Id Security In My Php Pages

[grahamgr3]

Right now on my website I created when someone is logged in they can go to the url in the address bar and change the id number associated with the url. for example one page I have is

add_image.php?id=4

4 is the id associated with the article.

If someone changes the 4 to a 7 for example. Then my page will show the other user's data on my page without them even entering that other person's login info. 

How do I make sure people can't see other user's data when they change the id number. 

I am using the scripts from this book. Maybe I missed something. 

I am using sessions properly as far as I can tell. 

I really would need some help with this.

please give an example of secure code to use.

thank you

[Jaepee]

Hi Grahamgr3, do you have any code that we could see to help you identify your issue? Maybe you could add an if statment in the session code.  Verify that the user can only see his page.

if ($_SESSION['user_id'] != $_GET['id']){

    // redirect user to auth page

}

[grahamgr3]

I am using the code from the book.

if (isset($_GET['id']) && is_numeric($_GET['id']){

$id = $_GET['id'];

} elseif (isset($_POST['id']) && is_numeric($_POST['id'])) {

$id = $_POST['id'];

} else {

echo '<p class="error">This page has been accessed in error.</p>';

include ('includes/footer.html');

exit();

}

 

the solution you gave above is great for pages where the id value is a $_SESSION variable. But what about when the id value is something else not stored in a session variable. What I am really looking for I guess is a way to hide the id value or hash it. I have searched everywhere online and can't find a way to make it work. I am just a beginner. Can you give me an example code that uses the code above if possible. That way users won't be able to tell what the id is in the url.

[Jaepee]

Try this, make a random string, then assign it to the user.

<?php

function random_str() { // all this returns is a random string!!!
		// get all the characters into an array
	$randomStr = str_split('abcdeghjkmnpqrstvwxyzABCDEFGHJKMNPQRSTVWXYZ23546789'); // splits all the characters into an array()
    shuffle($randomStr); // randomize the array()
	$randomStr = array_slice($randomStr, 0, 4); // get the first 4 (random) characters out
	$base = implode('', $randomStr); // smush them back into a string	
			
			return $base; // we have our new random string
} // end random function

// then call the function 
echo random_str();

I tested it and it works. You can adjust the number of characters from 4 to however long you would like your string.

[grahamgr3]

Hi

That is not what I am looking for exactly. But thanks for creating that. 

I will do my best to clearly tell you what I want to do. 

I have my link that people click on which is <a href="edit_images.php?id=' .$row['article_id'] . '">Edit Images</a>

The article_id is not a session variable. 

How can I make it so that when people see the address in the address bar they can't change the number 4 to something else in the link edit_images.php?id=4

Because if they do right now on my site, they can view other people's data from their accounts. 

I think Larry taught this in the book, I looked through the book but I can't find it. 

Right now my site is terribly insecure. I think the best thing would be to hash the id number maybe with md5. Unless there is a much simpler way to protect against this security flaw. 

 

I tried using the following <a href="edit_images.php?id=' .(md5($row['article_id'])) . '">

 

That does give a hashed id number. But now since the id number is different than the original, my page doesn't work anymore like it should, it gives an error because the id number is now incorrect. 

How can I make the page recognize that the id number is the same just hashed. 

 

Would i edit the following code in some way to make it recognize the id number as valid.

if (isset($_GET['id']) && is_numeric($_GET['id']){

$id = $_GET['id'];

} elseif (isset($_POST['id']) && is_numeric($_POST['id'])) {

$id = $_POST['id'];

} else {

echo '<p class="error">This page has been accessed in error.</p>';

include ('includes/footer.html');

exit();

}

[Larry]

A simple md5() hash won't make this that much secure, because it'd be pretty easy to deduce that it is an md5() hash, and all you'd have to do is swap out the md5() hash of, say, 5, for the md5() hash of another number. 

 

Jaepee is on the right path, however. You create  random string (I'd use http://php.net/manual/en/function.openssl-random-pseudo-bytes.php, however) and store it in the database, associated with your whatever (user, image). Then you change your code to confirm that ID is set and has a length that matches whatever you use (16 or 32 characters). 

 

However, I would also implement a variation on Jaepee's earlier suggestion, and make sure that only the owner of the resource gets presented with the edit button and can actually edit it. Presumably you'd store the user's ID in a session upon login, and you can confirm that the user's ID in the session matches the owner's ID of the resource.