
I would like to ask how I can improve the security when I am using $_GET['something'];?

I mean, how can I prevent people from executing these "gets" directly from the address bar? Because I have a test page where you can obtain XP and from the XP you gain level.

It looks like this:

    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
    <label for="addxp"><font color="yellow">Add XP:</font></label> <input type="text" name="xpadd"><br>

    <input type="submit">
    </form>

    $xpadd = $_GET['xpadd'];

    mysql_query("UPDATE users SET xp=xp + '" . $_GET['xpadd'] . "' WHERE user_id='" . $_SESSION['user_id'] . "'") ;

it is working, but when I type this into my browser's address bar: http://mywebsite.com/xp.php?xpadd=50 it adds 50 xp to my points. Could someone please tell me how can I prevent that?

Josh Crozier
Unrealxqt
    Use nonces for that: http://stackoverflow.com/questions/4145531/how-to-create-and-use-nonces – Joren Nov 02 '13 at 21:20
  • Also, don't use the `mysql_` functions; they are deprecated. Use `mysqli` or `PDO` instead. It might also be a good idea to escape the values before inserting into the database. See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Joren Nov 02 '13 at 21:22
    Having them being able to add XP is the least of your worries, you have a **SQL Injection** backdoor - left **wide** open – AlexP Nov 02 '13 at 21:22
  • Your script needs to check whether the user is allowed to add XP at this moment, plain and simple. This is not about URLs or `$_GET` or anything like that, it's a simple business logic problem you need to handle. – deceze Nov 02 '13 at 21:25
  • The only way of doing this securely is by doing it internally (all on the server, not via `$_GET`). Use `$_SESSION` or something like that. – Sumurai8 Nov 02 '13 at 21:25
  • @Sumurai8 yes it does. It will protect the server from people trying to insert information from a place they aren't supposed to. – Joren Nov 02 '13 at 21:32

2 Answers

As you have said, anyone can execute this GET request; therefore you can't stop people from doing so.

You need to validate, in your code, that the currently logged in user is allowed to perform such a command. Only once this validation is successful, then execute the update.

One option would be to hold a flag in the table and check whether this is set/un-set (depending on your business logic).

For example:

    SELECT 1 FROM users WHERE user_id = ? AND is_allowed_xp_update = 1

Only if this returns true, then execute the update:

    UPDATE users SET xp = xp + ? WHERE user_id = ? AND is_allowed_xp_update = 1

Also use an alternative database library to the mysql_* functions; they are outdated and offer little security for dynamic queries.

AlexP
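The following is an added example, not code from the answer above or from the asker's site, showing what the answer's advice looks like when put together in one xp.php: a session check, a one-time form token (the nonce a comment suggests), integer validation of the amount, and a PDO prepared statement whose WHERE clause re-checks the server-side `is_allowed_xp_update` flag from the answer. The table columns `user_id`, `xp` and `is_allowed_xp_update`, the DSN and the credential placeholders are assumptions.

```php
<?php
// Added example (not the answerer's code): a hardened version of xp.php.
// Assumes a users table with columns user_id, xp and is_allowed_xp_update,
// and a PDO connection with placeholder credentials (DB_USER / DB_PASSWORD).
session_start();

// 1. Authentication: the request must come from a logged-in session.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=game;charset=utf8mb4',   // assumed DSN
    'DB_USER',                                            // placeholder
    'DB_PASSWORD',                                        // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 2. Form token: the one-time value issued with the form must match the
    //    session copy, so a URL pasted into the address bar cannot trigger the update.
    if (!isset($_POST['token'], $_SESSION['xp_token'])
        || !hash_equals($_SESSION['xp_token'], $_POST['token'])) {
        http_response_code(400);
        exit('Invalid or missing form token');
    }
    unset($_SESSION['xp_token']);   // single use

    // 3. Input validation: the amount must be an integer within a sane range,
    //    so the query never sees anything but a number.
    $xpadd = filter_input(INPUT_POST, 'xpadd', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($xpadd === false || $xpadd === null) {
        http_response_code(400);
        exit('xpadd must be an integer between 1 and 1000');
    }

    // 4. Authorization and update in one prepared statement: the WHERE clause
    //    re-checks the server-side flag, so a user the server has not cleared
    //    changes no rows, whatever they send.
    $stmt = $pdo->prepare(
        'UPDATE users SET xp = xp + :xp
          WHERE user_id = :uid AND is_allowed_xp_update = 1'
    );
    $stmt->execute([':xp' => $xpadd, ':uid' => $_SESSION['user_id']]);

    if ($stmt->rowCount() === 0) {
        http_response_code(403);
        exit('You are not allowed to add XP right now');
    }
    echo 'Added ', $xpadd, ' XP';
}

// Issue a fresh token for the form. The form uses POST rather than GET so the
// action is not replayable from the address bar or a bookmark.
$_SESSION['xp_token'] = bin2hex(random_bytes(32));
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
    <input type="hidden" name="token" value="<?php echo $_SESSION['xp_token']; ?>">
    <label for="xpadd">Add XP:</label>
    <input type="number" id="xpadd" name="xpadd" min="1" max="1000">
    <input type="submit">
</form>
```

Two points worth noting. `PHP_SELF` is passed through `htmlspecialchars` because the original form echoes it unescaped, and it can carry attacker-supplied path text. And the `rowCount()` check is what makes the flag meaningful: when and where `is_allowed_xp_update` gets set (after a quest, once per day, by an admin) is the business-logic decision the answer leaves to you, and it lives entirely on the server.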

Basically, you can't. An experienced user can read the HTML code of the page and form a GET query (directly in the browser's address bar) or a POST query (that would require some more work, but is still possible).

A secure server should never trust a client.

So you need some authorization code at server side. (It's not clear from your question who is allowed to use the addxp and who is not.)

nullptr