-2
Good morning, My doubt arises because of increasing the security of my application. The scenario is as follows: A user with authorization sees the listing of several items (e.g., list-item.php), and can delete the item you want. The process of deleting is through a query string (Ex: elimina-item.php? id=14)
Is there any way to restrict/block manipulation in this id case? for example if the user’s account is stolen and the person has bad intentions, you can simply change the id in the query string and delete several items. Basically I ask if there is a solution to block the handling of the query and only accept the query that comes from the list-item page.php
I saw in other places that the moment the user clicks on the item to delete, generates a hash that will be sent as well and then the match is made. It is a good solution or there will be something else in account?
– leugim
Yeah, a hash could be a solution or, are you always asking the user to be able to confirm the password when deleting, but you can only manipulate via Get ? not be via post? Parameters via get are very insecure
– Marcos Brinner
@Marcosbrinnerpikatoons the way I developed only gives through GET. The items appear in the list and each one has a delete button, that button that renwalker with the respective item id to delete-item.php.
– leugim
This hash business has the look of gambiarra, and GET and POST give almost the same. The most common would be to simply check in the application whether or not the logged in user has permission to perform the operation. In principle, in a normal application, if the user makes the change by the system or by the URL, there should be no practical difference. If you can better explain a practical case where tampering with the URL would be a problem in your search, it might be easier to help (at least explain where it would be different for the user to type a 2612 ID or choose the 2612 ID by the same application).
– Bacco
The most correct and elegant way would be to pass the parameters via
$_POST
for the reasons given here by @Caique C. https://answall.com/a/72027/93553, even using HASH in the URL, if you are an advanced user you can simply generate a HASH pro id that you want and put it in the URL, but in this case, go through$_POST
or$_GET
won’t make a difference, if the user’s account is stolen, the thief will be logged in legitimately.– Dobrychtop
to only how can you pass this data and via GET? if the guy has access to your application he will be able to erase regardless of the applied method ? Well a way for you "hinder" is to use maybe a base64_encode in the url id.
– Diego Braga
I will implement through the Post when the user wants to delete the item, skip a modal to confirm and then create the from to pass the variables and validate in the delete-item. I have been studying this part of security, avoid sql Injection etc, hence questioning this part. Thank you all for your help and availability
– leugim
Do not pass sensitive data through the query string, try using the query string for things that do not change system status, like list, flick, never for delete, authentication, Insert or editing, and use two-step authentication. Try to publish on a server that has HTTPS, add a 'captcha' solution'.
– Intruso
@Intruder Thanks for the tip
– leugim