
I am new to php development and have been reading up on general security. I have an app which communicates with a PHP back end by posting parameters through a URL which is then processed on the server.

An example:

http://www.myserver.com/addcredit=99

However, I'm sure I am correct in thinking that this is vulnerable: someone could maliciously inject their own parameters and add their own credit?

How would I protect against this and are there any useful materials people would recommend I look at to get a good understanding of security fundamentals in general?

Thanks

Gayan
MattBlack
  • I guess this is $_GET and not $_POST. $_POST doesn't pass through the URL. But to answer your question, kindly read regarding SQL injection. :) – Rav Nov 22 '16 at 09:15
  • 1
    If you'd like to read up on some PHP security, see this link: http://phpsec.org/projects/guide/ For a bigger collection of information, see the following GitHub page: https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md#php – Hespen Nov 22 '16 at 09:16
  • Check this answer http://stackoverflow.com/questions/12102670/php-form-example-which-will-encrypt-query-string-get-data-hiding-rather-tha – Gayan Nov 22 '16 at 09:17
  • Are you worried about application vulnerabilities like SQL injection, or the fact that anybody can "add an arbitrary amount of credits", whatever that means in your context, by changing the parameter? – Gabor Lengyel Nov 22 '16 at 23:23
  • Hi, yes it's the fact anyone could add credits to their accounts which I am looking to secure – MattBlack Nov 22 '16 at 23:27

2 Answers


Do not use database IDs for the credit card ID. It makes it easy for users to access other users' credit cards.

Use a random string that uniquely identifies the credit card.

Nadir Latif

You can use some simple sanitization in this case:

$addcredit = intval($_GET['addcredit']);
icoder
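The intval() call above fixes the data type, but not the problem the asker describes in the comments: a logged-in user can still choose the amount. The following is an added example, not code from either answer or from the asker's application, showing the pattern in PHP where the request only names a server-side purchase record and the server reads the credit amount from its own data; the $pendingPurchases array and the function names are constructed for illustration, and $userId is assumed to come from the authenticated session rather than the request.

```php
<?php
// Pattern from the question: the client-supplied value decides the credit.
// intval() only guarantees an integer; any logged-in user can still send addcredit=999999.
function addCreditVulnerable(array $accounts, string $userId, array $request): array
{
    $addcredit = intval($request['addcredit'] ?? 0); // trusted as-is
    $accounts[$userId] += $addcredit;
    return $accounts;
}

// Hardened pattern: the request only names a purchase that already exists server-side
// (for example a payment your provider has confirmed). The amount is read from that
// record, the record must belong to the calling user, and it is consumed so that
// re-sending the same request grants nothing. $pendingPurchases stands in for a
// database table and is constructed for this example; $userId is taken from the
// session, never from the request.
function addCreditSafe(array $accounts, array &$pendingPurchases, string $userId, array $request): array
{
    $purchaseId = (string)($request['purchase_id'] ?? '');
    if (!isset($pendingPurchases[$purchaseId])) {
        throw new RuntimeException('unknown purchase');
    }
    $purchase = $pendingPurchases[$purchaseId];
    if ($purchase['user'] !== $userId || $purchase['status'] !== 'paid') {
        throw new RuntimeException('purchase not valid for this user'); // no credit for someone else's order
    }
    unset($pendingPurchases[$purchaseId]);        // one-time use: a replayed request is rejected above
    $accounts[$userId] += $purchase['credits'];   // amount comes from the server record, not the URL
    return $accounts;
}

// Constructed sample data
$accounts = ['alice' => 0];
$pending  = ['ord-1' => ['user' => 'alice', 'credits' => 10, 'status' => 'paid']];

// Vulnerable: the caller picks 99 credits for themselves.
$a = addCreditVulnerable($accounts, 'alice', ['addcredit' => '99']);
echo "vulnerable: {$a['alice']}\n";

// Hardened: only the credits recorded server-side for ord-1 are granted.
$b = addCreditSafe($accounts, $pending, 'alice', ['purchase_id' => 'ord-1']);
echo "safe: {$b['alice']}\n";

// Replaying the same purchase id is rejected because the record was consumed.
try {
    addCreditSafe($b, $pending, 'alice', ['purchase_id' => 'ord-1']);
} catch (RuntimeException $e) {
    echo "replay rejected: {$e->getMessage()}\n";
}
```

The same idea applies to any value with a financial or authorisation meaning: sanitising its type is necessary, but the server must decide the value itself and log who triggered the change.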