[FX.php List] Disallowing access thru modifying url?

Joel Shapiro jsfmp at earthlink.net
Wed Apr 26 11:25:10 MDT 2006


Thanks so much Kevin, Hal, Derrick & Dan for your great responses.

Derrick's and Dan's suggestions sound quickest to implement, so I'll  
try them both out (and will report back with any discoveries &/or  
difficulties ;)

A terminology question, though:
You all mention using GET requests (or "params" [short for  
'parameters'?]).  I don't explicitly use "GET" anywhere.  Is GET just  
the term/concept for whenever the submission is contained in a URL --  
as opposed to within a Form, where the submission criteria are not  
shown in the URL?

FWIW:
My link is generated by the code:
<a href="page.php?recid=
    <?php
    $recordDetails=explode('.',$key2);
    $currentRecord=$recordDetails[0];
    echo $currentRecord;
    ?>">

(and for the new related records via a portal, for which I just added
a 'recid' field):
<snip>
while($Data['rel::recid'][$prow]) {
    echo '<a href="page.php?recid='.$Data['rel::recid'][$prow].'">';
</snip>

Are these GET requests (or "params") by definition?

Thanks,
-Joel


On Apr 26, 2006, at 8:52 AM, DC wrote:

> As Kevin said, putting your parameters in hidden fields in a FORM  
> just hides the data a little better and prevents casual poking  
> around. But, anyone with a little skill with the curl utility could  
> send their own POST requests.
>
> You could generate/calculate random words that get put in a field  
> right alongside your record. Then, when you generate the GET param  
> just use the word instead of the serial number. That would make it  
> less likely that someone would guess the proper data to change it to.
>
> Or, how about obscuring the parameter value in the link you  
> generate with PHP. With more powerful encryption the links can get  
> ugly but they are secure.
>
> One user comment on the PHP manual page for the crypt() function
> shows code that allows you to implement a shared key encrypt/decrypt
> algorithm.
>
> http://us3.php.net/manual/en/function.crypt.php
>
> That is pretty good security for just protecting GET param  
> manipulations. strongly encoded links will make it pretty much  
> impossible for the user to guess or hack.
>
> if you don't need a full shared key model for your system you could  
> just jimmy up a simple encoder yourself. take a look at  
> base64_encode() and base64_decode() functions - that will output a  
> pattern of ascii values that is pretty easy for the trained eye to  
> spot (the encoded strings typically end in an equals sign). But, as  
> with the hidden field, it will foil most casual snoopers because it  
> puts the actual data out of direct view.
>
> this command shows you sample base64_encode() output in the  
> commandline php (in macosx terminal.app not sure if this works in  
> windows CLI php):
>
> php -r 'echo base64_encode("1234") . "\n";'
>
> Add another symmetrical encoding before or after base64 if you want  
> more obscurity. i've encoded the next paragraph in one of the most  
> common symmetrical algorithms. See if you can decode it: (hint -  
> use only a single php function and it doesn't deal with numbers or  
> punctuation)
>
> Jung unf orra uvqqra ol fabj vf erirnyrq ol n gunj.
>
> you could also use the security model in FMP7/8 which allows record  
> level access control - which, i believe, protects even records  
> returned by a relationship/portal.
>
> hope that helps.
> dan
>
> Joel Shapiro had written:
>> Hi all
>> What ways are there to limit record access to *only* clicked-on
>> links?
>> When I get a list of records, clicking on any one of them links
>> to their respective url, e.g.:
>> http://127.0.0.1/page.php?recid=1234
>> I do not want someone to be able to edit the url in their browser
>> to view recid=6789
>> (I do open in a new browser window without the Address Bar, but
>> certainly someone could get around that)
>> I had been using a simple IF clause at the top of page.php to
>> ensure that the record's Parent_ID field match a previously set
>> Session variable, but now I need to allow the viewing of other
>> records (related further down the pipe) and such an IF clause is
>> no longer so simple.
>> The recent thread between Dan and Kevin on using forms with hidden
>> inputs and javascript seems like one option:
>> <FORM NAME="sub" METHOD="POST" ACTION="file1.php">
>> <input type="hidden" id="data" name="data" value="mydata">
>> </FORM>
>> <a href="file2.php"
>> ONCLICK="document.sub.submit(); return false;"
>> target="_blank">LINK TEXT HERE</a>
>> What other options are there?
>> TIA,
>> -Joel
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
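
Added example (not part of the original messages, and not FX.php's own code): the keyed-link idea from Dan's reply, done with an HMAC tag rather than the crypt() comment code or base64, which anyone can recompute. `signedLink()`, `verifiedRecid()`, the `sig` parameter and the sample key are assumptions made for the illustration.

```php
<?php
// Added example, not code from this thread. signedLink() and verifiedRecid()
// are hypothetical helpers; page.php and recid are the names used in the posts.

// Build a page.php link whose recid carries an HMAC-SHA256 tag.
function signedLink(string $recid, string $key): string
{
    $sig = hash_hmac('sha256', $recid, $key);
    return 'page.php?' . http_build_query(['recid' => $recid, 'sig' => $sig]);
}

// Return the recid only when its tag verifies; null means missing or altered.
function verifiedRecid(array $get, string $key): ?string
{
    $recid = $get['recid'] ?? null;
    $sig   = $get['sig'] ?? null;
    if (!is_string($recid) || !is_string($sig)) {
        return null; // absent, or an array such as recid[]=1
    }
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $recid, $key), $sig) ? $recid : null;
}

// Assumption: the real application creates the key once per login and keeps
// it in $_SESSION, so a link copied into another session does not verify.
$key = random_bytes(32);

// List page: emit the link (escaped for use inside an href attribute).
$link = signedLink('1234', $key);
echo '<a href="' . htmlspecialchars($link) . '">record 1234</a>', PHP_EOL;

// Detail page: the query string as clicked, then with recid edited by hand.
parse_str((string) parse_url($link, PHP_URL_QUERY), $clicked);
$edited = ['recid' => '6789'] + $clicked; // constructed tampering case

foreach (['clicked' => $clicked, 'edited' => $edited] as $label => $get) {
    $recid = verifiedRecid($get, $key);
    echo $label, ': ', $recid === null ? 'rejected (403)' : "show record $recid", PHP_EOL;
}
```

A valid tag only shows that the server issued this link; the record-level access control Dan mentions still decides whether the user may see the record.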
