
Right now my PHP script is vulnerable to anyone putting a random member_id into the URL and having it execute successfully.


How can I encrypt the id="id#" in the URL, so a guest is unable to type in their own id in the posted id retrieved through the URL?

echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";

<?php


function html_encode($var)
{
	return htmlentities($var, ENT_QUOTES, 'UTF-8') ;
}
	require_once('auth.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
        <head>  
                <title>My interns</title>
                <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
        </head>
        <body>
                
             <h1> My Interns</h1>
                
                <p><b>View All</b> | <a href="../Copy/view-paginated.php">View Paginated</a></p>
                
                <?php
                        // connect to the database
                        include('../Copy/connect-db.php');
                        // escape the session value before placing it in the query string
                        $var_id = $mysqli->real_escape_string($_SESSION['SESS_LOGIN']);
				
                        // get the records from the database
                        if ($result = $mysqli->query("SELECT * FROM `members`.`players` WHERE login='$var_id' "))
              
					 
					    {
                                // display records if there are records to display
                                if ($result->num_rows > 0)
                                {
                                        // display records in a table
                                        echo "<table border='1' cellpadding='10'>";
                                        
                                        // set table headers
                                        echo "<tr><th>ID</th><th>Name</th><th>Description</th><th>Qualifications</th><th>login</th><th>hours</th><th>days required to work</th><th>pay</th><th>duties</th></tr>";
                                     


                                        while ($row = $result->fetch_object())
                                        {
                                                // set up a row for each record
                                                echo "<tr>";
                                                // HTML-encode every database value before output
                                                echo "<td>" . html_encode($row->member_id) . "</td>";
                                                echo "<td>" . html_encode($row->name) . "</td>";
                                                echo "<td>" . html_encode($row->description) . "</td>";
                                                echo "<td>" . html_encode($row->qualifications) . "</td>";
                                                echo "<td>" . html_encode($row->login) . "</td>";
                                                echo "<td>" . html_encode($row->hours) . "</td>";
                                                echo "<td>" . html_encode($row->daysoftheweek) . "</td>";
                                                echo "<td>" . html_encode($row->pay) . "</td>";
                                                echo "<td>" . html_encode($row->duties) . "</td>";
                                                echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";
                                                echo "<td><a href='delete.php?member_id=" . $row->id . "'>Delete</a></td>";
                                                echo "</tr>";
                                        }
                                        
                                        echo "</table>";
                                }
                                // if there are no records in the database, display an alert message
                                else
                                {
                                        echo "No results to display!";
                                }
                        }
                        // show an error if there is an issue with the database query
                        else
                        {
                                echo "Error: " . $mysqli->error;
                        }
                        
                        // close database connection
                        $mysqli->close();
                
                ?>
                
                <a href="../Copy/records.php">Add New Record</a>
        </body>
</html>

There are many ways, but why not keep the user id in the session after login and check its existence and value when a person enters this page with id as a URL variable?


The "id" column is not a unique table, nor is it in the same table as the members.

I would use that approach, but my next code parses it through the URL from the next script. Keeping it as a session would still display it through the URL, wouldn't it?

Any suggestions? A modification would be nice.

<?php
	
	



        // connect to the database
        include("connect-db.php");

        // creates the new/edit record form
        // since this form is used multiple times in this file, I have made it a function that is easily reusable
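        // $error is the last parameter because every caller that reports an error passes it after $id
        function renderForm($name = '', $description = '', $qualifications = '', $login = '', $hours = '', $daysoftheweek = '', $pay = '', $duties = '', $id = '', $error = '')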
        { ?>
                <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
                        <head>  
                                <title>
                                        <?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?>
                                </title>
                                <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
                        </head>
                        <body>
                                <h1><?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?></h1>
                                <?php if ($error != '') {
                                        echo "<div style='padding:4px; border:1px solid red; color:red'>" . $error
                                                . "</div>";
                                } ?>
                                
                                <form action="" method="post">
                                <div>
                                        <?php if ($id != '') { ?>
                                                <input type="hidden" name="id" value="<?php echo $id; ?>" />
                                                <p>ID: <?php echo $id; ?></p>
                                        <?php } ?>
                                        
                                        <strong>Name: *</strong> <input type="text" name="name"
                                                value="<?php echo $name; ?>"/><br/>
                                        <strong>description: *</strong> <input type="text" name="description"
                                                value="<?php echo $description; ?>"/><br/>
                                                 <strong>qualifications: *</strong> <input type="text" name="qualifications"
                                                value="<?php echo $qualifications; ?>"/><br/>
                                                <strong>login: *</strong> <input type="hidden" name="login"
                                                value="<?php echo $login; ?>"/><br/>
                                                 <strong>hours: *</strong> <input type="text" name="hours"
                                                value="<?php echo $hours; ?>"/><br/>
                                                <strong>days required to work: *</strong> <input type="text" name="daysoftheweek"
                                                value="<?php echo $daysoftheweek; ?>"/><br/>
                                                 <strong>pay: *</strong> <input type="text" name="pay"
                                                value="<?php echo $pay; ?>"/><br/>
                                                 <strong>duties: *</strong> <input type="text" name="duties"
                                                value="<?php echo $duties; ?>"/><br/>
                                  <input type="submit" name="submit" value="Submit" />
                                </div>
                                </form>
</body>
                </html>
                
        <?php }



        /*

           EDIT RECORD

        */
        // if the 'id' variable is set in the URL, we know that we need to edit a record
        if (isset($_GET['id']))
        {
                // if the form's submit button is clicked, we need to process the form
                if (isset($_POST['submit']))
                {
                        // make sure the 'id' in the URL is valid
                        if (is_numeric($_POST['id']))
                        {
                                // get variables from the URL/form
                                $id = $_POST['id'];
                                $name = htmlentities($_POST['name'], ENT_QUOTES);
                                $description = htmlentities($_POST['description'], ENT_QUOTES);
								$qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
								$login = htmlentities($_POST['login'], ENT_QUOTES);
								$hours = htmlentities($_POST['hours'], ENT_QUOTES);
								$daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
								$pay = htmlentities($_POST['pay'], ENT_QUOTES);
								$duties = htmlentities($_POST['duties'], ENT_QUOTES);
                                
                                // check that none of the required fields are empty
                                if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == ''  )
                                {
                                        // if they are empty, show an error message and display the form
                                        $error = 'ERROR: Please fill in all required fields!';
                                        renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay,$duties ,  $id, $error);
                                }
                                else
                                {
                                        // if everything is fine, update the record in the database
                                        if ($stmt = $mysqli->prepare("UPDATE players SET name = ?, description = ?, qualifications= ?, login =?, hours =?, daysoftheweek =?, pay =?, duties =?
                                                 WHERE id=? "))
                                        {
										
                                                $stmt->bind_param("ssssssssi", $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties ,  $id);
                                                $stmt->execute();
                                                $stmt->close();
                                        }
                                        // show an error message if the query has an error
                                        else
                                        {
                                                echo "ERROR: could not prepare SQL statement.";
                                        }
                                        
                                        // redirect the user once the form is updated
                                        header("Location: viewworking.php");
                                }
                        }
                        // if the 'id' variable is not valid, show an error message
                        else
                        {
                                echo "Error!";
                        }
                }
                // if the form hasn't been submitted yet, get the info from the database and show the form
                else
                {
                        // make sure the 'id' value is valid
                        if (is_numeric($_GET['id']) && $_GET['id'] > 0)
                        {
                                // get 'id' from URL
                                $id = $_GET['id'];
                                
                                // get the record from the database
                                if($stmt = $mysqli->prepare("SELECT * FROM players WHERE id=?"))
                                {
                                        $stmt->bind_param("i", $id);
                                        $stmt->execute();
                                        
                                        $stmt->bind_result($id,  $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties );
                                        $stmt->fetch();
                                        
                                        // show the form
                                        renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties ,  $id);
                                        
                                        $stmt->close();
                                }
                                // show an error if the query has an error
                                else
                                {
                                        echo "Error: could not prepare SQL statement";
                                }
                        }
                        // if the 'id' value is not valid, redirect the user back to the view.php page
                       else
                        {
                                header("Location: view.php");
                        }
                }
        }


        /*

           NEW RECORD

        */
        // if the 'id' variable is not set in the URL, we must be creating a new record
        else
        {
                // if the form's submit button is clicked, we need to process the form
                if (isset($_POST['submit']))
                {
                        // get the form data
                        // a new record has no id yet; the form only posts one when editing
                        $id = '';
                        $name = htmlentities($_POST['name'], ENT_QUOTES);
                        $description = htmlentities($_POST['description'], ENT_QUOTES);
                        $qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
                        $login = htmlentities($_POST['login'], ENT_QUOTES);
                        $hours = htmlentities($_POST['hours'], ENT_QUOTES);
                        $daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
                        $pay = htmlentities($_POST['pay'], ENT_QUOTES);
                        $duties = htmlentities($_POST['duties'], ENT_QUOTES);
                        // check that none of the required fields are empty
                        if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == '' )
                        {
                                // if they are empty, show an error message and display the form
                                $error = 'ERROR: Please fill in all required fields!';
                                renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay,$duties ,  $id, $error);
                        }
                        else
                        {
                                // insert the new record into the database
                                if ($stmt = $mysqli->prepare("INSERT INTO players (name, description, qualifications, login, hours, daysoftheweek, pay, duties) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"))
                                {
                                        $stmt->bind_param("ssssssss", $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties);
                                        $stmt->execute();
                                        $stmt->close();
                                }
                                // show an error if the query has an error
                                else
                                {
                                        echo "ERROR: Could not prepare SQL statement.";
                                }
                                
                                // redirect the user
                               header("location: access-denied.php");
                        }
                        
                }
                // if the form hasn't been submitted yet, show the form
                else
                {
                        renderForm();
                }
        }
        
        // close the mysqli connection
        $mysqli->close();
?>

Edited by waveydaveywaves: n/a
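
The session check suggested in the reply above, as an added example that is not part of the thread: the id stays in the URL, but both the SELECT and the UPDATE are scoped to the logged-in user, so an id belonging to someone else matches no row. Assumptions: PDO with an in-memory SQLite table stands in for the thread's mysqli/MySQL connection so the block runs offline, the table is reduced to four columns, and `loadOwnedPlayer` / `updateOwnedPlayer` are hypothetical names.

```php
<?php
// Added example, not the poster's code. PDO + in-memory SQLite is used so it
// runs offline; the thread's scripts use mysqli against MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE players (id INTEGER PRIMARY KEY, login TEXT, name TEXT, pay TEXT)");
// Constructed sample rows: two logins, each owning one record.
$db->exec("INSERT INTO players (id, login, name, pay) VALUES
           (1, 'alice', 'Intern A', '10'), (2, 'bob', 'Intern B', '12')");

// Fetch a record only if it belongs to the logged-in user.
function loadOwnedPlayer(PDO $db, $id, string $sessionLogin): ?array
{
    if (!ctype_digit((string) $id)) {
        return null;                        // reject non-integer ids early
    }
    $stmt = $db->prepare("SELECT id, name, pay FROM players WHERE id = ? AND login = ?");
    $stmt->execute([(int) $id, $sessionLogin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;    // null: no such record, or not owned
}

// Update scoped the same way; the owner comes from the session,
// never from a hidden form field such as the posted "login".
function updateOwnedPlayer(PDO $db, $id, string $sessionLogin, string $name, string $pay): bool
{
    if (!ctype_digit((string) $id)) {
        return false;
    }
    $stmt = $db->prepare("UPDATE players SET name = ?, pay = ? WHERE id = ? AND login = ?");
    $stmt->execute([$name, $pay, (int) $id, $sessionLogin]);
    return $stmt->rowCount() === 1;         // 0 rows: record missing or not owned
}

// Stand-in for $_SESSION['SESS_LOGIN'] as set after login.
$sessionLogin = 'alice';

var_dump(loadOwnedPlayer($db, '1', $sessionLogin) !== null);      // the user's own record
var_dump(loadOwnedPlayer($db, '2', $sessionLogin));               // another user's id typed into the URL
var_dump(updateOwnedPlayer($db, '2', $sessionLogin, 'x', '0'));   // tampered id in the POST body
var_dump(updateOwnedPlayer($db, '1', $sessionLogin, 'Intern A', '11'));
```

With mysqli on MySQL, `affected_rows` reports 0 when the submitted values equal the stored ones, so run the owner-scoped SELECT first to decide whether access is allowed rather than relying on the UPDATE's row count.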
