
Suppose that I have below code:

<?php
    $html = ' 
        <form id="formA">
            <!-- Form for user another than admin goes here /--> ';

    if ($userrole == 'admin') {
        $html .= ' <!-- Form for admin goes here /--> ';
    }

    $html .= '
            <input type="submit" value="Submit" />
        </form> ';

    print $html;
?>

I think it's bad to implement hidden interfaces on our webpages, especially when you are trying to use $_GET[''] for that $userrole, because the attacker might try abusing the query string on the URL to see if there is any debugging template on the page.

I know it's a bad implementation for a developer, but I have no idea how to do those things securely. Any ideas? Thanks.


UPDATE 1

Is it just the same when I am trying to save the userrole information in $_SESSION and have the same checking part on the page like what I have mentioned above, which means it still has hidden interfaces on the page?


UPDATE 2

Suppose I have these two tables:

tblUser

UserID    UserName    UserRole
 101       Abc         1
 102       Bcd         1
 103       Cde         2

tblRole

UserRole   RoleName    V    A    U    D
 1          Admin      1    1    1    1
 2          User       1    1    0    0

Note: V, A, U, D stand for VIEW, ADD, UPDATE and DELETE's authorization.

This code is to check the authorization of the user to View, Add, Update or Delete something on the page (it seems different from the first question mentioned above).

Then, suppose that I've already saved the session since the first login (I omit the code for login and storing the session - UserID and UserRole). What I want to do below is check each of the authorizations using an if condition.

// $conn is the mysqli connection; the connection code is omitted since it's not the topic
$V = checkauth($conn, $_SESSION['UserRole'], 1);
$A = checkauth($conn, $_SESSION['UserRole'], 2);
$U = checkauth($conn, $_SESSION['UserRole'], 3);
$D = checkauth($conn, $_SESSION['UserRole'], 4);

// The comment has to sit inside the braces; "{ //Do something here }" would swallow the closing brace
if ($V == 1) {
    // Do something here (view)
}
if ($A == 1) {
    // Do something here (add)
}
if ($U == 1) {
    // Do something here (update)
}
if ($D == 1) {
    // Do something here (delete)
}

function checkauth(mysqli $conn, $userRole, $mode) {
    // Bound parameter instead of concatenating $userRole into the query string,
    // so the role value can never change the meaning of the SQL
    $stmt = $conn->prepare("SELECT V, A, U, D FROM tblRole WHERE UserRole = ?");
    $stmt->bind_param('i', $userRole);
    $stmt->execute();
    $stmt->bind_result($v, $a, $u, $d);
    $stmt->fetch();
    $stmt->close();
    $fetch = array($v, $a, $u, $d);

    switch ($mode) {
        case 1: return $fetch[0];
        case 2: return $fetch[1];
        case 3: return $fetch[2];
        case 4: return $fetch[3];
    }
    return 0; // unknown mode: no authorization
}

Is the code quite secure to implement on the webpage? Or is there something better than this? I'm sure there is... Need your ideas, guys! :)

mrjimoy_05

1 Answer


You should store their access level in the database. Not in the query string, Not in a cookie, and Not in a session. When they go to the page, check against the database if they have the correct access and display the correct html if they do.

Steve's a D
  • What is wrong with using a session upon retrieving their access level from the database? Would this not save additional queries against the database? It's what most of the companies I have worked with do :S – Ren Oct 26 '12 at 12:46
  • Sessions are more secure than cookies, but are still not secure. While it would save against additional queries against the database, sometimes these queries are necessary. Preventing an unauthorized user from gaining Admin access is necessary. – Steve's a D Oct 26 '12 at 12:50
  • @Ren & Steve: Then you mean that using `$_SESSION` is better in this case? – mrjimoy_05 Oct 26 '12 at 12:50
  • You should use a `$_SESSION` variable to store a unique user identifier, then validate this against a database - or you would have to ask your users to login on every page refresh. – AlexP Oct 26 '12 at 12:51
  • @AlexP That was my thinking too – Steve's a D Oct 26 '12 at 12:55
  • I read up more on PHP sessions here :) http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables – Ren Oct 26 '12 at 13:00
  • Also save the IP to prevent session spoofing/hijacking. IP addresses can be spoofed as well, but it's a little harder. – GolezTrol Oct 26 '12 at 13:09