[FX.php List] Disallowing access thru modifying url?

DC dan.cynosure at dbmscan.com
Wed Apr 26 09:52:10 MDT 2006 

As Kevin said, putting your parameters in hidden fields in a FORM just 
hides the data a little better and prevents casual poking around. But, 
anyone with a little skill with the curl utility could send their own 
POST requests.

You could generate/calculate random words that get put in a field right 
alongside your record. Then, when you generate the GET param just use 
the word instead of the serial number. That would make it less likely 
that someone would guess the proper data to change it to.

Or, how about obscuring the parameter value in the link you generate 
with PHP. With more powerful encryption the links can get ugly but they 
are secure.

One user comment on the PHP manual page for the crypt() function shows 
code that allows you to implement a shared key encrypt/decrypt algorithm.

http://us3.php.net/manual/en/function.crypt.php

That is pretty good security for just protecting GET param 
manipulations. strongly encoded links will make it pretty much 
impossible for the user to guess or hack.

if you don't need a full shared key model for your system you could just 
jimmy up a simple encoder yourself. take a look at base64_encode() and 
base64_decode() functions - that will output a pattern of ascii values 
that is pretty easy for the trained eye to spot (the encoded strings 
typically end in an equals sign). But, as with the hidden field, it will 
foil most casual snoopers because it puts the actual data out of direct 
view.

this command shows you sample base64_encode() output in the commandline 
php (in macosx terminal.app not sure if this works in windows CLI php):

php -r 'echo base64_encode("1234") . "\n";'

Add another symmetrical encoding before or after base64 if you want more 
obscurity. i've encoded the next paragraph in one of the most common 
symmetrical algorithms. See if you can decode it: (hint - use only a 
single php function and it doesn't deal with numbers or punctuation)

Jung unf orra uvqqra ol fabj vf erirnyrq ol n gunj.

you could also use the security model in FMP7/8 which allows record 
level access control - which, i believe, protects even records returned 
by a relationship/portal.

hope that helps.
dan

Joel Shapiro had written:
> Hi all
> 
> What ways are there to limit record access to *only* clicked-on links?
> 
> When I get a list of records, clicking on any one of them links to  
> their respective url, e.g.:
> http://127.0.0.1/page.php?recid=1234
> 
> I do not want someone to be able to edit the url in their browser to  
> view recid=6789
> (I do open in a new browser window without the Address Bar, but  
> certainly someone could get around that)
> 
> I had been using a simple IF clause at the top of page.php to ensure  
> that the record's Parent_ID field match a previously set Session  
> variable, but now I need to allow the viewing of other records  (related 
> further down the pipe) and such an IF clause is no longer so  simple.
> 
> The recent thread betwen Dan and Kevin on using forms with hidden  
> inputs and javascript seems like one option:
> <FORM NAME="sub" METHOD="POST" ACTION="file1.php">
> <input type="hidden" id="data" name="data" value="mydata">
> </FORM>
> <a href="file2.php"
> ONCLICK="document.sub.submit(); return false;"
> target="_blank">LINK TEXT HERE</a>
> 
> 
> What other options are there?
> 
> TIA,
> -Joel
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>

More information about the FX.php_List mailing list