How to increase the security of using the $_GET[ ]? Since it is easily discovered by the visitor and change the path and the edit the information?
/albums.php?albums=1
/albums.php?albums=2
cliffcc
0
Junior Poster
Recommended Answers
Jump to PostYou cannot increase the security of $_GET. You need the ID of the album in order to display that album, there is no way around that.
If you want to limit accessed based on user/role/group however, you can do that.
If you want to make sure there is no …
Jump to PostConsidering you use login system for your users, and they have roles and groups, you can limit the access to the content by defining who have permission to view it, and when someone tries to view it compare his role/group to the permitted roles/groups.
If he have permission, show the …
All 6 Replies
digital-ether
399
Nearly a Posting Virtuoso
Team Colleague
You cannot increase the security of $_GET. You need the ID of the album in order to display that album, there is no way around that.
If you want to limit accessed based on user/role/group however, you can do that.
If you want to make sure there is no SQL injection you can do that.
Which are you after?
cliffcc
0
Junior Poster
If i want to limit accessed based on user/role/group! What is your suggestion? Thanks!
yoni0505
Considering you use login system for your users, and they have roles and groups, you can limit the access to the content by defining who have permission to view it, and when someone tries to view it compare his role/group to the permitted roles/groups.
If he have permission, show the content.
If he don't, show something else like message that says that he is not allowed to view the content.
pbcomput
9
Junior Poster in Training
Hi,
With the permission access based on user/role/group you can also use rewrite url by using .htaccess
just give album name into the url instead of id of the album and as far as I think no one can guess the particular album name. so your album can be secure.
hope my suggestion helps. :)
minitauros
151
Junior Poster
Featured Poster
For security you should at least do both: create a .htacces file AND check if the user visiting the page is allowed to perform the actions he is about to perform (by, for example, matching his user rank - which was set when he logged in - against the user rank that is required to perform the action).
diafol
if user logged in she'll have an 'id' and 'level' in session vars. Just check against these. Redirect away from the page if 'level' isn't high enough.
Using get and post - just as vulnerable as each other. They can't be trusted, so you should always treat them as if they're suspect.
Another method I've used on occasion, is to use a confirmation hash.
?id=3&action=delete&conf=kjbY8237nm37q9n7yebksCgHY3r7ha71A simple method would be to:
$conf = md5($salt1 . $action . $id . $salt2); //or use sha / whirlpool etc.Then on page load:
$salt1 = ...;
$salt2 = ...;
if($_GET['conf'] != md5($salt1 . $_GET['action'] . $_GET['id'] . $salt2)){
header(...redirect...);
}You can combine this with a $_SESSION check.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.