How to have id security exposed in links - PHP + Javascript

Asked

Viewed 145 times

3

PHP language.

I have a grid where I have in each row buttons to edit and delete that record with javascript actions passing the id of that record to effect the action. My problem is related to security since it can have a nasty user who changes the id of that button and access improper data or delete it. How to do it safely?

Example of how it’s being done:

Rendered HTML part exits +/- like this (example of q would exit grid):

 <td>Dados1</td>
 <td>Dados2</td>
 <td><img src="editar.png" onclick="editar(1)"><img src="excluir.png"> onclick="excluir(1)"></td>
</tr>
<tr>
 <td>Dados3</td>
 <td>Dados4</td>
 <td><img src="editar.png" onclick="editar(2)"><img src="excluir.png"> onclick="excluir(2)"></td>
</tr>

and in javascript

function editar(id) {
   // chamada em ajax pra controller passando o id via post
}

function excluir(id) {
   // chamada em ajax pra controller passando o id via post
}

any hint of how to do safely without exposing id to user?

3 answers

2


Good afternoon Friend. I recently had a similar dilemma. following your code example I solved using the cryptoLib class available at http://cryptolib.ju.je

  1. First we create the functions

 require("path/to/cryptolib.php");

 function tokenizer($id){
 $token = CryptoLib::encryptData($id, "token");
 return $token;
 }

 // Função simples para decodificar o token recebido após click no elemento

 function decodeToken($token){
 $decryptedString = CryptoLib::decryptData($token, "token");
 return $decryptedString;
 }

EXAMPLE: In your html the code can be applied as follows

<td>Dados1</td>
<td>Dados2</td>
<td><img src="e.png" onclick="editar(<? echo tokenizer($row["id"]) ?>)">
<img src="del.png"> onclick="excluir(<? echo tokenizer($row["id"]) ?>)">
</td>
</tr>
<tr>
<td>Dados3</td>
<td>Dados4</td>
<td>
<img src="e.png" onclick="editar(<? echo tokenizer($row["id"]) ?>)">
<img src="del.png"> onclick="excluir(<? echo tokenizer($row["id"]) ?>)">
</td>
</tr>

HTML OUTPUT: In your rendered html the source code will be similar to the example below:

<td>Dados1</td>
<td>Dados2</td>
<td><img src="e.png" onclick="editar("ctnbCH1FXdr41JYI9J82sXjGKbFvIUP3pshgL8KaZsYsEFqFco3NgimLy2xAj")">
<img src="del.png"> onclick="excluir("gimLy2xfUP3pshgL8KaZsYsEFqFco3NAjctnbCH1FXdr41JYI9J82sXjGKbFv")">
</td>
</tr>
<tr>
<td>Dados3</td>
<td>Dados4</td>
<td>
<img src="e.png" onclick="editar("IUPIUP3pshgL8KaZsYsEFqFco3NgimLy2xAj3pshgL8KaZsYsEFqFco3NgimLy2xAj")">
<img src="del.png"> onclick="excluir("8KaZsYsEFqFco3NgctnbCH1FXdr41JYI9J82sXjGKbFvIUP3pshgLimLy2xAj")">
</td>
</tr>

In your CRUD in PHP. Use token validation function:

$id = decodeToken($token);

The function returns the id to use in CRUD manipulation.

Completion:

When calling the function

tokenizer($row["id"]);
// O valor retornado para token
sXjGKbFvIUP3pshgLim8KaZsYsEFqFco3NgctnbCH1FXdr41JYI9J82Ly2xAj

When receiving the token, sent by javascript, calls the function

$id = decodeToken($token);
// se o valor do $row["id"] informado para a função tokenizer() for igual a "99".
// a função retornará o equivalente a:
$id = 99;

Perks:

Every time pages are rendered, the token generated for each $Row{"id"] is unique and random.

I hope this helps to clear your doubts.

1

My problem is related to security since it may have a nasty user who changes the id of that button and access improper data or delete it[...]

Assuming that you only allow the proper actions to be performed in the face of user validation, then it is not a question of security failure.

  1. If the user X can change or remove such content so everything will well.
  2. If for some reason you rely on external 'validations' and PHP assume the request is true without validating the user, then we have a problem.

If the user has access to content actions 1 and 2 and you have a button delete.php?id=1, Even by changing the ID, the user can change the content without problem. The link can only not allow it to change to the ID of content other than its own and perform the action.

Note that the user will always see the reference, even if you have a hash for the ID.

0

The part that is in the client (Javascript, HTML, CSS) can always be manipulated, you need to validate the data on the server side (PHP, in your case), there you will have the ID passed, just check if that user can actually edit that element before actually editing.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.