
Before anyone comments about security issues, don't bother.

Let's say I have an index.php.

On this page there are various links pointing to 'home.php', but they all have different data stored in the href attributes. E.g:

Link 1: 'home.php?data=1&country=uk'

Link 2: 'home.php?data=95&country=us'

Users could easily just type in www.website.com/home.php?data=*&country=* and fill data in the URL to their liking.

What I am thinking is if I have a function that is run when one of these links is clicked, which adds a value on to the URL before going to the destination. E.g:

Original link: www.website.com/home.php?data=1&country=uk
Clicked link: www.website.com/home.php?data=1&country=uk&verify=a8c9gj113

What I cannot work out is how to change the href data in HTML when clicking the link, before actually going to the destination.

My code is below (HTML is in a while loop pulling data from database)

echo "<a href='home.php?data=" . $results['id'] . "&country=" . $results['country'] . "' onclick='return verify();'>";

Function:

function verify()
{
    // Clears the href of the element with id "verify" before the browser follows the link
    document.getElementById("verify").href = "";
    return true; // let the click continue to the destination
}

So for the HREF value in the function I am going to place the original URL (home.php?data=". $results['id'] ."&country=". $results['country'] .) plus an extra value. How can I do this?

In a PHP echo, when you are adding a value from a variable, etc., you simply end the echo with quotes, then add dots as shown below:

echo "I am the". $whatami ."person in the world";

Is there anything like this for JavaScript? When I paste that PHP URL into the JavaScript function in .href="", it is just going to fail because I am closing the quotes.

I hope people understand what I'm saying.

If there is a better way to do this please tell me.

Adam Michalik
nulled
  • Check out: http://stackoverflow.com/questions/4145531/how-to-create-and-use-nonces Maybe you can take an idea from there – Saqib Amin Jan 19 '16 at 12:22
  • If you're worried that users will change the inputs, then only give them the inputs they are *allowed* to change (and load/calculate the rest on the next page). E.g., `home.php?country=uk` and then in home.php, load the data from database by country code. – Piskvor left the building Jan 19 '16 at 12:25
  • Also, this is a security question by its very nature; the only way to *not* mention security is to not answer at all. In other words, what prevents me from bringing up the developer tools (as of 2016, built directly into all major browsers), changing the HREF, and *then* calling verify() on the altered attribute? Nothing prevents that, which makes the JS-side verification only useful against the least sophisticated attacker. – Piskvor left the building Jan 19 '16 at 12:32
  • Piskvor, I don't know why I didn't think of that. I guess we all get 'coders' block sometimes eh, cheers! Also by 'not mentioning security issues' I meant for people not to moan at me for using insecure methods lmao. – nulled Jan 19 '16 at 13:27

3 Answers


I think you are looking for something like

<?php echo "<a href='home.php?data=" . $results['id'] . "&country=" . $results['country'] . "' class='ahref'>"; ?>
    <script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
    <script>
    $(document).ready(function(){
        $(".ahref").click(function(){
            var url = $(this).attr('href');
            url = url + "&verify=mycode"; // "mycode" is a placeholder for the value to append as a query parameter
            window.location = url;

            return false; // stop the browser following the original href
        })
    })
    </script>
urfusion

"Users could easily just type in..." implies that the question is about preventing users from accessing information they shouldn't be able to see, i.e. security. But you started your post with "...about security issues, don't bother." So it is far from clear what you actually expect in an answer.

You say you want to do this when the link is clicked - this means that it would need to be implemented client side, in JavaScript. You can't implement security controls client side.

It's easy to do serverside. The code below uses a static salt for the hash, but there are more complex solutions, e.g. using the session id would limit the reuse to the lifetime of the session id:

// Placeholder seed for this listing; in real use define a long random secret in configuration
defined('SECURE_URL_HASH_SEED') || define('SECURE_URL_HASH_SEED', 'replace-with-a-long-random-secret');

/**
 * add a set of parameters to a URL with a verifiable hash
 *
 * @param $args array - associative array of name/value pairs
 * @param $base string - URL to add args to
 * @return string - the completed URL
 */
function secure_url($args, $base)
{
    $params = '';
    $join = '';
    ksort($args); // canonical order, so the hash does not depend on argument order
    foreach ($args as $k => $v) {
        $params .= $join . urlencode($k) . '=' . urlencode($v);
        $join = '&';
    }
    $chk = md5($params . SECURE_URL_HASH_SEED);
    $params .= $join . 'chk=' . urlencode($chk);

    // default every component so a relative URL such as 'home.php' does not raise notices;
    // note parse_url() uses the key 'pass', not 'password'
    $d = parse_url($base) + array('scheme' => '', 'user' => '', 'pass' => '',
                                  'host' => '', 'path' => '', 'query' => '', 'fragment' => '');
    $out = $d['scheme'] ? $d['scheme'] . '://' : '';
    $out .= ($d['user'] . $d['pass'])
            ? $d['user'] . ':' . $d['pass'] . '@' : '';
    $out .= $d['host'] . $d['path'];
    $out .= '?' . ($d['query'] ? $d['query'] . '&' . $params
            : $params);
    $out .= $d['fragment'] ? '#' . $d['fragment'] : '';
    return $out;
}

/**
 * validate arguments in the current URL (or in $url, if given)
 *
 * @param array $args - associative array - only keys are used
 * @param string|false $url - URL to check instead of the current request's $_GET
 * @return bool - true if valid
 */
function verify_url($args, $url = false)
{
    if ($url) {
        $d = parse_url($url);
        parse_str(isset($d['query']) ? $d['query'] : '', $src);
    } else {
        $src = $_GET;
    }
    ksort($args);
    $paramlist = '';
    $join = '';
    foreach ($args as $k => $v) {
        // a missing parameter is encoded as empty, so it cannot match a hash made over a real value
        $paramlist .= $join . urlencode($k) . '=' . urlencode(isset($src[$k]) ? $src[$k] : '');
        $join = '&';
    }
    $chk = md5($paramlist . SECURE_URL_HASH_SEED);

    // a missing chk fails; hash_equals() compares in constant time
    return isset($src['chk']) && hash_equals($chk, (string) $src['chk']);
}

However this is not the appropriate means to prevent users from accessing information they shouldn't - the right way is to authenticate the request when it comes back to your server - the reason I happen to have the above code lying around is that there are some niche cases where using a session creates more problems than it solves.

symcbean
<script>
function verify(url)
{
    // url is the link's href, passed in from the onclick handler below
    url = url + "&verify=something"; // "something" is a placeholder for the value to append
    window.location = url;
    return false; // stop the browser following the original href
}
</script>

<?php echo "<a onclick='return verify(this.href);' href='home.php?data=" . $results['id'] . "&country=" . $results['country'] . "'>"; ?>
Tijo