Block query string url - php

Asked

Viewed 402 times

-2

Good morning, My doubt arises because of increasing the security of my application. The scenario is as follows: A user with authorization sees the listing of several items (e.g., list-item.php), and can delete the item you want. The process of deleting is through a query string (Ex: elimina-item.php? id=14)

Is there any way to restrict/block manipulation in this id case? for example if the user’s account is stolen and the person has bad intentions, you can simply change the id in the query string and delete several items. Basically I ask if there is a solution to block the handling of the query and only accept the query that comes from the list-item page.php

php security-guard querystring

  • I saw in other places that the moment the user clicks on the item to delete, generates a hash that will be sent as well and then the match is made. It is a good solution or there will be something else in account?

  • Yeah, a hash could be a solution or, are you always asking the user to be able to confirm the password when deleting, but you can only manipulate via Get ? not be via post? Parameters via get are very insecure

  • @Marcosbrinnerpikatoons the way I developed only gives through GET. The items appear in the list and each one has a delete button, that button that renwalker with the respective item id to delete-item.php.

  • This hash business has the look of gambiarra, and GET and POST give almost the same. The most common would be to simply check in the application whether or not the logged in user has permission to perform the operation. In principle, in a normal application, if the user makes the change by the system or by the URL, there should be no practical difference. If you can better explain a practical case where tampering with the URL would be a problem in your search, it might be easier to help (at least explain where it would be different for the user to type a 2612 ID or choose the 2612 ID by the same application).

  • 1

    The most correct and elegant way would be to pass the parameters via $_POST for the reasons given here by @Caique C. https://answall.com/a/72027/93553, even using HASH in the URL, if you are an advanced user you can simply generate a HASH pro id that you want and put it in the URL, but in this case, go through $_POST or $_GET won’t make a difference, if the user’s account is stolen, the thief will be logged in legitimately.

  • to only how can you pass this data and via GET? if the guy has access to your application he will be able to erase regardless of the applied method ? Well a way for you "hinder" is to use maybe a base64_encode in the url id.

  • I will implement through the Post when the user wants to delete the item, skip a modal to confirm and then create the from to pass the variables and validate in the delete-item. I have been studying this part of security, avoid sql Injection etc, hence questioning this part. Thank you all for your help and availability

  • Do not pass sensitive data through the query string, try using the query string for things that do not change system status, like list, flick, never for delete, authentication, Insert or editing, and use two-step authentication. Try to publish on a server that has HTTPS, add a 'captcha' solution'.

  • @Intruder Thanks for the tip

Show 4 more comments

1 answer

0

Take a look at this package: https://packagist.org/packages/ramsey/uuid

I use it to generate a single hash for each record and instead of working with the sequential key in Gets and Posts I use the hash.

This helps in several situations, for example: Editing user profile if you put http://localhost/usuario/profile/1/Edit and the person passing other ids there, he can change profile of other users, using the hash he would hardly discover a valid hash.

I hope it helps.

Browser other questions tagged php security-guard querystring

You are not signed in. Login or sign up in order to post.