
I have an action in the file viewreport; it is about tickets:

```php
// Closing block as posted in the question: any logged-in user who knows a ticket id
// can hit this URL, and $id is interpolated straight into the SQL string.
if (isset($_GET['closeticket']) == 'true')
{
    $db->query("update tickets set status='Closed' where id='$id'");
    header("Location: viewreport?id=".$id."");
}
```

But even a user can close a ticket that doesn't belong to him via the URL. So I want to block direct URL actions.

Here is the action

```html
<a href="viewreport?closeticket=true&id=<?php echo $id; ?>" class="btn btn-danger" id="">Close</a>
```
Peter van der Wal
Mark Giese
  • Feel free to read about SQL injection, here's a related SO question: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – chelmertz Apr 24 '16 at 13:03
  • `if(isset($_GET['closeticket']) == 'true')` should be `if(isset($_GET['closeticket']))`. – v7d8dpo4 Apr 24 '16 at 13:04
  • 1. Prevent SQL injection. 2. Use POST instead. 3. Depend on an AUTH token, or server side verification (probably using php's `$_SESSION`). – hjpotter92 Apr 24 '16 at 13:06

2 Answers


You should check if this operation belongs to the user via sessions or cookies.

It must be something like this:

```php
session_start(); // the session must be started before $_SESSION is readable

if ($_SESSION["group"] == "Admin") {
    // update operation.
}
```

I hope this would be helpful for you.

Eray İzgi

You should check if the user is allowed to close that report before executing.

Thus something like:

```php
if (isset($_GET['closeticket']))
{
    $userIsAllowed = true; // your magic here
    if ($userIsAllowed) {
        // $db->quote() escapes the id before it goes into the query
        $db->query("update tickets set status='Closed' where id=" . $db->quote($id));
        header("Location: viewreport?id=".$id."");
    } else {
        echo "You're not allowed closing this ticket";
    }
}
```

Make sure to properly escape your queries as mentioned in the comments (by chelmertz).

Peter van der Wal
  • Is there any other method to block it via htaccess? Because it isn't working. – Mark Giese Apr 24 '16 at 13:14
  • Did you change `$userIsAllowed = true; // your magic here` with real code to determine if the current user is admin or somehow other allowed to close that ticket? – Peter van der Wal Apr 24 '16 at 13:27
  • Thank you very much for your help, I don't want only admins to close that, because if I did that would be easy, but I want users to close their own tickets if they want. But they can close each other's tickets by URL. That's my problem. – Mark Giese Apr 24 '16 at 13:32
  • Well, then write the following in PHP. 1. Get the id/name of the currently logged in user, 2. Get the id/name of the owner of that ticket. 3. `$userIsAllowed = $isAdmin || $resultOf1 == $resultOf2;` – Peter van der Wal Apr 24 '16 at 13:39
  • Thank you very much, I fixed it. – Mark Giese Apr 24 '16 at 19:21
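Putting the three steps from the comment thread together with the POST and prepared-statement advice from the question's comments, here is an added example (not code from either answer or the asker). It assumes a PDO connection in `$db`, a session that stores the logged-in user's id in `$_SESSION['user_id']` and role in `$_SESSION['group']`, and a `tickets` table with `id`, `owner_id` and `status` columns; all of these names are assumptions.

```php
<?php
// Added example. Assumed: $db is a PDO connection, $_SESSION['user_id'] and
// $_SESSION['group'] are set at login, tickets has columns id, owner_id, status.
session_start();

function userMayCloseTicket(PDO $db, int $ticketId, int $userId, bool $isAdmin): bool
{
    // Step 2: look up the ticket's owner. The prepared statement keeps $ticketId
    // out of the SQL text, so no quoting or escaping is needed.
    $stmt = $db->prepare('SELECT owner_id FROM tickets WHERE id = ?');
    $stmt->execute([$ticketId]);
    $ownerId = $stmt->fetchColumn();
    if ($ownerId === false) {
        return false; // unknown ticket: deny rather than guess
    }
    // Step 3: admins may close anything, everyone else only their own ticket.
    return $isAdmin || (int) $ownerId === $userId;
}

// Only a POST is honoured, so a hand-typed GET URL no longer closes anything.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['closeticket'], $_POST['id'])) {
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Please log in');
    }
    // Step 1: the current user's identity comes from the server-side session,
    // never from the request itself.
    $id      = (int) $_POST['id'];
    $userId  = (int) $_SESSION['user_id'];
    $isAdmin = ($_SESSION['group'] ?? '') === 'Admin';

    if (!userMayCloseTicket($db, $id, $userId, $isAdmin)) {
        http_response_code(403);
        exit("You're not allowed to close this ticket");
    }

    $stmt = $db->prepare("UPDATE tickets SET status = 'Closed' WHERE id = ?");
    $stmt->execute([$id]);
    header('Location: viewreport?id=' . $id);
    exit;
}
?>
<!-- The Close button becomes a form instead of a link, so the action is a POST. -->
<form method="post" action="viewreport">
  <input type="hidden" name="id" value="<?= (int) $id ?>">
  <button type="submit" name="closeticket" value="1" class="btn btn-danger">Close</button>
</form>
```

The ownership check runs on every request, so changing the `id` in the form or URL only changes which ticket is looked up, not who is allowed to close it. A per-session CSRF token in the form would complete the "AUTH token" suggestion from the comments and is left out here to keep the example focused.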