.

  • Also put in the question the code where the user logs in, so I can use it to give an example of how to use a Session.

  • @Filipemoraes Friend, thanks for your attention. I put my login.php file in the question.

  • OK, noticed, you already use a Session. What is your query to fetch the image? In the table where you store the images you certainly also have the id of the user it belongs to, right? Post your image table structure (fields) and the query that finds the image.

  • Right @Filipemoraes. The photos table has the field user_id, which stores the id of the user who uploaded the photo. The query is this: $sql ="SELECT id, user_id, location FROM photos WHERE user_id=$id";

  • Then put the following check in the WHERE clause of your query: user_id=$_SESSION['id']. Post the complete code, including the query.

  • @Filipemoraes I put my get_photos.php in the question.

  • Again, as I always say here, I see a login system that stores passwords in plain text, besides allowing SQL injection. :( Your whole problem is in the modeling, not in the coding; the thinking is wrong. If there were a relationship in the database between user and image, you would not go through this, and you would also get rid of having to pass the path of the image, since you would only pass its ID, and the ID is something unique.

  • @Renatotavares there is a relationship between user and image, it is there in the question, see the get_photos.php code. However, I agree with you that storing plain-text passwords is a security problem, but it is not the problem proposed in the question, so I did not talk about it.

  • Yes, passwords are being stored in plain text. At least for now, in the test phase. When my system is complete I will "comb through" each of the variables.

  • Then why pass the path of the photo, if through the relationship (in theory) you would have all the data of the image, such as description, who the owner is, who can do what with the photo.... This way you would only need to validate the logged-in user, then find out whether the photo is his own; an if would already do.. but I’m only commenting too.

  • Friend @Renatotavares, do you have some page where I could read more about it? Are the relationships you talk about made directly in phpMyAdmin?

  • @Davidconcha basically what he’s saying is that your table of images could contain, besides the owner of the image, the directory where it is, so you don’t need to pass it in the URL. By the way, why are you passing the directory of the image in the URL? Well, anyway, we answered the initial question.

  • To use the selected image as background: html{ background:url(<?php $photo_path=$_REQUEST['p']; echo"../$photo_path "?>) no-repeat center center fixed; }
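
The comments above raise two points that the question's login.php does not address: the password is compared in clear text and the e-mail and password are concatenated into the SQL. The following login.php is an added example written for this page; it is not the asker's code or the answer's. It assumes that init.php calls session_start() and exposes a mysqli connection as $conn (as the answer's code does), that the mysqlnd driver is available (for get_result()), and that the `senha` column holds a password_hash() digest instead of the clear-text password.

```php
<?php
// Added example (not the question's or the answer's own code): a hardened
// login.php using a prepared statement and password_hash()/password_verify().
// Assumptions: init.php calls session_start() and provides a mysqli
// connection as $conn; mysqlnd is available; `senha` stores a bcrypt hash.
include('init.php');

/**
 * Produce the value to store in `senha` when a user registers or changes
 * their password. PASSWORD_BCRYPT is the "PHP Bcrypt" the comments refer to;
 * a random salt is generated and embedded in the returned string.
 */
function hash_password(string $clear): string
{
    return password_hash($clear, PASSWORD_BCRYPT);
}

/**
 * Look the user up by e-mail only and let password_verify() do the comparison.
 * Returns the user row (without the hash) on success, null on failure. An
 * unknown e-mail and a wrong password are reported identically, so the form
 * does not reveal which e-mails exist.
 */
function authenticate(mysqli $conn, string $email, string $clear): ?array
{
    // The placeholder keeps the e-mail out of the SQL text, so input such as
    // "' or '1'='1" is just an e-mail address that matches no row.
    $stmt = $conn->prepare(
        'SELECT id, email, username, senha, status, genero, last_login, nlog '
        . 'FROM user WHERE email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $linha = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($linha && password_verify($clear, $linha['senha'])) {
        unset($linha['senha']);   // never keep the hash in the session
        return $linha;
    }
    return null;
}

$linha = authenticate($conn, $_POST['txtemail'] ?? '', $_POST['txtpassword'] ?? '');

if ($linha !== null) {
    // A fresh session id at login prevents session fixation: an id planted
    // before login never becomes the authenticated one.
    session_regenerate_id(true);
    $_SESSION['email']      = $linha['email'];
    $_SESSION['username']   = $linha['username'];
    $_SESSION['id']         = $linha['id'];
    $_SESSION['status']     = $linha['status'];
    $_SESSION['genero']     = $linha['genero'];
    $_SESSION['last_login'] = $linha['last_login'];
    $_SESSION['nlog']       = $linha['nlog'];
    include('q/status_update.php');
    include('q/nlog_update.php');
    header('Location: home.php');
    exit;   // nothing after a redirect header should keep running
}
header('Location: index.php?erro=1');
exit;
```

Existing rows that still hold clear-text passwords have to be rewritten once with hash_password() before this login can accept them; after that the clear text is never stored or compared with an SQL equality.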


1 answer



First, you have to check whether the image belongs to the logged-in user:

Let’s remove the line $owner=$_REQUEST['o']; because the responsibility for saying who owns the image is not the client’s but the server’s. Letting the client say whether or not it is the owner of the image is a security flaw.

It’s the same thing as you coming into a gated community and asking to get into the apartment and the doorman letting you in just because you said you own it.

$id_user = $_SESSION['id'];

// Let's remove a possible attack via SQL injection.
// Note that from PHP 5.5.0 onward the mysql_real_escape_string method
// and the mysql extension are deprecated, that is,
// they will be removed in future versions (PHP 7 has already removed them, I think).
// Switch to the mysqli extension (with an "i" at the end).
// Since $conn is already a mysqli object, the ids are bound as integers in a
// prepared statement instead of being escaped with the old mysql_ function.
$id_photo = (int) $_REQUEST['id'];

$stmt = $conn->prepare("SELECT 1 FROM photos WHERE id=? AND user_id=?");
$stmt->bind_param("ii", $id_photo, $id_user);
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows > 0) {
    echo "<div id='photo_op'><a href='eliminar_photo_p.php?id=$id_photo'></a> ";
    echo "<a href='add_photo_p.php?id=$id_photo'></a></div>";
} else {
    echo "Seu malandro! Você não é o dono da imagem!";
}
$stmt->close();
  • Is this variable $owner replaced by the $id of the photo?

  • @Davidconcha updated the code, there was an error. Refresh and see the answer. The variable $owner no longer exists.

  • @Davidconcha did an update again. I’m sorry, I’m coding in SOpt’s own editor.

  • Thank you very much! That’s right, I wasn’t thinking the best way. Your solution solved my problem! thank you very much friend!

  • @Davidconcha that’s great. However, I suggest some changes to your code: for example, do not store the user’s password in plain text; if the database falls into the wrong hands, all passwords will be compromised (even encrypted ones are, depending on the difficulty of the password). Look up PHP Bcrypt, for example; also look up SQL Injection to know how to handle your variables before putting them into the query, and try using mysqli (with an "i") instead of mysql, since it is deprecated.

  • I was thinking about leaving it like this while the project is not finished. I will not leave the password like this when I put the system online. Yes I will take a look at PHP Bcrypt. Thanks for the tips!
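
The answer checks ownership before rendering the links, but the same check has to run inside eliminar_photo_p.php itself, because anyone can request that URL directly with an arbitrary id. The script below is an added example written for this page, not the answer's or the asker's code: it combines photo_op.php and the delete action, puts the ownership condition into every query, and reads the image path from the database instead of the p= parameter (the point raised in the question's comments). It assumes that init.php calls session_start() and provides a mysqli connection as $conn, that the photos table has the id, user_id and location columns used in get_photos.php, and that mysqlnd is available for get_result().

```php
<?php
// Added example (not the answer's own code): ownership enforced on the server
// for both the view and the delete action. Assumptions: init.php starts the
// session and provides a mysqli connection as $conn; photos(id, user_id,
// location) exists as shown in get_photos.php; mysqlnd is available.
include('init.php');

/**
 * Return the photo row when $photoId exists AND belongs to $userId, else null.
 * Ownership is a condition of the query itself, so there is no o= parameter
 * for a client to rewrite.
 */
function find_owned_photo(mysqli $conn, int $userId, int $photoId): ?array
{
    $stmt = $conn->prepare('SELECT id, user_id, location FROM photos WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $photoId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Delete a photo only if the caller owns it. The same WHERE clause guards the
 * write: hiding the link is cosmetic, the action endpoint is what must refuse.
 * Returns true when exactly one row was removed.
 */
function delete_owned_photo(mysqli $conn, int $userId, int $photoId): bool
{
    $stmt = $conn->prepare('DELETE FROM photos WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $photoId, $userId);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

if (!isset($_SESSION['id'])) {
    header('Location: index.php');
    exit;
}
$id_user  = (int) $_SESSION['id'];
$id_photo = (int) ($_REQUEST['id'] ?? 0);   // only the photo id comes from the URL

// Delete requests arrive as POST (the delete link becomes a small form),
// so a plain GET to this URL never removes anything.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'delete') {
    if (!delete_owned_photo($conn, $id_user, $id_photo)) {
        http_response_code(403);
        echo 'You are not the owner of this image.';
        exit;
    }
    header('Location: home.php');
    exit;
}

$photo = find_owned_photo($conn, $id_user, $id_photo);
if ($photo === null) {
    http_response_code(403);
    echo 'You are not the owner of this image.';
    exit;
}

// The path comes from the database row, not from p= in the URL, so the client
// cannot point the page at an arbitrary file; it is escaped before being
// written into the HTML attribute that carries the CSS.
$path = htmlspecialchars($photo['location'], ENT_QUOTES, 'UTF-8');
echo "<html><body style=\"background:url('../$path') no-repeat center center fixed\">";
echo "<div id='photo_op'>";
echo "<form method='post' action='photo_op.php?id=$id_photo'>";
echo "<input type='hidden' name='action' value='delete'><button type='submit'>Delete</button>";
echo "</form>";
echo "<a href='add_photo_p.php?id=$id_photo'>Add</a></div></body></html>";
```

With this layout get_photos.php only needs to emit photo_op.php?id=42: the o= and p= parameters disappear, and a request for a photo id the session does not own returns 403 from both the view and the delete path. Adding a per-session CSRF token to the delete form is the natural next step once the ownership check is in place.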
