0

Hey everyone,

I'm using sessions in my application, which retrieves the questions and answers asked by users. The tricky part here is how to allow users to edit and delete their own posts.

As far as that is concerned, I have got this idea down. If a session is registered, then show users the edit and delete control buttons. But this means that they can delete and edit other people's posts as well, which I'm trying to prevent.

4 Contributors, 16 Replies, 17 Views, 5 Years Discussion Span, Last Post by broj1

2

Each post has to be associated with the user ID (the ID of the user that authored it). I presume the user ID is also stored in the session. So when you display posts you check each post to see whom it belongs to, and if it belongs to the currently logged-in user you also display the delete button.

0

This is probably obvious, but I'll say it just to make sure.

Don't just display edit and delete buttons if the user id against the post matches the currently logged in user.

When a user clicks the edit or delete option, you need to make sure that the request is coming from the authenticated and owning user too. Otherwise, they could just directly access the link.

0

That didn't work for me. I tried checking if the username in the session is equal to the name in the database table; if so, they get the edit/delete buttons.

// isset() returns a boolean, so $user_session holds true/false here, not the username
if ($user_session = isset($_SESSION['username'])) {
    if ($post['username'] == $user_session) {
        echo "<a href='delete.php?id=" . $post['id'] . "'> Delete</a>";
        echo "<a href='edit.php?id="   . $post['id'] . "'>  Edit</a>";
    }
}

That didn't work for me. Any idea why?

1

The isset() function is used to check whether a variable, or in this case the username index of the $_SESSION array, is set. It only returns true or false, which is why your comparison on line #2 is failing.

To fix the issue, you could use:

// If user is logged in and username matches post username
if(isset($_SESSION['username']) && $_SESSION['username'] == $post['username']) {
    echo "<a href='delete.php?id={$post['id']}'>Delete</a>";
    echo "<a href='edit.php?id={$post['id']}'>Edit</a>";
}

2

A suggestion regarding security: for operations that modify database rows (e.g. delete) it is a bit safer to use POST method instead of encoding IDs in the query string. The user could change the id of the records easily to delete other records.

if (isset($_SESSION['username']) && $_SESSION['username'] == $post['username']) {
    echo "<form method='post' action='delete.php'>";
    // the post ID travels as the name of the submit button, so delete.php reads it from the POST keys
    echo "<input type='submit' name='{$post['id']}' value='Delete' />";
    echo "</form>";
    ...
}

Mind you, POST data can be easily forged, too, so it is important to check for the username also in the delete.php and edit.php scripts and employ other security measures.

Votes + Comments
deserve a one, bro
0

Woot woot. That is ridiculous. Am I missing that simple logic? LOL at myself. BTW, I don't see so much difference between what I have done and what you've tweaked up there.

They sound pretty much the same. In my solution, if the user is set then do a little more checking to see if the username is equal to the username in the database.

1

You were checking if the username was equal to the boolean returned by isset(), not the username stored in the session. Your logic was just a little out.

0

You were checking if the username was equal to the boolean returned by isset(),

No way. This can't be true. Well, actually I was echoing a variable that was supposed to store the username value. But, it was giving 1 instead of the name of the user logged in.

0

@broj1.. Thanks for the suggestion. Tell me more about the security side. More on how to secure the app. Or even referring me to websites that you think useful..

0

Web app security is a broad subject. In your case you want to prevent a logged-in user from deleting records that do not belong to them. Or maybe an unauthorised user finding a URL like delete.php?id=3 in the browser history and changing IDs by hand or programmatically to delete all your records. You avoid that by using the POST method (to some extent) and by checking for a valid session and user credentials in delete.php. But that is basic stuff.

You might want to google for SQL injection and XSS (cross-site scripting), which are two of the most common attacks, and still apparently up to 80% of sites could be vulnerable to them (I can't remember the source of this information).

Do not expect to understand everything immediately since it is a lot of information to digest. But avoiding those common attacks is not hard if you follow good practices:

  • validate, filter and escape the input data that goes to the database (i.e. from forms or cookies) using PHP or custom functions (trim, PHP filter functions, mysql_real_escape_string function)
  • validate, filter and escape the data that goes back into the HTML context using PHP or custom functions (trim, PHP filter functions, htmlspecialchars and strip_tags functions).

Links:
http://en.wikipedia.org/wiki/SQL_injection
http://en.wikipedia.org/wiki/Cross-site_scripting
http://php.net/manual/en/book.filter.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.strip-tags.php

A lot of reading for this weekend :-)
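The following is an added example, not code from the thread, that puts broj1's two suggestions together: the Delete button is rendered only for the owner, the delete is sent by POST, and delete.php re-checks the session and ownership before touching the database. It goes beyond the thread in three ways, each my own choice rather than something the posts prescribe: posts are matched on a numeric user_id instead of the username, a per-session CSRF token is checked so that a form forged on another site is rejected, and the database access uses PDO prepared statements instead of manual escaping (output still goes through htmlspecialchars). The table layout posts(id, user_id, body), the sample rows and the in-memory SQLite database are constructed here so the file runs stand-alone with `php`.

```php
<?php
// Added example (not from the thread). Assumed schema: posts(id, user_id, body).
// Uses an in-memory SQLite database via PDO so it can run stand-alone with `php this_file.php`.
declare(strict_types=1);

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
    // Constructed sample rows: user 1 owns post 1, user 2 owns post 2 (with an XSS payload as body).
    $db->exec("INSERT INTO posts (id, user_id, body) VALUES (1, 1, 'hello'), (2, 2, '<script>alert(1)</script>')");
    return $db;
}

// One random token per session; embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Rendering side: the Delete form is shown only to the owner. This is convenience, not security.
function render_post(array $post): string {
    $html = '<p>' . htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8') . '</p>';
    if (isset($_SESSION['user_id']) && (int)$_SESSION['user_id'] === (int)$post['user_id']) {
        $html .= '<form method="post" action="delete.php">'
               . '<input type="hidden" name="id" value="' . (int)$post['id'] . '">'
               . '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
               . '<input type="submit" value="Delete">'
               . '</form>';
    }
    return $html;
}

// delete.php side: the check that actually matters. Returns true only if a row owned by the
// session user was deleted; $post_data stands in for $_POST.
function handle_delete(PDO $db, array $post_data): bool {
    if (!isset($_SESSION['user_id'])) {
        return false;                                   // not logged in
    }
    if (!isset($post_data['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string)$post_data['csrf'])) {
        return false;                                   // token missing or forged
    }
    $id = filter_var($post_data['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                                   // tampered or missing id
    }
    // Ownership is enforced inside the query, so an id belonging to someone else deletes nothing.
    $stmt = $db->prepare('DELETE FROM posts WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => (int)$_SESSION['user_id']]);
    return $stmt->rowCount() === 1;
}

// Stand-alone demo. In a real app $_SESSION is filled by session_start() after login.
$db = setup_db();
$_SESSION = ['user_id' => 1];
$token = csrf_token();
echo render_post(['id' => 2, 'user_id' => 2, 'body' => '<script>alert(1)</script>']), PHP_EOL; // escaped, no form
var_dump(handle_delete($db, ['id' => '2', 'csrf' => $token]));  // bool(false): post 2 is not ours
var_dump(handle_delete($db, ['id' => '1', 'csrf' => 'bogus']));  // bool(false): forged token
var_dump(handle_delete($db, ['id' => '1', 'csrf' => $token]));  // bool(true)
```

The point of the `AND user_id = :uid` clause is that the authorization decision and the write are one statement; there is no window in which a separate SELECT-then-DELETE could be bypassed, and a tampered id simply matches zero rows, which the caller can report as "not found" without leaking whether the post exists.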

0

maybe unauthorised user finding an url like delete.php?id=3 in the browser history and changing IDs by hand or programatically

How could they do that? They don't have access to my files on the server. I guess if they try accessing delete.php?id=3, they will be rejected because a session is not set, which means they need to log in.

@iamthwee... PHPacademy is my favourite youtube channel.

0

They couldn't if things are done properly. But if you forgot to end the session or to employ some session timeout and things like that, a user of your application could leave the computer unlocked, or users might access your app from a public computer (i.e. a cyber cafe) and leave it before logging out. It is quite unlikely that this would happen, but your task is to make sure your application is as secure as possible.
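As an added example of the session hygiene broj1 mentions (not code from the thread), the helpers below drop a login after a period of inactivity, issue a fresh session ID at login, and clear the cookie as well as the server-side data at logout. The idle limit, the `last_seen` key and the cookie flags are my assumptions; the demo at the bottom drives the functions with a fake clock so the file runs from the command line without a browser.

```php
<?php
// Added example (not from the thread): idle timeout, login and logout for a PHP session.
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60;   // assumed: seconds of inactivity before the login is dropped

// For web requests: start the session with hardened cookie settings (PHP 7.3+ option names).
// Not called in the CLI demo below.
function start_secure_session(): void {
    session_start([
        'use_strict_mode' => true,   // reject session IDs the server never issued
        'cookie_httponly' => true,   // not readable from JavaScript
        'cookie_secure'   => true,   // assumes the site is served over HTTPS
        'cookie_samesite' => 'Lax',
    ]);
}

// Call at the top of every page that needs a logged-in user. Returns the user id or null.
function require_login(int $now): ?int {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (isset($_SESSION['last_seen']) && $now - (int)$_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();                    // a login left behind on a shared machine expires on its own
        return null;
    }
    $_SESSION['last_seen'] = $now;
    return (int)$_SESSION['user_id'];
}

// Call after a successful password check: a new session ID so a pre-login ID cannot be reused.
function login(int $user_id, int $now): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION = ['user_id' => $user_id, 'last_seen' => $now];
}

// Clear server-side data and, when running under a web server, expire the cookie too.
function logout(): void {
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// CLI demo with a fake clock (seconds).
login(1, 1000);
var_dump(require_login(1060));                    // int(1): still active, last_seen becomes 1060
var_dump(require_login(1060 + IDLE_LIMIT + 1));   // NULL: idle too long, session cleared
var_dump(require_login(1060 + IDLE_LIMIT + 2));   // NULL: stays logged out
```

In a real page the sequence is start_secure_session(), then require_login(time()); the explicit logout link calls logout(), and the idle check covers the case where the user never clicks it.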
