[FX.php List] How to avoid URL counterfeiting

William Downs william.downs at gmail.com
Fri Jun 29 02:06:44 MDT 2007


Hi guys -

my word - a simple question getting such a breadth of knowledge in return :-)
I worked round it in a slightly different way -

Upon loading the page, I check to see if the salesID is set from _POST
- if so, I then set the _SESSION variable.

  session_start();                  // must run before $_SESSION is read or written
  if (isset($_POST['salesID'])) {
      // salesID arrived via POST: record it in the session
      $salesID = $_POST['salesID'];
      $_SESSION['salesID'] = $salesID;
  } else {
      // otherwise take it from the request (GET or POST), if present at all
      $salesID = isset($_REQUEST['salesID']) ? $_REQUEST['salesID'] : null;
  }

Then I do this
/* URL counterfeiting block start */
    if (isset($_REQUEST['salesID'])) {
        // compare as strings: PHP's loose != treats "10" and "1e1" as equal
        if ((string) $_REQUEST['salesID'] !== (string) $_SESSION['salesID']) {
            // something wrong here: the URL value does not match the session
            include 'ngsWarnLogin.php';
            exit;
        }
    }
/* URL counterfeiting block end */

I also do a check after running the FX find instance -
    $foundCount = $ContactDetailResult['foundCount'];
    if ($foundCount != 1) {
        include 'ngsWarnLogin.php';
        exit;
    }

The only way the user would get a found count not being equal to 1 was
if they messed around with the URL, as the solution is driven by
buttons.

Thanks for all the help though - if anyone sees a problem with what I
have done - please let me know

William


On 6/28/07, Gjermund Gusland Thorsen <ggt667 at gmail.com> wrote:
> Never use md5() use sha1() instead.
>
> ggt667
>
> On 6/28/07, William Downs <william.downs at gmail.com> wrote:
> > Thanks guys for all the suggestions - and thanks Joel for the thread -
> >
> > These values will vary throughout a user's session - as a Sales
> > person, I have perhaps 10 contacts - I can view only these, as a
> > manager I have 5 salespersons, I may view all of their contacts, but
> > not those  from another sales team (centre) --
> >
> > I will have a look all the same at using a comparison in the session -
> > I can re - set a session value when I land on the page.
> >
> > Will get back to you tomorrow
> >
> > William
> >
> > On 6/28/07, Joel Shapiro <jsfmp at earthlink.net> wrote:
> > > Hi William
> > >
> > > Are the salesId and/or conID going to be unique per session, after
> > > login perhaps?  If so, then you should be able to set them as session
> > > variables (as you suggest) and leave them out of the URL altogether.
> > > Your called page (filename.php) could then just use the session
> > > variables in place of $_GET['salesId'] and/or $_GET['conID'].
> > >
> > > Or are these values going to vary throughout a user's session?
> > >
> > > Since you like looking at the archives... there was a thread I had
> > > started on April 24, 2006 entitled "Disallowing access thru modifying
> > > url?" that had some great responses.  (That was way early in my PHP
> > > life... I didn't even know what the term GET meant -- yoiks! :)
> > >
> > > -Joel
> > >
> > >
> > > On Jun 28, 2007, at 4:54 AM, William Downs wrote:
> > >
> > > > Hi guys -
> > > >
> > > > excellent breadth of knowledge here I have to say! - but a lot of
> > > > archive material to get through!
> > > >
> > > > I am forced sometimes to use header : Location:
> > > > filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> > > > (or a malicious one) may of course swap out the ids - what's the best
> > > > method of not allowing this to happen ? - I will log them out of
> > > > course if they try this :-)
> > > >
> > > > I am thinking about setting session variables and comparing them to
> > > > the request variables, but is that the correct method?
> > > >
> > > > William
> > > > --
> > > > To see victory only when it is within the ken of the common herd is
> > > > not the acme of excellence.
> > > > _______________________________________________
> > > > FX.php_List mailing list
> > > > FX.php_List at mail.iviking.org
> > > > http://www.iviking.org/mailman/listinfo/fx.php_list
> > >
> >
> >
> > --
> > William Downs
> > Development and Support
> > BD Databases Ltd


-- 
William Downs
Development and Support
BD Databases Ltd
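The following is an added example for this thread, not code from William's message or from FX.php. It shows the session-versus-request comparison discussed above written as a function, with one caveat a reviewer would raise about the posted code: the first block in William's message writes $_SESSION['salesID'] from the POST parameter itself, so a client that submits its own salesID would pass the later comparison. The example instead assumes $_SESSION['salesID'] was set once at login from the authenticated user's record and is never taken from a request. The function names checkSalesRequest and foundCountIsSane, the verdict strings, and the sample session and request arrays are all constructed for illustration.

```php
<?php
// Added example (not from the list thread): session-anchored check of a
// salesID that also travels in the URL, plus the found-count sanity check.
//
// Assumption: $_SESSION['salesID'] is set at login from the user's own
// record, never from GET/POST. The request value is then only ever compared
// against it, so editing the URL cannot change what the server trusts.

declare(strict_types=1);

/**
 * Decide whether a request may proceed (hypothetical helper).
 * $session - the server-side session array, the source of truth
 * $request - the GET/POST parameters supplied by the client
 * Returns 'ok', 'not-logged-in', 'bad-format' or 'mismatch'.
 */
function checkSalesRequest(array $session, array $request): string
{
    // No authenticated identity in the session: nothing to compare against.
    if (!isset($session['salesID'])) {
        return 'not-logged-in';
    }

    // The pages are button driven, so a salesID is always sent; a missing
    // one is treated exactly like a wrong one.
    if (!isset($request['salesID'])) {
        return 'mismatch';
    }

    // Accept only a plain digit string. This rejects values such as "42.0",
    // "1e1" or " 42" before any comparison or FX find query sees them.
    if (!preg_match('/^[0-9]{1,10}$/', (string) $request['salesID'])) {
        return 'bad-format';
    }

    // Strict string comparison: under PHP's loose == "10" and "1e1" are equal,
    // so a loose check could be satisfied by a value that is not the real ID.
    if ((string) $request['salesID'] !== (string) $session['salesID']) {
        return 'mismatch';
    }

    return 'ok';
}

/**
 * Second layer, applied to the FX result (hypothetical helper): the contact
 * find is scoped by the session's salesID, so exactly one record is expected.
 * Zero means the contact is not this salesperson's; more than one means the
 * find was broader than intended. Either case is refused.
 */
function foundCountIsSane(array $fxResult): bool
{
    return isset($fxResult['foundCount']) && (int) $fxResult['foundCount'] === 1;
}

// Constructed sample data standing in for a real session and real requests.
$session = ['salesID' => '42'];

$cases = [
    'legitimate button click' => ['salesID' => '42'],
    'edited URL'              => ['salesID' => '43'],
    'loose-equality trick'    => ['salesID' => '42.0'],
    'parameter removed'       => [],
];

foreach ($cases as $label => $request) {
    $verdict = checkSalesRequest($session, $request);
    if ($verdict === 'ok') {
        // Here the real page would run the FX find using $session['salesID']
        // (not the request value) and then apply foundCountIsSane().
        echo "$label: allowed\n";
    } else {
        // Here the real page would include 'ngsWarnLogin.php' and exit.
        echo "$label: refused ($verdict)\n";
    }
}

// Constructed FX-style results for the second check.
var_dump(foundCountIsSane(['foundCount' => 1]));
var_dump(foundCountIsSane(['foundCount' => 0]));
```

Run it with `php` from the command line; only the first case is allowed, the others are refused with the reason shown. The design point is that the request parameter never becomes the value the server acts on: the session value drives the FX find, and the request value is only checked for agreement, so the found-count test becomes a second, independent line of defence rather than the only one.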

